This past Tuesday Facebook agreed to a settlement with the Federal Trade Commission regarding its ever-controversial privacy policy. The complete settlement can be found here. The charge against Facebook was that the company deceived consumers “by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” Of the several points that Facebook agreed to, two are most important for other website owners to consider:

• Facebook can no longer make misrepresentations about the privacy or security of users’ personal information.

• Facebook must obtain consumers’ affirmative express consent before implementing changes that are in contrast to users’ privacy preferences.

As Facebook has been at the forefront of internet-based privacy issues in the past few years, there are several instructional points for website owners to take away from the suit and settlement.

First, as Jerry Seinfeld once explained, any restaurant can take a reservation, but it’s another thing to actually fill the reservation. Likewise, while most websites have already realized that their privacy policy must actually be tailored to their website (rather than copying and pasting from someone else’s privacy policy), website owners must take the additional step of actually following their policy. A privacy policy not only serves to inform users, but it also sets guidelines that the website itself must follow. A company that doesn’t follow its own privacy policy can get into costly trouble.

Second, it is now clear that if you are changing your privacy policy, you must adequately inform your users. While some users may not be that concerned about how public their personal information is, some users will care quite a bit. If you are going to change the policy in a material way, you will need to do more than just change the policy on your site and hope users will notice. You must keep your users updated on what you are doing with their information or else there will be no soup for you!

Third, the Facebook settlement may represent the final tidal wave in the sea change from opt-out privacy options to opt-in. Facebook liked to change its privacy options by making users’ personal information public and then asking users to “opt-out,” meaning that the information was first made public, then users had to manually find and click the option to make it private. Now, when Facebook wants to change its privacy protocol, the personal information will be kept private until the user chooses to allow the information to be public, thus “opting-in.” Opt-in privacy options are likely to become the privacy norm, and depending on your business model and how you use your users’ information, you may be well advised to follow this principle in your own privacy practices.