Once again, the Federal Trade Commission (“FTC”) has settled with a social networking platform regarding deceptive and misleading privacy practices.
MySpace employs a “Friend ID” as a unique personal identifier associated with each MySpace account. The Friend ID can be used to access the user’s basic profile information (e.g. full name) or even more if the user has chosen to make his/her profile available to the public.
Dissemination of this information allowed advertisers to use the Friend ID to locate the user’s profile thereby accessing additional user PII, including, in most cases, the user’s full name.
Additionally, with the Friend ID and the additional PII that the Friend ID makes available, advertisers could link wider web browsing activity to a specific individual.
The settlement bars MySpace from making future misrepresentations regarding the extent to which it protects users’ personal information, requires it to implement a comprehensive privacy program and requires it to undergo biennial, independent, third party privacy assessments for the next 20 years.
Further, the settlement also bars MySpace from misrepresenting “the extent to which it belongs to or complies with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor Framework” as the complaint also alleged that MySpace misrepresented its compliance with this program.
Privacy policies must clearly state exactly what user information is obtained, stored and shared and companies must live up to the promises made in their privacy policies.
Cross-posted from InfoLawGroup