FTC Settlement with Google Establishes New Norm for Privacy Enforcement

Continuing a recent flurry of activity in the privacy realm, the Federal Trade Commission (“FTC”) on March 20 announced a proposed settlement with Google that arose out of the FTC’s claims that Google used “deceptive tactics and violated its own privacy promises to consumers” during the company’s launch of its social networking service known as Buzz. 

According to the FTC’s allegations, Google led Gmail users to believe that they had a choice about whether they wanted to enroll in the Buzz networking feature when, in practice, some users did not. The FTC claimed that, for users who joined Buzz, controls for limiting the sharing of their personal information were confusing and difficult to find. When Buzz launched, Gmail users got two options: “Sweet! Check out Buzz” or “Nah, go to my inbox.”  According to the FTC, some Gmail users who opted for the “Nah” option were nevertheless enrolled in certain parts of Buzz. The FTC staff also noted that those Gmail users who opted for the “Sweet!” option were not informed adequately that their most frequent email contacts would be made public by default.  

At the time of the launch of Buzz, Google’s privacy policy stated: “When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.”  The FTC claimed that Google violated its policy by sharing subscriber data via Buzz without prior consent. The FTC also alleged that, while Google claimed it safeguarded personal information from the European Union in accordance with the Safe Harbor framework,¹ it failed to do so. 

The proposed settlement requires Google to implement opt-in requirements and to adopt a comprehensive privacy protection program. With respect to these obligations, Google’s requirements will apply to “covered information,” which has been defined broadly to include not only traditional categories of personal information such as name and address, but also email addresses, screen names, physical location and lists of contacts. The proposed statement provides that Google must obtain express opt-in consent from a user before it introduces new services that will involve the public disclosure of that user’s information.  

The proposed settlement also (i) requires Google to implement a comprehensive privacy program and to have privacy audits conducted for the next 20 years, and (ii) is specific in defining the elements on the privacy program. Specifically, Google will be required to: 

• Designate an employee or employees to coordinate and be responsible for the privacy program; 
• Identify reasonably foreseeable, material risks, both internal and external, that could result in the unauthorized collection, use or disclosure of covered information and assess the sufficiency of any safeguards in place to control these risks;  
• Design and implement reasonable privacy controls and procedures to control the risks identified through the privacy risk assessment and regularly test or monitor the effectiveness of the safeguards’ key controls and procedures;  
• Develop and use reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from respondents, and require service providers by contract to implement and maintain appropriate privacy protections; and 
• Evaluate and adjust its privacy program in light of the results of the testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on the effectiveness of its privacy program.  

Implications

 While the FTC has been flexing its advisory and enforcement muscles in recent months, this case is particularly notable. There are a number of important lessons to be learned from the proposed Google settlement: 

• The proposed settlement establishes a new norm for privacy enforcement. Given the terms of the settlement, companies should be concerned not only about ensuring they are keeping the promises that they make to users, they should also consider whether they are giving users a genuine choice before publicly disclosing information previously submitted as private. 
• The FTC and privacy experts have been mentioning the concept of “privacy by design” fairly often. By emphasizing the concept in this settlement, the FTC shows that “privacy by design” is here to stay, and that companies that fail to address privacy considerations risk being called to task for failing to do so. 
• The terms of the proposed settlement apply to the broadly defined “covered information.” Using these terms, the FTC has established that users maintain a privacy interest in a wide range of personal information, including such information that has not been traditionally viewed as constituting “personal information.” 
• The proposed settlement has important implications for companies considering offering new products and services that will make use of data that was previously collected. Companies rolling out such new products or services are well advised to consider the related privacy implications and, where necessary, obtain appropriate consents for any new uses and/or disclosures. 
• The action emphasizes the importance of ensuring representations made regarding compliance with the Safe Harbor program are accurate.

Resources

The draft FTC complaint, the proposed FTC consent order and an analysis of the proposed settlements are all available for viewing online.