- First FTC settlement that requires a company to implement a comprehensive privacy program
- First FTC settlement involving alleged violations of the U.S.-EU Safe Harbor Framework privacy requirements
The FTC Complaint
Also, the FTC alleged that the practices were deceptive as they did not adequately disclose that certain private information identifying who the Gmail user emailed most frequently would be made public, and that certain user privacy settings in Gmail were not carried over to the privacy settings in Google Buzz. Further, the FTC alleged that these practices violated the US Safe Harbor Privacy Principles of Notice and Choice, as Gmail users were not given adequate notice that information collected in Gmail would be used for a new purpose, and were not given adequate choice about whether they agreed to such new use.
Terms of the Proposed Settlement
The proposed settlement, which is subject to public comment through May 2, 2011, imposes robust requirements on Google, including the following:
- Before sharing user information with a third party in a manner different from Google’s practices in effect when the information was collected, and which results from a change, addition, or enhancement to its products or services, Google must:
  - Obtain express affirmative consent to the sharing from the user.
- Google must develop, implement and maintain a written comprehensive privacy program, including designating employees responsible for the program, identifying reasonably foreseeable risks and the safeguards used to mitigate those risks, and establishing steps to select and retain service providers.
- Google must hire a third-party privacy and data security professional to conduct assessments of Google’s practices every two years for the next twenty years.
Google had previously faced scrutiny from international data protection authorities that noted disappointment and concern regarding Google’s privacy practices related to Google Buzz. Additionally, in October 2010, Google settled class action claims that Google Buzz violated Federal and California privacy, computer, and consumer protection laws based on the automatic creation of “follower/follow” lists. The claims were settled for $8.5 million.
What this Means for Business
This FTC action should serve as a reminder that when developing new products, businesses should evaluate whether their privacy practices are and will remain consistent with promises made in their policies and whether they provide adequate disclosures, offer clear choices and obtain meaningful consent from customers when these practices may change. With this important settlement, the FTC has signaled that it intends to raise the bar with respect to future privacy-related enforcement activity regarding the handling of consumers’ personal information.
This post was written by the Kelley Drye & Warren LLP Privacy and Information Security Practice Group.