Today, the FTC announced a settlement with Google, concerning allegations that Google used deceptive practices and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010.
Significantly, this is the first time an FTC settlement order has required a company to implement a comprehensive privacy program; and this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.
In its administrative complaint, the Commission alleges that when Google launched its social network service called Google Buzz through its Gmail web-based email product, Google led Gmail users to believe that they could choose whether they wanted to join the network. Specifically, on the day Buzz was launched, Gmail users got a message announcing the new service and were given two options: “Sweet! Check out Buzz,” and “Nah, go to my inbox.” However, the complaint alleges that some Gmail users who clicked on “Nah” were nonetheless enrolled in certain features of the social network; and for those Gmail users who clicked on “Sweet!,” they were not adequately informed that the identity of individuals they emailed would be shared publicly by default. The FTC finds that while Google also offered a “Turn Off Buzz” option, that option did not fully remove the user from the social network. The FTC also finds that certain personal information of Gmail users was shared without consumers’ permission through the Buzz social network.
The FTC complaint notes that in response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts, which included ex-spouses, patients of mental health professionals, clients of attorneys, and children.
In alleging violations of the FTC Act, the Commission charged that Google:
• did not use information from consumers only for the purpose of providing them with a web-based e-mail service; instead, Google used the information to populate its new social networking service;
• did not seek consumers’ consent before using the information they provided;
• falsely represented the features of the Buzz social network; and
• falsely represented that consumers would be able to exercise control over what information would be made public through their Google public profile.
The FTC complaint also finds that Google’s failure to adhere to the U.S. Privacy Principles of Notice and Choice issued by the Department of Commerce in connection with the U.S.-EU Safe Harbor Framework constitutes a deceptive act or practice.
The proposed consent order prohibits Google from misrepresenting the privacy and confidentiality of any “covered information” (defined broadly) as well as Google’s compliance with any privacy or compliance program, including the U.S.-EU Safe Harbor Framework. The proposed order also requires Google to establish a privacy program to (i) address privacy risks related to the development and management of new and existing products and services; and (ii) protect the privacy of covered information. The proposal also requires Google to obtain an assessment and report biennially from an independent professional for 20 years, making certain certifications concerning compliance with the order.
Key Takeaways:
• When companies intend to develop new products or services, they need to determine how these changes impact their current privacy policies and practices and whether the core principles set forth by the FTC as well as the Department of Commerce in their recent papers are being adhered to;
• The FTC intends to enforce aggressively the issues relating to privacy and to protect consumers’ expectations concerning the disclosure of their personal information; and
• The FTC intends to actively influence the current debate on privacy.