Regulatory Buzzsaw? Google Settles With FTC over Privacy Charges Related to Google Buzz

Earlier today, the Federal Trade Commission announced that Google agreed to settle charges that parts of its Google Buzz social network violated federal law.  Specifically, in a draft complaint, the FTC alleged that Google’s practices were deceptive and in violation of Google’s announced privacy policies. While Google entered into a settlement agreement to address this potential regulatory buzzsaw, other service providers and web companies should consider taking a fresh look at their privacy practices and policies, using the proposed settlement as their lens. 

The proposed settlement, which remains subject to final FTC approval, stems from Google’s highly publicized efforts in 2010 to use its Gmail webmail service as a springboard for launching Google Buzz. According to the FTC complaint, Google provided Gmail users with a message announcing the service and two options: “Sweet! Check out Buzz” and “Nah, go to my inbox.”  The FTC alleged that, among other things, the opt-out was not fully effective, that the opt-in did not fully disclose that some of the user’s information would be made public by default and that the company’s “Turn Off Buzz” option did not fully remove the user from the Buzz network. The FTC also charged that Google misrepresented its compliance with the U.S.-EU Safe Harbor Framework relating to transfer of data to the United States from the European Union.  In a blog post today, Google apologized for “the mistakes we made with Buzz,” and stated that it reached agreement with the FTC “to address their concerns.”  

Under the proposed settlement, Google does not admit any legal violation with respect to the draft FTC complaint and does not have to pay heavy financial penalties to the U.S. government. However, Google does agree to a set of new, extensive regulatory obligations, including:

  • No misrepresentation. Google agrees not to misrepresent “in any manner, expressly or by implication” the extent to which Google maintains and protects privacy and confidentiality of “covered information,” including the purposes for which such information is collected and used and the extent to which consumers may exercise control over collection, use or disclosure of such information. “Covered information” here includes first and last name; home or other physical address; email address or other online contact information (such as a user identifier or screen name); persistent identifier (such as IP address); telephone number (home and mobile); list of contacts; and physical location.
  • New disclosure and opt-out requirements. These conditions would apply in each instance of new or additional sharing of a Google user’s specified information with any third party as a result of a change from stated policies at the time of collection or as a result of any change, addition or enhancement to Google’s products or services. These requirements include clear and prominent disclosure that the information will be disclosed to one or more third parties, the identity or specific categories of such third parties and the purposes for the sharing.
  • Comprehensive privacy program. Google must implement a new program to address privacy risks associated with new and existing products and to protect the privacy and confidentiality of covered information. Google also must disseminate the order now and in the future to principals, officers, directors, managers and other personnel with relevant supervisory responsibilities.
  • Assessments. Google will be subject to initial and biennial assessments by an independent professional of the company’s privacy controls and privacy protections. These requirements will apply for 20 years.
  • New recordkeeping requirements will apply, such as records regarding the company’s “widely disseminated statements” regarding maintenance and protection of covered information, any relevant customer complaints, documents that “contradict, qualify, or call into question” Google’s compliance with the order and all materials relied upon to prepare the assessments mentioned above. Some records must be retained for as long as five years.
  • Notification. Google must notify the FTC about major corporate changes (e.g., mergers, dissolution, bankruptcy) that may affect its compliance obligations. 

The FTC’s announcement is full of lessons for service providers and website operators.  

  • First, the settlement sets a baseline for future FTC privacy enforcement and some “best practices” considerations for privacy policies. The settlement does not include any financial penalty, and given Google’s vast resources, this fact suggests that the FTC sought to make a broader policy statement rather than simply seeking financial penalties. That said, the FTC could seek civil penalties for violations of the order. 
  • Second, the presence of the opt-in condition, if broadly applied, could have a dramatic effect on Google’s business practices and innovation. It remains to be seen whether the condition will slow down deployment of new services, even those that may be closely related to existing services.
  • Third, the definition of “covered information” provides the latest insight into what the FTC likely considers to be personally identifiable information that must be protected.
  • Fourth, the complaint teaches a litany of lessons about the precautions companies should take to ensure that their privacy practices are consistent with their published privacy policies.

The FTC is accepting public comment on the proposed consent order through May 2, 2011. While the full Commission must still approve the order for it to become final, the FTC today sent a clear message about its enforcement priorities for privacy.

Court Recognizes Privacy Rights for Email Subscribers; Addresses the Role of Internet Service Providers

Just in time for the holiday season, a federal appeals court has presented Internet Service Providers (ISPs) with a “worry issue” that’s as welcome as a re-gifted fruitcake. How should ISPs respond to law enforcement requests for copies of their subscribers’ email when the government doesn’t provide a search warrant? While the issue isn’t new, thanks to the court’s recent decision, ISPs’ concerns have become more complicated.

In U.S. v. Warshak, a panel of the U.S. Court of Appeals for the 6th Circuit found that an ISP subscriber had a reasonable expectation of privacy in his emails and thus was entitled to the Fourth Amendment’s protections against unreasonable searches and seizures by the government. The case was a complex federal criminal prosecution involving the principals of a company that distributed “an herbal supplement purported to enhance male sexual performance.” The Appeals Court found that the government violated the defendant’s constitutional rights by compelling the ISP to turn over the defendant’s emails without first obtaining a search warrant supported by probable cause.

