The FTC found that Facebook was sharing user information with advertisers, misinforming users about how they could control their own personal information, permitting third-party applications to gain access to all user information, beyond what they needed to operate, and maintaining public access to information and images from deleted accounts.
Under the deal, which was announced in November and was subject to public comment before being finalized, Facebook agreed to independent privacy audits every two years for a 20-year period, and to make sure that users consent to any sharing of their personal information, either by Facebook or by third-party applications. Facebook is subject to fines of $16,000 for violations of the order.
The order was approved by a vote of 3-1, with Commissioner Maureen Ohlhausen not participating. Commissioner J. Thomas Rosch dissented, objecting that Facebook didn't admit to any violations, and because he was not convinced that the FTC's ruling would apply to third-party applications.
The majority statement sought to allay these concerns, saying that the terms of the settlement, "make clear that Facebook will be liable for conduct by apps that contradicts Facebook's promises about the privacy or security practices of these apps."