Social networking service Myspace has agreed to settle
Federal Trade Commission charges that it misrepresented
its protection of users' personal information.
The settlement bars Myspace from future privacy
misrepresentations, requires it to implement a
comprehensive privacy program, and calls for regular,
independent privacy assessments for the next 20 years.
Myspace assigns a persistent unique identifier, called a
"Friend ID," to each profile created on Myspace. A
user's profile publicly discloses his or her age,
gender, profile picture (if the user chooses to include
one), display name, and, by default, the user's full
name. User profiles also may contain additional
information such as pictures, hobbies, interests, and
lists of users' friends.
users personally identifiable information, or use such
information in a way that was inconsistent with the
purpose for which it was submitted, without first giving
notice to users and receiving their permission to do so.
used to customize ads would not individually identify
users to third parties and would not share
non-anonymized browsing activity.
the FTC charged, Myspace provided advertisers with the
Friend ID of users who were viewing particular pages on
the site. Advertisers could use the Friend ID to locate
a user's Myspace profile to obtain personal information
publicly available on the profile and, in most
instances, the user's full name. Advertisers also could
combine the user's real name and other personal
information with additional information to link broader
web-browsing activity to a specific individual. The
agency charged that the deceptive statements in its
In addition, Myspace certified that it complied with the
U.S.-EU Safe Harbor Framework, which provides a method
for U.S. companies to transfer personal data lawfully
from the European Union to the United States. As part of
its self-certification, Myspace claimed that it complied
with the Safe Harbor Principles, including the
requirements that consumers be given notice of how their
information will be used and the choice to opt out. The
FTC alleged that these statements were false.
The proposed settlement order bars Myspace from
misrepresenting the extent to which it
protects the privacy of users' personal information or
the extent to which it belongs to or complies with any
privacy, security or other compliance program, including
the U.S.-EU Safe Harbor Framework. The order also
requires that Myspace establish a comprehensive privacy
program designed to protect consumers' information, and
to obtain biennial assessments of its privacy program by
independent, third-party auditors for 20 years.