
Social network site Myspace promised users it wouldn’t share their personally identifiable information in a way that was inconsistent with the reason people provided the info, without first notifying them and getting their approval. The company also said that information used to customize ads wouldn’t identify people to third parties and that Myspace wouldn’t share browsing activity that wasn’t anonymous. But according to a lawsuit filed by the FTC, Myspace provided advertisers with the “Friend ID” of users who were viewing particular pages on the site. Once advertisers had the Friend ID, they could put two and two together to access lots of other personal information — including users’ full names. That meant that the company’s promises about notice, permission, and anonymous data were false and misleading.

To settle the FTC’s charges, Myspace has agreed to change its practices to protect users’ privacy in the future. Part I of the proposed order prohibits Myspace from misrepresenting the privacy and confidentiality of any “covered information.” The order defines that phrase broadly as information from or about an individual consumer including, but not limited to, a first and last name; home or other physical address, including street name and city or town; email address or other online contact information, like an instant messaging user identifier or screen name; mobile or other phone number; photos and videos; IP address, User ID, device ID, or other persistent identifier; list of contacts; or physical location.

That provision also makes it illegal for Myspace to misrepresent its adherence to any privacy, security, or other compliance program. That includes the US-EU Safe Harbor Framework. (In addition to violating its own privacy promises, Myspace’s claim that it complied with the Safe Harbor Principles was also false, said the FTC.)

Under Part II of the order, Myspace has to implement a comprehensive privacy program designed to address privacy risks related to the development and management of existing products and services and new ones, and to protect the privacy and confidentiality of covered information. The order spells out the required features of the program. Specifically, Myspace will:

  • designate the person responsible for the program;
  • identify reasonably foreseeable material risks — from inside the company and out — that could result in the unauthorized collection or disclosure of covered information;
  • assess the sufficiency of safeguards in place to control those risks;
  • establish and maintain reasonable controls and procedures to address the risks identified through the privacy risk assessment;
  • regularly test the effectiveness of the safeguards;
  • take reasonable steps to ensure that service providers protect the privacy of covered information they get from Myspace, including putting privacy provisions in their contracts; and
  • adjust its privacy program in light of testing, changes to how it does business, and any other circumstance Myspace has reason to know may have a material impact on the program’s effectiveness.

Part III puts in place a feature common in recent FTC orders: a requirement that every other year for the next 20 years, Myspace will have its privacy program evaluated by a qualified, objective, independent professional. That person will have to certify that Myspace provides protections that meet or go beyond the protections required by the order.

Next: What the Myspace case means for your company
