The Federal Trade Commission (FTC) on May 8, 2012, announced that it has reached a consent agreement with the social networking site Myspace. The agreement settled charges that Myspace misled its users about the extent to which the site shared personal information with third-party advertisers, and it signals increased scrutiny by the FTC on how social networks share information about their users with advertisers. The consent order prohibits Myspace from making misrepresentations regarding the extent to which it maintains the privacy of its users' information and the extent to which it complies with the U.S.-EU Safe Harbor Framework and similar programs. The order also requires Myspace to establish a "comprehensive privacy program" and obtain biennial assessments of the program by an independent auditor for the next 20 years. The consent order is the third such order specifically requiring a comprehensive privacy program, following similar privacy consent orders the FTC entered into with Google and, more recently, Facebook.

Background

The FTC alleged that, contrary to representations made in its privacy policy, Myspace shared users' personally identifiable information (PII) with third-party advertisers by providing those advertisers with users' "Friend IDs." A Myspace Friend ID is a persistent, unique number that easily can be used to access a Myspace user's profile page. Depending on a user's privacy settings, different types of information may be publicly available on that user's profile page. According to the complaint, Myspace designated certain profile information, including a user's profile picture, location, gender, age, display name, and full name, as "basic profile information" outside the scope of its privacy settings, and thus made that information publicly viewable. While a user could change Myspace's default setting, which shows the user's full name publicly, allegedly only approximately 16 percent of users had made their full names private as of July 2010. Thus, as of July 2010, the Friend ID allegedly could be used to access, at a minimum, the basic profile information of Myspace users, including the full names of approximately 84 percent of those users.

Since January 2009, Myspace allegedly shared the Friend IDs, ages, and genders of users viewing the Myspace site with third-party advertisers. According to the complaint, Myspace transmitted this information to third-party advertisers from January 2009 to June 2010 whenever its affiliated advertising network did not have an appropriate ad to serve. While Myspace allegedly started encrypting the Friend IDs, ages, and genders of users viewing the Myspace site in June 2010, it provided the encryption key to its affiliated ad network so that this information could be used to target advertising to those users. On October 29, 2010, Myspace's affiliated ad network was sold to a third party, and Myspace allegedly continued to provide the encryption key to the new owners of the ad network for the following year.