Anita Ramasastry

Facebook Follies: Why Facebook's Recent Change to its User Agreement Was A Bad Move, and Will Likely Be Unenforceable

By ANITA RAMASASTRY
Tuesday, Feb. 24, 2009

Why are 130,000 Facebook users very angry? The culprit is a small but significant change to Facebook's Terms of Service (its contract with its users) that was made without full notification to all users. The change was a seemingly radical shift: Facebook amended its contract language to reserve the right to continue to use member content forever -- even long after users have closed their accounts or deleted their content.

Users post a great deal of content on their Facebook pages, from age, to marital status, to favorite movies, cars, and even political affiliations. This content is valuable to Facebook and its affiliates for marketing purposes and for possible resale. Can Facebook now do anything it wants with that content? That answer is unclear, but what is clear is that Facebook should not -- and legally cannot -- unilaterally change its Terms of Service without giving users proper notice.

In this column, I will outline Facebook's actions and the public's response. I will also discuss why Facebook was legally required to give its members proper notice of the change, coupled with a chance to unsubscribe or at least to have their prior data governed by the earlier user agreement.

Facebook's Foolish Move: Amending Its Terms of Service and Failing to Be Open with Users About the Change

This is not the first time that Facebook has caused a public outcry over its privacy practices. As I have noted in previous columns such as this one, Facebook has tried new features involving user content that have sparked controversy. This time, however, Facebook took a bold step with its contract that seemed to alter the very nature of the bargain it had struck with its members.

When you join Facebook, under its Terms of Service, you grant Facebook a "license" (that is, legal permission) to use your content "on or in connection with the Facebook Service or the promotion thereof." To some extent, such a license is necessary. While you are using Facebook, it may need to process, store, or share your data with others as part of providing services to you. The controversy occurred because of Facebook's recent revision to the license – purporting to eliminate language that guaranteed that the license would "automatically expire" if content were removed from the site.

How did Facebook notify customers of this change? First, Suzie White, Facebook's corporate counsel for commercial transactions, announced the change on the company's blog on February 4. Ms. White wrote, "We want to let you know that today we're updating our Terms of Use -- the rules you and Facebook agree to when you sign up to use the site. We used to have several different documents that outlined what people could and could not do on Facebook, but now we're consolidating all this information to one central place. We've also simplified and clarified a lot of information that applies to you, including some things you shouldn't do when using the site."

White did provide a link to the new Terms of Service, but did not highlight the change relating to the perpetual license. Facebook also did not send out an email or any other mass communication to notify users of these changes. And White's brief post, which didn't call attention to the content license, largely went unnoticed by users.

A few days later, a blog, The Consumerist, drew public attention to the change. The blog described the change as "We Can Do Anything We Want With Your Content. Forever." That description was pretty much accurate. The new Terms of Service read as follows:

"You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof."

The new Terms of Service differed from the old Terms of Service, due to the deletion of these two sentences: "You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content." These sentences had made the license limited, not perpetual.

Users Revolt, EPIC Threatens to Complain, and Facebook Caves

In response to the furor over the Facebook Terms of Service changes, the nonprofit Electronic Privacy Information Center (EPIC) prepared a draft complaint, which it planned to file with the Federal Trade Commission (FTC), stating that Facebook's changes amounted to a deceptive trade practice. The complaint contended that "It simply cannot be correct that Facebook, having induced millions of Internet users to provide detailed personal information to share with their friends and colleagues, can now transform the terms of service under a take-it-or-leave-it edict that does not even allow users who choose to cancel the service the opportunity to recapture the data they provided. It is precisely in such circumstances that agencies charged with protecting consumers and safeguarding a fair and transparent marketplace must intervene."

Meanwhile, Facebook users founded the site People against the New Terms of Service to protest the change -- which now has 130,000 members and is growing.

Based on the possible FTC enforcement action and the public criticism, Facebook caved. Barry Schmitt, a Facebook spokesperson, noted, "It was never our intention to confuse people or make them uneasy about sharing on Facebook. I also want to be very clear that Facebook does not, nor have we ever, claimed ownership over people's content. Your content belongs to you." Schmitt added, "We do need certain licenses in order to facilitate the sharing of your content through our service. That's where the Terms of Use come in." Schmitt noted that Facebook would be studying its Terms of Use and revising them anew but "[i]n the meantime, we've decided to revert to the old Terms as we work to address this."

EPIC and other privacy groups rightly heralded this as a victory for Facebook members. But let's imagine that Facebook hadn't backed down. Could it have prevailed in defending the new Terms of Service?

Would the New Terms of Service Have Been Enforceable? Not Without Direct Notice to Customers, According to a Ninth Circuit Decision

Facebook backed down in the face of opposition. But was the change to their terms of service enforceable? The answer is likely no. Facebook did not provide true notice to its members of the changes it had made. And in 2007, the U.S. Court of Appeals for the Ninth Circuit in Douglas v. Talk America Inc., held that a company could not unilaterally change its contract with customers by posting the new terms on its website.

