Google, Inc agreed to a proposed consent order over charges that it used deceptive tactics and violated its privacy promises to consumers when it launched its social network, Google Buzz. The Agency alleged in its Complaint that Google's information practices violated Section 5 of the FTC Act.

As background, in February 2010, Google launched Buzz, a social networking service within Gmail, its web-based email product. Google used the information of Gmail users, including first and last name and email contacts, to populate the social network. Gmail users were, in many instances, automatically set up with “followers” (people that followed the user or people that the user followed). According to the FTC's Complaint, even if a user did not enroll in Buzz, the user's information was shared in a number of ways (e.g., a user who did not enroll in Buzz could still be followed by other Gmail users who enrolled in Buzz). The FTC also alleges that the setup process for Gmail users who enrolled in Buzz did not adequately communicate that certain previously private information would be shared publicly by default. Further, the FTC alleges that certain personal information of Gmail users was shared without consumers' permission through Buzz (e.g., some information was searchable on the Internet and could be indexed by Internet search engines).

Part I of the proposed consent order prohibits Google from misrepresenting the privacy and confidentiality of any “covered information,” as well as the company’s compliance with its other any privacy and security program, including the U.S.-EU Safe Harbor Framework. The term "covered information" is defined very broadly to include an individual's first and last name, physical address, email address, screen name, persistent identifier (e.g., IP address), list of contacts, and physical location. The FTC noted in its press release [http://www.ftc.gov/opa/2011/03/google.shtm] that this is the first time it has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework.

Part II of the proposed consent order requires Google to give its users a "clear and prominent" notice and choice. Under the terms of the proposed consent order, Google must obtain express affirmative consent before sharing any user's covered information with a third party in connection with: (1) a change, addition or enhancement to any product or service, (2) where such sharing is contrary to stated sharing practices in effect at the time the information was collected. The proposed opt-in disclosure must appear separately from any end user license agreement, privacy policy, website terms of use or similar document and prominently disclose: (1) that the Google user’s information will be disclosed to one or more third parties, (2) the identity or specific categories of such third parties, and (3) the purpose(s) for Google’s sharing of the information.

Part III of the proposed order requires Google to establish and maintain a comprehensive privacy program that is reasonably designed to address privacy risks related to the development and management of new and existing products and services. The program must be documented in writing and must contain privacy controls appropriate to Google’s size and complexity, the nature and scope of its activities, and the sensitivity of covered information. Part IV through IX of the proposed order contain reporting and compliance provisions, including obtaining ongoing biennial assessments from a qualified third-party professional about Google's privacy practices, requiring that Google retain consumer complaints for a period of six months, and mandating that Google submit an initial compliance report to the FTC and make available to the FTC subsequent reports. If finalized, the proposed consent order would remain in effect (with ongoing compliance requirements) for twenty years.

Commissioner Rosch, in a concurring statement, expressed "substantial reservations" about Part II. He said that Google never intended in its original Privacy Policy that the consent it would seek would was "opt-in" (as opposed to "opt-out"), and that such a requirement was "brand new". Also, Commissioner Rosch made note of the fact that the proposed consent order seems to apply to "any" new or additional sharing of previously collected personal information, not just any "material" new or additional sharing of information.

The proposed consent order will be placed on the public record for thirty days until May 2, 2011 for public comment. After thirty days, the Commission will consider comments and decide whether to make the proposed consent order final. Bottom line, this case should serve as a reminder that companies must align their business practices with the promises contained in their Privacy Policies.