Myspace’s privacy policy promised the company would not share users' personal information without first notifying them and receiving permission to do so. The privacy policy also promised that information used to customize ads would not individually identify users to third parties and that the company would not share nonanonymized browsing activity.
The FTC charged that Myspace violated its privacy policy by providing advertisers with the “friend ID” of users who were viewing particular pages on the site. Advertisers could use the friend ID to locate a user’s profile to obtain personal information and the user’s full name. This enabled advertisers to combine the user’s real name and other personal information with web-browsing activities of that user.
In addition, the FTC charged that Myspace violated the US-EU Safe Harbor Framework by not providing notice to users about how their information would be used and not providing users with an opt-out choice.
The settlement order between the FTC and Myspace bars the company from misrepresenting the extent to which it protects the privacy of users' personal information or the extent to which it belongs to or complies with any privacy, security, or other compliance program, including the US-EU Safe Harbor Framework. The order also requires that Myspace establish a comprehensive privacy program designed to protect consumers' information and to obtain biennial assessments of its privacy program by independent, third-party auditors for 20 years. Although no fines were imposed on Myspace, it could be fined up to $16,000 per violation for future infringement of the agreement, FTC explained.
FTC has also taken actions against Twitter, Facebook, and Google for privacy policy violations. The agency is reportedly in talks with Google about a possible $10 million fine for bypassing privacy settings in Apple’s Safari browser, according to a report by Bloomberg.