3-16-2012
By Meg RoggensackDirector, Business and Human Rights
In February, Facebook filed for its IPO amid lingering concerns about its privacy policies. The filing, called a Form S-1, is required before a company can become eligible to trade its stock publicly. It contains important information for potential investors—information about the company’s business plans, finances, management and stock ownership. It also discloses risks that the company considers material enough to potentially interfere with the company’s future.
Facebook’s initial Form S1 included among the risk factors disclosed that it could face government and regulatory scrutiny, and/or damage to its brand or reputation, from unauthorized access or use of its users’ data or by violations of its policies by third parties. Third parties, such as platform developers, have access to Facebook’s user information and can manage it in ways that would violate Facebook’s policies and put the company at legal risk.
Recently, Facebook filed an amendment to its registration statement further clarifying those disclosures.
In the recent amendment, Facebook acknowledged that third parties may violate not just the policies that are specifically aimed at third party access (such as Facebook’s Platform Policies), but also the policies designed for Facebook’s users, including Facebook’s terms of service (which serve as the contract between Facebook and its users) and Facebook’s Data Use Policy (which Facebook refers to as its “privacy policy”).
While those clarifications are welcome, Facebook must also recognize that it alone is ultimately responsible for ensuring that sensitive user information provided to third parties is adequately protected. That should be a basic condition of doing business, embedded in contractual language.
But Facebook should go even further: it should ensure that third parties are taking adequate steps to prevent or minimize disclosure of personal information. In light of Facebook’s dominant market position and its trove of user information, the company should actively oversee third party compliance with policies to prevent or minimize disclosure.
Facebook’s current policies don’t explicitly outline measures it takes to protect user information provided to third parties. At a minimum, Facebook should clearly explain:
- what information (either provided by them or collected about them) can be made available to third parties
- what due diligence is conducted before deciding to provide personal information to a third party
- what information may be provided, to whom, and for what purpose
- what internal safeguards have been put in place at both Facebook and the third party to ensure appropriate safeguards for data transfer and handling to prevent unauthorized disclosure
- how Facebook plans to oversee third parties to ensure that policies and safeguards are adequately implemented
- how Facebook will respond to unauthorized disclosures
If Facebook’s goal is to be a leader on privacy, as Mark Zuckerberg repeatedly claims, it needs to actually lead on privacy—by protecting user information provided to third parties.