The defendant sought to have the trial court exclude thousands of emails obtained by the government.  Warshak held that the defendant enjoyed a reasonable expectation of privacy in the emails due to his subjective expectations (because the emails contained sensitive material) and because the ISP served as an intermediary for the defendant’s messages, not as an intended recipient.  Prosecutors argued that government agents acted in reliance on a federal statute (the Stored Communications Act [“SCA”]) that permits disclosure of the contents of electronic communications in certain circumstances.  The Appeals Court found the SCA to be partially unconstitutional but declined to exclude the emails, finding that the government agents acted in good faith reliance on the SCA.

The case has several important takeaways for ISPs.  First, ISPs may need to take a fresh look at their potential liability to their subscribers if they provide the subscriber’s emails to the government.  Even if the ISP controls the emails and the service agreement provides it with limited rights of access, a court may find that a subscriber likely has a “reasonable expectation of privacy” and therefore Fourth Amendment protections.

Such an expectation does not exist in all cases – the Appeals Court noted that an ISP’s expressed intention to “audit, inspect, and monitor” emails may render the expectation of privacy unreasonable.  Accordingly, ISPs may wish to review their service agreements to determine what they are telling subscribers about the ISP’s inspection of emails, about how the ISP will respond to legal processes designed to access subscriber emails and what notices, if any, will be given to subscribers in these instances. 

Second, the ruling also impacts business issues.  Consumers demand private, secure communications and more generally, privacy concerns permeate many aspects of Internet services.  An enhanced expectation of privacy by consumers may translate into additional costs for service providers. 

Third, many federal and state laws address privacy in electronic communications, so the contours of this privacy right are a work in progress, particularly in light of technological changes.  For example, the SCA was enacted in 1986 -- years before email was widely used and available.  As a result, don’t expect the Warshak decision to be the last word.  While the ruling applies directly in states within the 6th Circuit (i.e., Kentucky, Michigan, Ohio and Tennessee), it can be deemed persuasive authority elsewhere, but other jurisdictions also may reach different conclusions.  The U.S. Supreme Court also may be expected to weigh in at some point given the importance of the issue.

"Do Not Track" Gains Momentum in Washington

As the Federal Trade Commission considers addressing Internet privacy through “Do Not Track” proposals, these efforts recall a line from Jack Lemmon’s 1960s film The Apartment: “that’s the way it crumbles … cookie-wise.” With the Internet economy’s heavy reliance on targeted advertising as a revenue generator, overregulation in this space could leave crumbs everywhere.

In this particular cautionary tale, the notion of personal space is more fluid than in The Apartment’s darkly comic fable about the repeated invasions of a clerk’s apartment by his bosses. In the Internet space, the innovation and functionality that consumers demand requires reasonable compromises as far as consumer data is concerned. Companies that engage in behavioral advertising and/or the collection, use and dissemination of online browsing data – often through the use of Internet “cookies” – work to generate revenues amid their users’ expectations of privacy. Advertising and tracking services deploy new and complex ways to follow users’ steps through the Internet, such as monitoring purchasing behavior and other activities. These efforts often benefit consumers as well -- content can be tailored to those users’ browsing habits and may provide a level of personalization through storing commonly used information, site preferences or other methods.

Nevertheless, despite efforts by many websites to craft privacy policies to address users’ concerns, some consumers are unaware of these tracking methods or of the data being collected. Some advocates support a “Do Not Track” approach to permit consumers to reject the collection and use of their data, and the FTC has weighed in with its support. In its December 1, 2010 report on Consumer Privacy, the FTC proposes a framework for enhancing consumer privacy on the Internet. Existing FTC regulation focuses on increasing notice to consumers about privacy practices, on promoting consumer choice for data practices and on consumer protection through FTC enforcement. The FTC’s new approach has several components: 1) Companies should adopt a “privacy by design” approach toward building privacy protections into their business practices; 2) Companies should provide simpler and more streamlined notice to consumers about data practices, and consumers should be afforded the opportunity to make informed and meaningful choices; and 3) Companies should make data practices more transparent to consumers.

Most significantly, the FTC supports the use of “Do Not Track” as part of the enhanced “notice” approach. “Do Not Track” would involve the use of a “persistent setting” on the consumer’s browser that would prevent tracking and targeted ads as the user browses or searches the Internet. In concept, the approach takes its cue from the wildly popular “Do Not Call” registry adopted by Congress several years ago. The impact of “Do Not Track” – and the potential unintended consequences – may be more significant. Early reports indicate that there are many technical challenges to implementation of a universal approach, and some useful website functionality may be disabled. More importantly, the potential for systemic blocking of targeted ads threatens the ad-based revenue model that dominates Internet commerce.

The FTC’s proposals are sure to draw much attention in the industry and among policymakers. As with “Do Not Call,” implementation and enforcement of “Do Not Track” likely requires some sort of federal legislation, and Congress has begun holding hearings on the matter in recent days. Expect “Do Not Track” to be a hot button issue in 2011, and keep an eye on the cookie jar.