Myspace Settles FTC Charges of Misleading and Deceptive Statements in its Privacy Policy

On May 8, 2012, the Federal Trade Commission (FTC) announced its settlement with social networking service Myspace on charges that it misrepresented its protection of users’ personal information in violation of federal law. Like many of its social media counterparts who were recently the target of FTC enforcement actions, Myspace is charged with espousing strict privacy measures and then failing to do as promised.

The Myspace social network comprises millions of users who create and customize online profiles. Myspace assigns a persistent unique identifier, called a Friend ID,” to each profile created. Though users have the ability to upload extensive personal information to their profile, Myspace designates a subset of personal user data as basic profile information,” which include the user’s profile picture, Friend ID, location, gender, age, display name, and full name. According to the complaint, this basic profile information is publicly displayed by default and is outside the scope of the privacy settings. The only piece of basic information that users can hide from public view - provided that they change the default setting - is their full name. As of July 2010, only 16% of users had actually changed the default setting to hide their full name.

Under its privacy policy, Myspace promised that it would not share users’ personal information or use it in a way that was inconsistent with the purpose for which it was submitted without their consent. In addition, Myspace promised that customized ads would not individually identify users to third parties and would not share non-anonymized browsing activity. According to the complaint, Myspace in fact shared the Friend ID, age, and gender of users with third-party advertisers. Advertisers used the Friend ID to locate the user’s Myspace profiles to obtain personal information, including in most instances the user’s full name. Advertisers could also combine the user’s real name and other personal data with additional information to link broader web-browsing activity to a specific individual. In addition, Myspace certified in its privacy policy that it complied with the U.S.- EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States. These statements of compliance were false, according to the FTC.

The proposed settlement order bars Myspace from misrepresenting the extent to which it protects the privacy of users’ personal information or the extent to which it belongs to or complies with any privacy, security, or other compliance program, including the U.S -EU Safe Harbor Framework. The order also requires that Myspace establish a comprehensive privacy program designed to protect users’ information, and to obtain biennial assessments of its privacy program by independent, third-party auditors for twenty (20) years. This agreement will be subject to public comment for thirty (30) days through June 8th, after which the FTC will decide whether to make the proposed consent order final. Interested parties are strongly encourage to submit written comments prior to this date.