Privacy and Data Security

PRIVACY LAW CORNER
Welcome to Winston & Strawn's Privacy Law Corner, a blog where we cover recent developments in privacy and data security laws. We strive to give you not just updates, but an analysis of what lessons you can learn from these new cases, and practical tips to implement those lessons for your company. Our blog is edited by Winston & Strawn partner Liisa Thomas, and features authors from across the firm. To learn more about any of the cases or issues covered, please don't hesitate to contact one of us or your regular Winston & Strawn contact. To subscribe to these updates, please see the RSS icon at the top right of the page. You can also follow us on Twitter at @WinstonPrivacy.
May 9, 2012
MySpace Settles FTC Charges of Sharing Information with Advertisers

The MySpace privacy policy indicates, according to the FTC, that a user’s personally identifiable information will not be shared for purposes inconsistent with the reasons why it was submitted. MySpace is also a participant in the EU-US Safe Harbor program, under which it self-certified that it would tell users how information was used and give users the ability to opt out. The FTC recently charged that MySpace, in violation of its public promises (in the self-certification and the privacy policy), shared “Friend IDs” with advertisers. Friend IDs are persistent unique identifiers assigned to each user on MySpace. The Friend ID number is viewable by others, as it is associated with the URL of a MySpace user’s profile page. Advertisers could thus use the Friend IDs to find users on MySpace and, depending on the privacy settings the user had set, could see all the information in the user’s profile (and in some cases, could see what those users were doing elsewhere on the Internet).

As part of a settlement reached on May 8, 2012, MySpace has agreed to implement a comprehensive privacy program which includes: having an employee or group of employees responsible for the program; identifying foreseeable risks and placing controls to manage those risks; regularly monitoring compliance and effectiveness of the program; and making sure vendors can properly protect privacy. MySpace has also agreed to get third-party assessments done every other year for the next 20 years, and for the next five years to report to the FTC if it receives any consumer privacy complaints, among other things.

TIP: The FTC has reported that this is part of its “ongoing efforts to make sure companies live up to the privacy promises they make to consumers.” Companies should closely examine their privacy policies, and other public statements made about how information will be treated, to ensure that they are accurate. This case also reminds companies to look at the activities of third-party partners as well as the company's own.



Liisa M. Thomas