Google recently settled charges by the Federal Trade Commission (FTC) that Google’s social networking service, Buzz, violated the FTC Act. The FTC-Google settlement prohibits Google from misrepresenting the extent to which it maintains and protects the confidentiality of users’ information and from misrepresenting its compliance with the US-EU Safe Harbor Framework. In that regard, the settlement represents two important “firsts” in FTC enforcement:
The first time a comprehensive privacy program (as opposed to a comprehensive security program) was required by an FTC consent decree.
The first time the FTC has enforced the US-EU Safe Harbor Principles for substantive non-compliance.
Unlike prior settlements in response to data security breaches where the FTC required the implementation of a comprehensive information security program as a remedial measure, the Buzz settlement requires Google to enact a comprehensive privacy program, consistent with the Commission’s “privacy by design” approach that we have previously blogged about. Specifically, the FTC’s proposed settlement requires Google to establish and maintain “a comprehensive privacy program” to “address privacy risks related to the development and management of new and existing products and services for consumers” and “protect the privacy and confidentiality of covered information.”
The settlement also requires Google to “clearly and prominently disclose” if a user’s information will be disclosed to third parties, the identity or specific categories of such third parties, and the purposes for sharing; and to obtain affirmative consent from the user regarding the sharing. In addition, the settlement requires Google to provide a report on the effectiveness of the company’s privacy program biennially to the FTC for the next twenty years.
The FTC’s Complaint that underlies the settlement alleges that Google launched the Buzz social networking service in February 2009 within its Gmail product. Upon logging into their Gmail accounts, users were presented with the option to “Check out Buzz” or proceed to their Gmail inbox. The FTC alleged that even if a user opted to go to his or her inbox, that user’s information was still shared with others in the Buzz network. The FTC claimed that Google therefore did not use the information that users provided to Google only for the purpose of providing them the company’s web-based email service (Gmail) – rather, Google also used this information in connection with the Buzz social networking service. Moreover, Google did not request users’ consent before using the information collected from Gmail users in connection with Buzz.
The FTC further alleged that if a user clicked a link to “Turn off Buzz” certain information about that user was still shared with others. Moreover, the FTC alleged that Buzz did not adequately communicate that certain previously-private information would be shared by default and certain personal information was shared without users’ permission. The FTC also claimed that the “Turn off Buzz” and options to go to the user’s inbox without signing into Buzz were false or misleading because they represented that a user either would not be enrolled in, or would be removed from, Buzz, when in fact a user was enrolled and not removed from the service consistent with these representations.
The FTC also alleged that Google failed to disclose how a user’s information would be shared. These allegations also amounted to a substantive violation of the US-EU Safe Harbor Framework, according to the FTC—particularly, the Notice and Choice and limited purpose principles.
In settling the FTC’s charges, Google did not admit the truth of any of the FTC’s substantive allegations.
This settlement demonstrates the importance of having a comprehensive privacy program in place that ensures that privacy protections are incorporated into web applications from the ground up. The settlement’s requirement that Google enact a comprehensive privacy program demonstrates that the FTC is serious about privacy and foreshadows potential future settlement terms. The settlement also reaffirms the importance of compliance with the US-EU Safe Harbor framework for companies that have opted into this program.