Google Buzz Settlement Includes Two Privacy Settlement “Firsts” for the FTC
Google has agreed to settle Federal Trade Commission (“FTC”) claims alleging that the 2010 launch of Google Buzz, a social networking feature linking Gmail users with other people on Google’s network, involved deceptive tactics and violated Google’s privacy policy. The proposed settlement includes two firsts for the FTC:
- First FTC settlement that requires a company to implement a comprehensive privacy program
- First FTC settlement involving alleged violations of the U.S.-EU Safe Harbor Framework privacy requirements
The FTC Complaint
In its administrative complaint, the FTC alleged that: (1) some Gmail users who declined to enroll in Google Buzz were enrolled anyway; (2) Gmail users that enrolled in Google Buzz were not adequately informed that the people they email most frequently would be publicly disclosed through the “following/followers” function; and (3) the identities of Gmail users that later “turned off” Google Buzz were not removed from the social network. Google’s privacy policy stated that information would never be used “in a manner different than the purpose for which it was collected” without the user’s prior consent; however, the FTC alleged that use of information provided to Gmail was used for another purpose, the Google Buzz social networking feature, without the users’ consent.
Also, the FTC alleged that the practices were deceptive as they did not adequately disclose that certain private information identifying who the Gmail user emailed most frequently would be made public, and that certain user privacy settings in Gmail were not carried over to the privacy settings in Google Buzz. Further, the FTC alleged that these practices violated the US Safe Harbor Privacy Principles of Notice and Choice, as Gmail users were not given adequate notice that information collected in Gmail would be used for a new purpose, and were not given adequate choice about whether they agreed to such new use.
Terms of the Proposed Settlement
The proposed settlement, which is subject to public comment through May 2, 2011, imposes robust requirements on Google, including the following:
- Before sharing user information with a third party in a manner different from Google’s practices in effect when the information was collected, and which results from a change, addition, or enhancement to its products or services, Google must:
- Disclose (1) the information that will be shared, (2) the identity or categories of the third parties that will receive the information, and (3) the purpose for sharing the information. Notably, this disclosure must be separate from any “end user license agreement,” “privacy policy,” or “terms of use;” and
- Obtain express affirmative consent to the sharing from the user.
- Google must develop, implement and maintain a written comprehensive privacy program including designated employees responsible for the program, identification of reasonably foreseeable risks and safeguards used to mitigate risks; and establishing steps to select and retain service providers.
- Google must hire a third party privacy and data security professional to conduct assessments of Google’s practices every two years for the next twenty years.
Google had previously faced scrutiny from international data protection authorities that noted disappointment and concern regarding Google’s privacy practices related to Google Buzz. Additionally, in October 2010, Google settled class action claims that Google Buzz violated Federal and California privacy, computer, and consumer protection laws based on the automatic creation of “follower/follow” lists. The claims were settled for $8.5 million.
What this Means for Business
This FTC action should serve as a reminder that when developing new products, businesses should evaluate whether their privacy practices are and will remain consistent with promises made in their policies and whether they provide adequate disclosures, offer clear choices and obtain meaningful consent from customers when these practices may change. With this important settlement, the FTC has signaled that it intends to raise the bar with respect to future privacy-related enforcement activity regarding the handling of consumers’ personal information.
This post was written by the Kelley Drye & Warren LLP Privacy and Information Security Practice Group.