The FTC MySpace Settlement: A Reminder to Say What You Do & Do What You Say

Once again, the Federal Trade Commission (“FTC”) has settled with a social networking platform regarding deceptive and misleading privacy practices. Following settlements with Twitter, Inc. in June 2010, Google, Inc. in March 2011, and Facebook, Inc. in November 2011, on Tuesday, the FTC reached a similar agreement with MySpace LLC (“MySpace”) over its failure to uphold promises made in its privacy policy regarding the collection and dissemination of user information.

MySpace employs a “Friend ID” as a unique personal identifier associated with each MySpace account. The Friend ID can be used to access the user’s basic profile information (e.g. full name) or even more if the user has chosen to make his/her profile available to the public. The MySpace privacy policy promised that it would not share users’ personally identifiable information (“PII”) without first giving the user notice and gaining the user’s consent. The privacy policy further promised that the information used to customize ads would not individually identify users to third parties and would not share non-anonymized browsing activity.

Contrary to what was stated in MySpace’s privacy policy, however, MySpace provided advertisers with the Friend ID, age and gender of users who were viewing pages on MySpace.   Dissemination of this information allowed advertisers to use the Friend ID to locate the user’s profile thereby accessing additional user PII, including, in most cases, the user’s full name. Additionally, with the Friend ID and the additional PII that the Friend ID makes available, advertisers could link wider web browsing activity to a specific individual.

The settlement bars MySpace from making future misrepresentations regarding the extent to which it protects users’ personal information, requires it to implement a comprehensive privacy program and requires it to undergo biennial, independent, third party privacy assessments for the next 20 years.  Further, the settlement also bars MySpace from misrepresenting “the extent to which it belongs to or complies with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor Framework” as the complaint also alleged that MySpace misrepresented its compliance with this program.

The MySpace settlement serves as a reminder that the FTC is very serious about its enforcement efforts in the privacy realm. And, the key takeaway is clear: a privacy policy is more than just a ‘piece of a paper.’ Privacy policies must clearly state exactly what user information is obtained, stored and shared and companies must live up to the promises made in their privacy policies.