On March 30, 2011, the Federal Trade Commission announced that Google agreed to settle charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. According to the FTC’s complaint (main document, exhibits), Google led Gmail users to believe that they could choose whether or not they wanted to join Google Buzz. The options for declining or leaving Google Buzz, however, were ineffective. For those who joined Google Buzz, the controls for limiting the sharing of their personal information were difficult to locate and confusing. Furthermore, the FTC charged that Google violated its privacy policies by using information provided for Gmail for another purpose – social networking – without obtaining consumers’ permission in advance. Finally, the FTC alleged that Google misrepresented that it was treating personal information from the European Union in accordance with the U.S.-EU Safe Harbor framework because it failed to give consumers notice and choice before using their information for a different purpose from that for which it was collected.
The proposed settlement requires Google to obtain consumers’ consent before sharing their information with third parties if Google modifies its sharing practices as a result of changes to Google’s products or services. Google also must establish and maintain a comprehensive privacy program that is reasonably designed to: (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of covered information. Google is required to obtain initial and biennial assessments for 20 years from an independent auditor to ensure that it is following the required comprehensive privacy program.
The proposed settlement with Google marks the first time that the FTC will require a company to implement a comprehensive privacy program (as opposed to a comprehensive security program), with biennial audits for 20 years, and it contains the FTC’s first substantive privacy allegations regarding failure to comply with the U.S.-EU Safe Harbor Program. Previous Safe Harbor-related enforcement actions focused on organizations that falsely claimed membership in the program even after their certifications had lapsed.