FTC Adds Google Privacy Requirements Following Buzz Fiasco
The FTC and Google agreed to implement tougher privacy restrictions and independent audits following the company’s ill-fated launch of the Buzz social networking service in 2010. Google settled with the commission Wednesday on claims that the company used deceptive tactics in violation of the FTC Act and betrayed its own privacy promises to consumers. But Commissioner Thomas Rosch said the FTC’s “opt-in” requirement was problematic and he couldn’t understand why Google agreed to it. Lawmakers hailed the decision but consumer groups said the FTC’s penalties are insufficient.
Google must create and maintain a “comprehensive” privacy program and submit to independent third-party privacy audits for the next 20 years, the settlement said. “We expect Google to take a look at what the risks are to privacy and put in place reasonable privacy controls around those procedures,” said Mark Eichorn, assistant director at the FTC’s Bureau of Consumer Protection. The biennial privacy audits will be conducted by an FTC-approved company of Google’s choosing, Eichorn told us. “The comprehensive privacy program and the auditing requirement are the first of their kind,” said Eichorn. “This is solid relief that will put privacy in the forefront of Google’s framework moving forward.”
The FTC banned Google from misrepresenting the privacy and confidentiality of individuals’ information, and the company must comply with any other “privacy, security, or compliance programs,” including the U.S.-EU Safe Harbor framework, the settlement said. Furthermore, Google must now obtain users’ consent to share information with any third party if the company changes its products or services. If Google violates any of the conditions of the consent agreement, it will be liable for a civil penalty up to $16,000 for each violation, the agreement said.
Google launched the Buzz social network through its Gmail service in 2010. On the day it debuted, users were offered two options: “Sweet! Check out Buzz,” or “Nah, go to my inbox.” Those who selected “Sweet! Check out Buzz,” discovered that the identities of individuals they emailed most frequently were made public by default. Users who selected “Nah, go to my inbox” were also enrolled in certain features of the Google Buzz social network, the FTC alleged. Consumers immediately became concerned about public disclosure of their email contacts and the lack of control they had over who could follow them (WID Feb 16/10 p6).
The FTC charged that Google violated its privacy policies by using Gmail information for social networking purposes without obtaining consumers’ prior consent. Google’s privacy policy at the time that Buzz was launched said: “When you sign up for a particular service that requires registration we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected then we will ask for your consent prior to such use.” Google did not properly ask for consent, controls for limiting the sharing of personal information were confusing, and Google failed to disclose that consumers’ frequent email contacts would become public by default, the FTC said.
The FTC voted unanimously to accept the consent agreement package, but Commissioner Rosch had “substantial reservations” about it, saying in his concurring statement the “opt-in” requirement was inconsistent with the public interest and could be used as leverage in dealing with the practices of other competitors. The commissioner also said the settlement over-expanded the FTC’s reach, and was not forward-thinking. The proposed consent order “seems to be contrary to Google’s self-interest,” said Rosch. “I therefore ask myself if Google willingly agreed to it, and if so, why it did so.”
Google said in a brief entry on the official Google blog that Buzz “fell short” of its own privacy and transparency policies. “We'd like to apologize again for the mistakes we made with Buzz,” wrote Alma Whitten, Google’s director of privacy, product and engineering. “While today’s announcement thankfully put this incident behind us, we are 100 percent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward.” Google said it will adhere to the conditions of its agreement with the FTC and the company will ask users to give “affirmative consent before we change how we share their personal information” in the future.
Some consumer groups said it’s the agreement that fell short and the FTC should do more to punish Google’s privacy abuse. “Fines of $16,000 for violating the provisions of its own privacy policy are hardly a deterrent to a company worth $180 billion,” said Morgan Reed, executive director at the Association for Competitive Technology, a group affiliated with Google rival Microsoft. “The FTC needs to take decisive action against Google that is strong enough to deter them from repeatedly violating consumer privacy.” Consumer Watchdog said Google got off easy and the FTC should levy more substantial fines for Google’s privacy abuse. “Nothing will completely stop Google from invading users’ privacy until it gets hit where it hurts, its bank accounts,” said John Simpson, director of Consumer Watchdog’s Privacy Project.
Lawmakers said better privacy protections should be applied to the framework of all Internet companies, not just Google. Senate Communications Subcommittee Chairman John Kerry, D-Mass., said the agreement validates the call for a privacy bill of rights. “If an entity is going to engage in the collection of people’s personally identifiable information then it must build strong privacy protections into all of its operations,” Kerry said in a press release. “Every company should adhere to this kind of standard, not just Google, and it’s best for businesses and consumers alike to have certainty about the rules and standards going forward.” Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., in a press release hailed the FTC’s agreement as a “wake-up call for online businesses.” “Google was just plain wrong when it opted people into Buzz without their consent,” Rockefeller said. There is a need to be “clear and honest about how the personal information of consumers is collected and used,” he said.
Industry players like Google must develop a better privacy framework to help users control their own privacy provisions, said the Center for Democracy & Technology. “This settlement sends the message that companies not only have to keep the promises they make to consumers, they must give users control over any technologies that make their information public,” said CDT President Leslie Harris. “We expect industry to quickly adopt the new requirement for opt-in consent before launching any new service that will publicly disclose personal information,” Harris said. The settlement shows the FTC has sufficient and “sweeping powers” to protect consumer privacy online, said TechFreedom. “The FTC can, and should, use its existing enforcement powers to build a common law of privacy focused on real problems, rather than phantom concerns,” said Berin Szoka, president of TechFreedom. Some tech trade groups opposed a provision to expand FTC authority in a House financial reform bill last year (WID May 5 p5).
The FTC will publish a description of the consent agreement package in the Federal Register “shortly,” the commission said. The public may submit comments on the agreement through May 1, after which the Commission will decide whether to make the agreement final. Comments can be submitted at http://xrl.us/bjg5z9.