The Federal Trade Commission (“FTC”) announced today that Google has agreed to settle FTC charges that it used deceptive tactics and violated its privacy promises when launching Google’s Buzz in 2010. Google will have to implement a “comprehensive privacy program,” as laid out in the proposed consent order. The agreement is subject to public comment through May 1, 2011, after which the FTC will decide whether to make the proposed consent order final.
The proposed consent order refers to both the FTC Act and to the US-EU Safe Harbor Framework, a reference that is likely to be well appreciated in the European Union.
Agreement containing consent order available here.
Complaint available here.
The 2010 complaint
In February 2010, Google launched a social network within Gmail, Google Buzz (“Buzz”). Gmail users were sometimes set up with followers automatically and without prior notice (Complaint at 7). These followers were the persons they emailed and chatted with the most in Gmail (Complaint at 8). Even if Gmail users chose to opt out of Buzz, they could nevertheless be followed by other Buzz users, and their public profile, if they had indeed created one, would then appear on their followers’ Google public profiles (Complaint at 8 and at 9).
The FTC complaint alleged that Google had violated the FTC Act when it represented to consumers signing up for a Gmail account that Google would only use their information to provide them this webmail service, whereas Google also used this information to sign them up for Buzz automatically and without their consent. Google also represented that consumers would be able to control whether or not their information would be made public.
The complaint also alleged that Google did not adhere to the Safe Harbor Framework Privacy Principles of Notice and Choice, as Google did not give notice to users before using their personal information for a purpose different from the one for which the data was originally collected. Also, Gmail users were not given a choice when Google used their information for a purpose incompatible with the purpose for which it was originally collected (Complaint at 25).
The complaint alleged that Google did not communicate “adequately” that “certain previously private information would be shared publicly by default,” and that the controls allowing users to change the defaults were “confusing and difficult to find” (Complaint at 9). Also, certain personal information was shared without Gmail users’ permission (Complaint at 10). For instance, individuals blocked by a Gmail user were not blocked in Buzz, and could thus be a follower on Buzz (Complaint at 10). Even more puzzling, it was not possible to block a follower who did not have a public Google profile, and the Gmail user could not even know this follower’s real identity (Complaint at 10). Also, Buzz offered an @reply function which sometimes caused contacts’ private email addresses to be exposed to all followers, where they could then be found by search engines.
Google made some changes following widespread criticism and thousands of customer complaints. Users were given the ability to disable Buzz. Followers were no longer added automatically based on Gmail contacts, but merely suggested. Users could also block any follower, and Buzz users were given the option not to show their followers’ list on their public profile. The @reply function would no longer make private addresses public.
However, the FTC nevertheless issued a complaint in 2010, and Google has now agreed to settle.
A comprehensive privacy program
The Buzz settlement is particularly interesting as it is the first time that an FTC settlement order requires a company to implement a comprehensive privacy program to protect the privacy of consumer data.
Indeed, the proposed consent order requires Google to implement a “comprehensive privacy program,” documented in writing, which must “(1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of covered information” (proposed consent order p. 4). This program must designate which employees are responsible for the program. It must identify the reasonably foreseeable risks, external or internal, of Google collecting, using, or disclosing personal information without authorization, and put safeguards in place to prevent these risks. It must also design and implement “reasonable privacy controls and procedures, and regularly monitor the efficiency of privacy controls.” The program must also select service providers in charge of protecting personal data privacy, and enter into contracts with them. This comprehensive privacy program will be evaluated and adjusted if necessary, in light of its results (proposed consent order p. 4-5).
Also, Google will have to obtain from a qualified third-party professional an initial assessment, and then biennial assessments and reports, setting forth the specific privacy controls implemented by Google, explaining why such controls are appropriate, and explaining how they have been implemented. The third-party professional will also certify that such controls are effective (proposed consent order p. 5-6).
It will be interesting to see if U.S. companies will start to use the comprehensive privacy program framework as a reference for their own privacy programs, and if EU Data Protection Agencies will require U.S. organizations that have self-certified to the U.S.-EU Safe Harbor Framework to implement such a privacy program to be deemed compliant.