• by Wendy Davis , Staff Writer @wendyndavis, June 4, 2010

In March, a federal judge approved Facebook's $10 million settlement of a privacy lawsuit stemming from its failed Beacon initiative, which involved telling users about their friends' ecommerce activity.

As part of that settlement, Facebook agreed to fund a new privacy organization, whose board of directors will include Facebook's chief lobbyist Tim Sparapani. Some privacy advocates objected, arguing that Facebook would have too much control over the new group, but the judge presiding over the case approved the settlement anyway.

But as soon as the ink was dry, Facebook created a new privacy storm. In April, the company launched its controversial instant personalization program, which shares users' names and other data with the outside companies Pandora, Microsoft Docs and Yelp; users can opt out, but if they take no action their information is shared by default. Yet more recently, Facebook found itself dealing with fallout from a report stating that the company disclosed names of users who clicked on ads to the advertisers -- a glitch Facebook appears to have already fixed.

Both of those developments have already resulted in lawsuits. In the last seven days, two people sued Facebook for allegedly sharing users' names with advertisers in violation of its privacy policy. A third recently sued the company for disclosing his name to companies who participate in instant personalization.

Yet, while these lawsuits undoubtedly pose a public relations problem for Facebook, they might not pose much of a legal one. That's because the people who are suing haven't so far alleged that they suffered any economic injury as a result of Facebook's actions. In fact, the 9th Circuit Court of Appeals recently reaffirmed that consumers need to show they were harmed by privacy claims -- at least in some cases -- to proceed in court, attorney Venkat Balasubramani reports.

Of course, the plaintiffs in the Beacon case didn't allege monetary losses, but those consumers had a very specific federal law on their side -- the Video Privacy Protection Act. That 1988 law bans the disclosure of movie renters' names without their consent and also provides for $2,500 in damages per incident. Because Blockbuster was among the initial participants in Beacon, Facebook was potentially on the hook for a significant amount of money.

Litigation aside, Facebook still has to deal with Congress, the Federal Trade Commission, and authorities abroad -- where privacy laws are broader than in the U.S. Additionally, Facebook needs to placate its users somewhat; after all, the site is only valuable if people visit it.

To that end, Facebook recently has taken some steps to remedy its privacy problem. CEO Mark Zuckerberg recently announced revisions to the privacy policy, and just this week the company launched a new page devoted to addressing privacy concerns.

That's a start, but Facebook needs to do a lot more. The company needs to rethink its approach to any opt-out initiatives -- especially something like instant personalization, which so clearly goes against users' longstanding expectations. More fundamentally, in the future the company should consider privacy advocates' arguments before making changes to the site, rather than afterwards.