Facebook has reached a tentative settlement with the Federal Trade Commission over accusations that it deceived consumers by telling them their private information on the social network would remain private when it did not, the FTC said Tuesday.

Under the proposed settlement, Facebook promised to take a number of steps to live up to its promises, including giving consumers clear and prominent notice and obtaining express consent before their information is shared beyond the privacy settings they have established. There were no financial penalties.

“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” FTC Chairman Jon Leibowitz said in announcing the proposed settlement. “Facebook’s innovation does not have to come at the expense of consumer privacy.”

In a blog post Tuesday, Facebook founder Mark Zuckerberg announced the creation of two chief privacy officer posts, one for policy and the other for products. “These two positions will further strengthen the processes that ensure that privacy control is built into our products and policies,” he said.

Zuckerberg tapped Erin Egan, a lawyer specializing in global privacy and data security who recently joined Facebook, as CPO for policy, and Michael Richter, Facebook’s chief privacy counsel, as CPO for products.

Notwithstanding the FTC charges that Facebook violated members’ privacy, Zuckerberg maintained the social network has had a good history of providing transparency and control over who can see members’ information. “That said,” he wrote, “I’m the first to admit that we’ve made a bunch of mistakes. In particular, I think that a small number of high-profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done.” (Beacon allowed a member’s action on an advertiser’s website to be posted in their Facebook news feed without explicit permission from the member.)

Many of the actions the FTC ordered to assure members’ privacy have already been accomplished, Zuckerberg said.

The proposed settlement, which the FTC approved by a 4-0 vote, bars Facebook from making any further deceptive privacy claims, requires that the company get consumers’ approval before it changes the way it shares their data and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.

Congressional Action Mulled

Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., characterized the proposed settlement as just the first step toward protecting consumers’ online privacy. “Ultimately,” he said in a statement, “legislation is needed that empowers consumers to protect their personal information from companies surreptitiously collecting and using that personal information for profit. It’s unacceptable for any company, including Facebook, to change customer privacy settings without their knowledge or consent, especially a company with 800 million users.”

Under the proposed settlement, according to the FTC, Facebook is prohibited from making misrepresentations about the privacy or security of consumers’ personal information. Facebook also is to:

    • Get consumers’ affirmative express consent before enacting changes that override their privacy preferences.
    • Prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account.
    • Establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services and to protect the privacy and confidentiality of consumers’ information.
    • Obtain, within 180 days and every two years thereafter for the next two decades, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order and ensuring that the privacy of consumers’ information is protected.