Earlier today, the Federal Trade Commission announced that Google agreed to settle charges that parts of its Google Buzz social network violated federal law. Specifically, in a draft complaint, the FTC alleged that Google’s practices were deceptive and in violation of Google’s announced privacy policies. While Google entered into a settlement agreement to address this potential regulatory buzzsaw, other service providers and web companies should consider taking a fresh look at their privacy practices and policies, using the proposed settlement as their lens.
The proposed settlement, which remains subject to final FTC approval, stems from Google’s highly publicized efforts in 2010 to use its Gmail webmail service as a springboard for launching Google Buzz. According to the FTC complaint, Google provided Gmail users with a message announcing the service and two options: “Sweet! Check out Buzz” and “Nah, go to my inbox.” The FTC alleged that, among other things, the opt-out was not fully effective, that the opt-in did not fully disclose that some of the user’s information would be made public by default and that the company’s “Turn Off Buzz” option did not fully remove the user from the Buzz network. The FTC also charged that Google misrepresented its compliance with the U.S.-EU Safe Harbor Framework relating to transfer of data to the United States from the European Union. In a blog post today, Google apologized for “the mistakes we made with Buzz,” and stated that it reached agreement with the FTC “to address their concerns.”
Under the proposed settlement, Google does not admit any legal violation with respect to the draft FTC complaint and does not have to pay heavy financial penalties to the U.S. government. However, Google does agree to a set of new, extensive regulatory obligations, including:
- No misrepresentation. Google agrees not to misrepresent “in any manner, expressly or by implication” the extent to which Google maintains and protects privacy and confidentiality of “covered information,” including the purposes for which such information is collected and used and the extent to which consumers may exercise control over collection, use or disclosure of such information. “Covered information” here includes first and last name; home or other physical address; email address or other online contact information (such as a user identifier or screen name); persistent identifier (such as IP address); telephone number (home and mobile); list of contacts; and physical location.
- New disclosure and opt-out requirements. These conditions would apply in each instance of new or additional sharing of a Google user’s specified information with any third party as a result of a change from stated policies at the time of collection or as a result of any change, addition or enhancement to Google’s products or services. These requirements include clear and prominent disclosure that the information will be disclosed to one or more third parties, the identity or specific categories of such third parties and the purposes for the sharing.
- Comprehensive privacy program. Google must implement a new program to address privacy risks associated with new and existing products and to protect the privacy and confidentiality of covered information. Google also must disseminate the order now and in the future to principals, officers, directors, managers and other personnel with relevant supervisory responsibilities.
- Assessments. Google will be subject to initial and biennial assessments by an independent professional of the company’s privacy controls and privacy protections. These requirements will apply for 20 years.
- Recordkeeping. New recordkeeping requirements will apply, such as records regarding the company’s “widely disseminated statements” regarding maintenance and protection of covered information, any relevant customer complaints, documents that “contradict, qualify, or call into question” Google’s compliance with the order and all materials relied upon to prepare the assessments mentioned above. Some records must be retained for as long as five years.
- Notification. Google must notify the FTC about major corporate changes (e.g., mergers, dissolution, bankruptcy) that may affect its compliance obligations.
The FTC’s announcement is full of lessons for service providers and website operators.
- First, the settlement sets a baseline for future FTC privacy enforcement and some “best practices” considerations for privacy policies. The settlement does not include any financial penalty, and given Google’s vast resources, this fact suggests that the FTC sought to make a broader policy statement rather than simply seeking financial penalties. That said, the FTC could seek civil penalties for violations of the order.
- Second, the presence of the opt-in condition, if broadly applied, could have a dramatic effect on Google’s business practices and innovation. It remains to be seen whether the condition will slow down deployment of new services, even those that may be closely related to existing services.
- Third, the definition of “covered information” provides the latest insight into what the FTC likely considers to be personally identifiable information that must be protected.
- Fourth, the complaint offers a litany of lessons on the precautions companies should take to ensure that their privacy practices are consistent with their published privacy policies.
The FTC is accepting public comment on the proposed consent order through May 2, 2011. While the full Commission must still approve the order for it to become final, the FTC today sent a clear message about its enforcement priorities for privacy.