The settlement, the strongest government rebuke yet to the social network, stems from changes Facebook made to its privacy settings in December 2009 to make aspects of users' profiles—such as name, picture, gender and friends list—public by default.
In an aggressive complaint, the Federal Trade Commission charged that Facebook's changes threatened the "health and safety" of users, in part, by exposing "potentially sensitive affiliations" such as political views, sexual orientation or business relationships.
As part of the settlement, Facebook agreed to submit to independent privacy audits every two years for the next 20 years. If it violates the settlement, it can be fined $16,000 per day per violation. The requirement to ask for permission could force Facebook to be less aggressive in the way that it rolls out new features. Previously, Facebook has rolled out features such as facial recognition by asking users to turn new features "off" rather than asking them to turn them "on."
The landmark privacy settlement marks a turning point for the social network as it attempts to build bridges in Washington and appease Wall Street ahead of an initial public offering.
The settlement may go toward quelling investor concerns over Facebook's privacy policies, which have faced intense scrutiny. Facebook may file for an IPO as early as this year and is targeting an offering date between April 2012 and June 2012, people familiar with the matter have said.
Facebook Chief Executive Mark Zuckerberg, in a blog post, said his company made a "small number of high-profile mistakes." In the past 18 months, he said, Facebook has released 20 new tools to give users more control over how they share information. He said Facebook is making a "clear and formal long-term commitment" to "giving you tools to control who can see your information and then making sure only those people you intend can see it," he said.
Mr. Zuckerberg also appointed two attorneys as new chief privacy officers, Erin Egan and Michael Richter. Mr. Richter, previously Facebook's chief privacy counsel, will oversee product-related privacy issues. Ms. Egan will oversee policy-related privacy decisions.
Still, some Facebook users doubt the settlement will change Facebook's behavior. "How can it possibly result in a change?" said Steven Greer, a New Yorker who runs an online health-care information service. "The very fundamental business model of Facebook is to collect information about you and use it to sell ads."
Mr. Greer said he deleted his business's Facebook page a few weeks ago when the company asked him for his cellphone number to verify his account, because he doesn't trust it with his data.
The FTC charged Facebook with eight counts of violating its users' privacy that constituted "unfair and deceptive" behavior. The agency has rarely alleged "unfairness" in privacy-enforcement actions.
"The settlement signals that the FTC will use every tool at its disposal to make sure that every company treats every user's privacy with care and respect," said FTC Chairman Jon Leibowitz.
The FTC alleged that Facebook engaged in deceptive behavior when it promised user privacy protections that it didn't fulfill. Specifically, the agency said Facebook promised that third-party apps would only have access to user information they needed, when in many cases, apps had unrestricted access to users' personal data.
Similarly, the agency said Facebook's "verified apps" program failed to certify the security of apps. The FTC also alleged Facebook didn't delete users' photos and videos when users deleted their accounts, even though it claimed to.
The FTC also said Facebook, which has long claimed it doesn't share users' specific private information with advertisers, was in fact giving a specific user ID to advertisers that could be combined with a user's browsing history, allowing for a more unique identification of users than had been previously known. The FTC didn't have any specific allegations as to how the information was used by advertisers.
In the proposed settlement, Facebook says it admits the facts in the FTC's complaint but expressly denies the FTC's allegations the law has been violated.
Facebook agreed to many of the same terms that Google Inc. agreed to in March when it settled charges that it had deceived users by telling Gmail users that their information would only be used for email, when it was actually used for a social-networking service called Buzz.
Like Google, Facebook agreed to a install a comprehensive privacy review of new products and to seek affirmative consent from users before making changes that override their privacy preferences.
Unlike Google, Facebook negotiated language that says it may in the future seek to modify the requirements for affirmative consent to address "technological changes and changes in methods of obtaining affirmative express consent."
The settlement will be subject to public comment for 30 days before the FTC decides whether to make the agreement final.
The addition of new privacy officers is Facebook's latest effort to develop its relationship with Washington. The company began to revamp its privacy and policy staff in July 2010 with the hiring of Marne Levine as vice president of global public policy. Then, in September, it hired Ms. Egan as senior policy adviser and director of privacy. She was previously a partner at Covington & Burling LLP and co-chairman of its global privacy and data-security practice.
Facebook has also hired Louisa Terrell, former special assistant to President Obama for legislative affairs, to join its Washington office. It hired Erika Mann, a former member of the European parliament, to head its Brussels office.