I just released the following statement regarding Facebook’s settlement with the Federal Trade Commission of complaintsover changes the company made in December 2009 to what information would appear on users’ profiles:
For years, many privacy advocates have insisted that holding companies to their own privacy policies won’t protect consumers because companies can change those policies at a whim. Today’s settlement makes clear that changes to what a company may do with information already collected require informed user consent—provided the changes are material. This builds on a similar settlement with Google last month over the use of Gmail information in the Buzz social network without consent, among earlier FTC actions, such as preventing the transfer of sensitive information when a company goes into bankruptcy.
Thus, while Congress struggles to craft ‘comprehensive baseline privacy’ legislation in the European model, the FTC is using its existing 1938 authority over unfair or deceptive trade practices to build a common law of privacy. This is a process of discovery: what’s the right balance between protecting privacy and the consumer benefits of encouraging the development of new services? That process won’t be perfect or easy, but it’s much more likely to keep up with technological change than legislation or prophylactic regulation would be, and less likely to fall prey to regulatory capture by incumbents as a barrier to competition.
Case-by-case adjudication is a venerable American tradition—one that’s more, not less, vital in the rapidly changing field of consumer privacy. Rather than rushing to write new laws, Congress should focus on ensuring the FTC has the resources it needs to use its existing authority effectively. That means, most of all, having a larger core of technologists on staff to guide what is supposed to be our expert agency on privacy.