Facebook, the world's biggest social networking site, has agreed to settle complaints by the Federal Trade Commission that it failed to protect users' privacy or disclose how their data could be used.
The proposed 20-year agreement would require Palo Alto, California-based Facebook to get clear consent from users before sharing material posted under earlier, more restrictive terms, the commission said. It would also compel independent reviews of Facebook's privacy practices.
"Companies must live up to their promises about privacy," commission chairman Jon Leibowitz said.
The settlement "will protect consumer choices and ensure they have full and truthful information about their data."
The deal was part of an effort to resolve legal issues that could be a distraction as Facebook moved towards an initial public offering, said Francis Gaskins, president of Los Angeles-based IPODesktop.com, a website that tracks IPOs.
Facebook is considering an IPO that would raise US$10 billion ($13 billion) and value the company at more than US$100 billion, a person familiar with the matter said.
"They're obviously trying to clear the decks to take off," Gaskins said, adding the settlement "should give some comfort" to potential investors.
In a blog posting, Facebook chief executive Mark Zuckerberg said the company should have been more vigilant in protecting users' privacy.
"I'm the first to admit that we've made a bunch of mistakes," he said.
Marc Rotenberg, executive director of the Electronic Privacy Information Centre, a Washington-based advocacy group that filed a complaint against Facebook over privacy issues in 2009, said yesterday's settlement "is a sweeping order that will prevent Facebook from disregarding the privacy interests of its users in the future".
It should also send a message to the internet industry at large, said Maneesha Mithal, associate director of the commission's division of privacy and identity protection.
"The provisions of the order are good practices for all companies to follow," Mithal said.
"Companies should seek permission from consumers before they make changes to how they treat personal information."
Zuckerberg said the company already had addressed many of the commission's concerns.
Yesterday he appointed Erin Egan, a former partner at Covington & Burling who specialised in data security, as chief privacy officer, policy, and Michael Richter, the company's head privacy counsel, as chief privacy officer, products, Zuckerberg said.
The settlement, which the commissioners approved 4-0, required Facebook to establish a "comprehensive privacy programme" and block access to a user's account within 30 days of it being deleted.
The company was also barred from making any deceptive claims about its privacy practices.
Audits by an independent third party would help build faith in Facebook's efforts, said Elliot Schrage, a company spokesman.
"Oversight fosters trust by providing users with additional assurances that the commitments we make are being upheld," he said.
Michael Gartenberg, an analyst at Gartne, a Connecticut technology research company, said, "There's no doubt Facebook and privacy have not gone well together in the past."
The commission said Facebook shared users' personal information with advertisers after promising it wouldn't.
Facebook also pledged it would restrict sharing of information to designated "friends" of users while the data also was accessible to third-party applications used by the friends, the commission said.
Facebook assured users that third-party applications only had access to data required for them to function while, in fact, the applications had access to almost all of a user's personal information, according to the agency.
The company's "Verified Apps" program to certify the security of applications didn't work, the commission said.
In other commission actions on internet privacy, Google agreed in March to settle claims that the company used deceptive tactics and violated its own privacy policies when it introduced its Buzz social networking service last year.
That same month, the agency accepted a settlement with Twitter, resolving charges that the company deceived consumers and put their privacy at risk.
Federal Trade Commission's agreement with Facebook:
* Facebook to establish a "comprehensive privacy programme".
* Must block access to a user's account within 30 days of it being deleted.
* Barred from making any deceptive claims about its privacy practices.
* Must get clear consent from users before sharing material posted under earlier, more restrictive terms.
* Policy to be audited by an independent third party.
- BloombergBy Sara Forden, Jeff Bliss