- accurately represent “the extent to which it maintains the privacy or security of covered information”;
- clearly and prominently disclose any changes, and to obtain affirmative express consent, prior to sharing nonpublic Facebook user information with any third party in a manner that materially exceeds the restrictions the user has chosen through privacy settings;
- adopt “procedures reasonably designed to ensure that covered information cannot be accessed by any third party” no more than 30 days after the user has deleted the information or terminated the account;
- establish and implement a comprehensive privacy program, reasonably designed to address privacy risks and to protect covered information, with controls and procedures that are appropriate to Facebook’s size, complexity, activities, and the sensitivity of the information it collects:
  - The detailed requirements for this program incorporate elements of the FTC’s Privacy Report released December 2010, which we summarized here.
  - The required privacy program also incorporates elements contained in the Personal Data Privacy and Security Act introduced earlier this year by Senator Leahy (D. Vermont). The most far-reaching of these may be the requirement that Facebook develop and use reasonable steps to use only service providers (a term the order leaves undefined) that are capable of appropriately protecting the privacy of covered information, and that it contractually require those service providers to implement and maintain appropriate privacy protections as well;
- maintain detailed records of compliance with these terms, and to submit to independent privacy audits every two years for twenty years to demonstrate compliance.