A settlement between the Federal Trade Commission and Facebook now requires the site to let you know when it changes privacy settings, and to have you opt in before those changes can take effect on your account. The site is also subject to privacy audits every 2 years until 2031.

“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” said Jon Leibowitz, Chairman of the FTC. “Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.”

The way Facebook has typically done business has entailed making changes first, and then asking for forgiveness when users have responded negatively to those changes. Under the new rules it will have to get permission first – a move that’s likely to slow down some changes that come to the site.

In an official statement on Facebook, CEO Mark Zuckerberg spoke of his continued commitment to Facebook users and named two new privacy officers to help make sure that happens:

I am creating two new corporate officer roles to make sure our commitments will be reflected in what we do internally — in the development of our products and the security of our systems — and externally — in the way we work collaboratively with regulators, government agencies and privacy groups from around the world:

- Erin Egan will become Chief Privacy Officer, Policy. Erin recently joined Facebook after serving as a partner and co-chair of the global privacy and data security practice of Covington & Burling, the respected international law firm. Throughout her career, Erin has been deeply involved in legislative and regulatory efforts to address privacy, data security, spam, spyware and other consumer protection issues. Erin will lead our engagement in the global public discourse and debate about online privacy and ensure that feedback from regulators, legislators, experts and academics from around the world is incorporated into Facebook’s practices and policies.

- Michael Richter will become Chief Privacy Officer, Products. Michael is currently Facebook’s Chief Privacy Counsel on our legal team. In his new role, Michael will join our product organization to expand, improve and formalize our existing program of internal privacy review. He and his team will work to ensure that our principles of user control, privacy by design and transparency are integrated consistently into both Facebook’s product development process and our products themselves.

These two positions will further strengthen the processes that ensure that privacy control is built into our products and policies. I’m proud to have two such strong individuals with so much privacy expertise serving in these roles.

Where Facebook users will probably notice the most change is in how new products are rolled out. TechCrunch points out that a service like Places wouldn’t be possible under the new rules. With Places you are able to check in the friends who are with you wherever you are, without their consent (unless they have opted out of the service). Under the new rules you would only be able to check in people who had agreed to be part of the service. If your friends don’t log in for a while, or ignore the privacy message, you may be checking in alone.

The official complaint lodged with the FTC listed a number of concerns, which have now been addressed, including:

  • In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
  • Facebook represented that third-party apps that users installed would have access only to the user information they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
  • Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
  • Facebook had a “Verified Apps” program and claimed it certified the security of participating apps. It didn’t.
  • Facebook promised users that it would not share their personal information with advertisers. It did.
  • Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
  • Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.

Under the settlement with the FTC, Facebook is now:

  • barred from making misrepresentations about the privacy or security of consumers’ personal information;
  • required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
  • required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.

What do you think about the new policies? For those of you with Facebook privacy concerns, does the settlement fix the issues you have? How do you feel about the potential impact the settlement might have on new Facebook products?