In that case, former AOL subscribers brought a class action against Talk America (a company acquired by AOL) on the ground that it had attempted to change its Terms of Service simply by posting a revised contract on its website, without any further notice to customers. The revised contract purported to add certain service charges, waive users' right to bring class actions, and add an arbitration clause and a New York choice-of-law provision. The case appears to have been the first of its kind. The Ninth Circuit concluded that the revised Terms of Service was not a binding modification or new contract – defined by the classic requirements of offer, acceptance and consideration. Instead, it was merely an offer, which would not be binding until and unless users accepted it.

The Ninth Circuit also made clear that users did not accept the offer simply by continuing to use the service. In addition, it noted the problem with the practice of simply posting new Terms of Service without directly notifying users, explaining that a party would not "know when to check the website for possible changes to the contract terms without being notified that the contract has been changed and how." In addition, the Court noted that it would be cumbersome for users to have to check the site daily for possible changes to the Terms of Service contract, comparing every word of it with the version that had been posted the day before. Finally, while the reported decision did not state whether the original contract permitted posting of changes online, under the Ninth Circuit's logic it seems very unlikely that such a provision would moot the need for direct notice to customers.

If Facebook Had Simply Given Users Direct Notice of the Changes to Its Terms of Service, Would The Change Then Have Been Legal?

Now, let's suppose – contrary to fact – that Facebook had given users direct notice of the change to its Terms of Service, rather than merely posting them on its blog. Would that solve the company's legal problems? Not necessarily, for a deceptive trade practices issue would still remain.

As EPIC argued, Facebook has induced people to subscribe and participate because of its privacy practices and its original Terms of Services -- which seemed to say that once you delete your material, Facebook relinquishes any right to use it, aside from archiving it. A court, or the FTC, might deem it unfair or deceptive for Facebook to change the rules of the game after enticing consumers to be free with what they posted on their Facebook pages.

But what if, in addition to providing users with direct notice of the change in the Terms of Service, Facebook had also offered customers the chance to unsubscribe and thus have their information kept confidential? Or, what if users received direct notice and Facebook's new Terms of Service had explicitly not applied to existing information, but only to future information? In that case, the Terms of Service might pass muster, for users could no longer claim a bait-and-switch as to old material, and it seems unreasonable to ask a company never to change its Terms of Service in a prospective – as opposed to retrospective – way.

The Need for Notice to Users Is Also Underlined By the FTC's Gateway Case

As noted above, EPIC had planned to file a complaint challenging Facebook's actions with the FTC -- which already requires that users must be given notice, and must accept companies' material changes to their privacy policies. For example, in the case In re Gateway Learning Corp., filed in 2003, the FTC charged that Gateway engaged in an illegal "unfair and deceptive practice" when it materially changed its privacy policy and attempted to apply it retroactively to data it had previously collected from consumers. Gateway had not provided its customers with notice of the changes. This was the first FTC case of this nature.

More specifically, the FTC alleged that Gateway Learning (the sellers of "Hooked on Phonics") had violated federal law when it rented out its customers' personal information to marketers, despite explicit promises made in its privacy policy. The FTC claimed that, after collecting consumers' information, Gateway Learning altered its privacy policy to allow it to share the information with third parties without notifying consumers or getting their prior consent. This seems like the same kind of bait-and-switch argument we saw above with the Talk America/AOL case, and arguably with the Facebook situation.

According to the FTC, since 2000, Gateway Learning's online privacy policy had stated, "We do not sell, rent or loan any personally identifiable information regarding our consumers with any third party unless we receive customer's explicit consent."

However, the FTC alleged that, despite these promises, Gateway Learning started renting out its customers' data -- including their names, addresses, phone numbers, and even the age ranges and gender of their children. The marketers who received such data would use it to send targeted mailings and telemarketing calls.

In June 2003, Gateway Learning revised its online privacy policy for its Hooked on Phonics website to say that "from time to time" Gateway Learning would provide consumers' personal information to "reputable companies" whose products or services consumers might find of interest, the FTC complaint alleged. However, according to the FTC, Gateway Learning continued to also rent out data collected under the earlier policy, and failed to contact consumers who had already provided their information to give them notice of the new privacy policy. Nor did Gateway highlight on its website the fact that the privacy policy had changed.

Ultimately, the FTC's settlement barred Gateway from making deceptive claims about how it would use consumers' information, and from applying material changes in its privacy policy retroactively, without consumers' consent.

The Lesson for Facebook and Other Companies: Don't Use the Bait-and-Switch Regarding Past Data, and Give Users Direct Notice of Terms of Service Changes

The Gateway settlement seems directly relevant to the Facebook dispute – raising the same kind of issues of privacy, notice, retroactivity and the bait-and-switch. Among the lessons Facebook should take away from the controversyis that its members do not like to lose control of their information for good; they want clear, direct notice if changes are made; and they do not want information that Facebook promised to protect to be suddenly stripped of protection. 130,000 concerned members have registered their displeasure and the number is growing. Facebook needs to re-earn its users' trust – for both legal and loyalty reasons.



Anita Ramasastry, a FindLaw columnist, is the D. Wayne and Anne Gittinger Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, computer data security issues, and other legal issues for this site, which contains an archive of her columns.

Ads by FindLaw