On March 31, 2011, the Federal Trade Commission announced that it reached a settlement with Google concerning allegations that Google used deceptive practices and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The FTC's complaint alleged that when Google launched its social network service called Google Buzz through its Gmail Web-based email product, Google led Gmail users to believe that they could choose whether they wanted to join the network, when in reality, the users were enrolled in certain features of the social network regardless of whether they opted out. The complaint also alleged that certain personal information of Gmail users was shared without consumers' permission through the Buzz social network. Specifically, the complaint alleged that the users' email contacts, which included ex-spouses, patients of mental health professionals, clients of attorneys, and children, were publicly disclosed without adequate notice to the users. The proposed consent order prohibits Google from misrepresenting the privacy and confidentiality of any "covered information" (defined broadly), as well as Google's compliance with any privacy or compliance program, including the U.S.-EU Safe Harbor Framework. The proposed order also requires Google to establish a privacy program to (i) address privacy risks related to the development and management of new and existing products and services; and (ii) protect the privacy of covered information. The proposal further requires Google to obtain an assessment and report biennially from an independent professional for 20 years, making certain certifications concerning compliance with the order. Significantly, this is the first time an FTC settlement order has required a company to implement a comprehensive privacy program; and this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.
Tip: Companies should adopt privacy policies which accurately inform consumers how their information will be used, and should monitor their compliance with their policies.