The FTC’s Allegations
However, when Myspace displayed ads from certain unaffiliated third parties to logged-in users, Myspace provided the advertiser or its affiliate with the viewer’s “Friend ID,” which is a persistent unique numerical identifier assigned to each Myspace user. This left third parties a few clicks away from accessing a host of other information about the user. For most users, the Friend ID could be used to get the users’ full name and any other information designated as public in the users’ settings. The public information could then be combined with additional information harvested by the advertiser’s tracking cookie and by any other means.
According the FTC, the representations that Myspace made in its privacy policies were thus false and misleading statements and constituted deceptive acts or practices in violation of Section 5 of the FTC Act. The agency also alleged that Myspace misrepresented its compliance with the US-EU Safe Harbor framework: to transfer personal data lawfully from the E.U. to the U.S., companies must self-certify that they meet certain privacy principles about collection and use of uder data, including Notice and Choice. According to the FTC, Myspace also misrepresented its compliance – although it did not make the offending statements about Safe Harbor compliance until December 2010, after the time period of its other deceptive practices.
The order forbids Myspace from misrepresenting its privacy practices, including collection, disclosure and third-party sharing, of all “covered information.” This includes a user’s name, address, e-mail address or chat screen name, phone number, photos and videos, IP address, device ID or other permanent identifier, contact list or physical location. Like the Google and Facebook settlements, the order requires Myspace to establish and maintain a comprehensive privacy program and submit to biennial assessments of its privacy programs by an independent auditor for 20 years. Myspace must also retain a plethora of related documents for five years, including all “widely disseminated statements” about Myspace’s privacy practices, complaints or communications with law enforcement about the order, or any documents that call into question Myspace’s compliance.
The 20-year timeframe, which has been the standard in FTC’s previous privacy consent decrees, has raised some snickers among commentators about Myspace’s longevity, given the site’s declining market share. Founded in 2003, the site was acquired by News Corp. for $580 million in 2005 and for a while dwarfed Facebook’s number of users. However, it was sold to Specific Media for $35 million last year and its number of unique users is less than half of its 2008 peak.
The agreement will be subject to public comment until June 8, after which the Commission will decide whether to make the proposed consent order final.