FTC Announces Proposed Google Buzz Settlement: First Time FTC Requires Comprehensive Privacy Program

The Federal Trade Commission (“FTC”) today announced a proposed settlement with Google relating to charges that Google used deceptive practices and violated its own privacy policies when Google launched its social network "Google Buzz". The vote of the Commission to accept the settlement was 5-0.
For the first time ever, the FTC is requiring a "Comprehensive Privacy Program" and affirmative consent to any new or additional uses of previously collected data.
In February 2010, Google rolled out Google Buzz, which was a social networking program integrated with many of Google’s services, including Gmail. In its complaint against Google, the FTC alleged that Google violated both Section 5 of the FTC Act and the substantive privacy requirements of the U.S.-EU Safe Harbor Framework. The proposed consent order would impose significant requirements on Google privacy practices for the next twenty years, including a requirement that Google implement a comprehensive privacy program and undergo regular, independent privacy audits.
Section 5 Violations
In its complaint, the FTC alleges that Google users were not given adequate notice that information that was previously private would be shared publicly through Buzz. The choices presented to users were “Sweet! Check out Buzz” or “Nah, go to my Inbox.”
According to the FTC, the Google process did not give users a full picture of the information sharing that was done through Google Buzz, which included the public display of lists of people a user chatted or emailed with most often. This automatic generation of lists of “followers” led to the generation of lists for certain users that included: “individuals against whom [a user] had obtained [a] restraining [order]; abusive ex-husbands; clients of mental health professionals; clients of attorneys; children; and recruiters [the user] had emailed regarding job leads.”
The FTC also noted that even if a user clicked “Nah, go to my inbox,” he might still be enrolled in certain Buzz features. The FTC also alleges that privacy controls for Google Buzz were complicated and difficult to locate, making it hard for users to control privacy settings or to turn off the Buzz service. According to the FTC, these representations gave some users a mistaken belief that they had opted out of or exercised control over Buzz functionality. This failure adequately to disclose exactly how Buzz worked and what a user must do not to have his data shared amounted to a deceptive act or practice in the eyes of the FTC.
The FTC based its Section 5 allegations of deceptive acts or practices on the fact that Google’s actions when it launched Buzz violated terms in its own privacy policies. At the time Buzz was launched, Google’s Gmail privacy policy made the following representation:

"Gmail stores, processes and maintains your messages, contact lists and other data related to your account in order to provide the service to you."

In addition, the following representation was included in Google’s privacy policy that applies to all of Google’s products:

"When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use."

The FTC alleges that Google did not use information received from users who signed up for Gmail only for the purpose of providing the user with Gmail service, but rather Google used this information to populate Google Buzz. Additionally, the FTC alleges that Google did not seek user consent before using information provided by Gmail users for Google Buzz.
U.S.-EU Safe Harbor Framework Violations
Since 2005, Google has maintained self-certification with the Department of Commerce under the U.S.-EU Safe Harbor Framework (“Safe Harbor”). The Safe Harbor is a voluntary framework that allows a U.S. company to transfer E.U. data lawfully to the U.S. in compliance with the E.U. Data Directive’s adequacy standard, which requires EU Member States to have laws that prohibit transfers of data to countries outside of the EU unless the European Commission has made a determination that a country’s laws ensure adequate data protection. In order to join the Safe Harbor, Google certified that it complied with seven principles that have been deemed to meet the EU’s adequacy standard.
The FTC alleges that Google’s actions when launching Buzz did not adhere to certain Safe Harbor principles, including the notice and choice principles. The notice principle requires a company to inform individuals about the purposes for which it collects and uses personal information. The choice principle requires that a company must allow individuals to exercise certain choices about the way their data is used. The FTC claims that Google did not give Gmail users notice or choice about data that was collected by Gmail and subsequently used for Google Buzz. Notably, this is the first time the FTC has alleged violations of the privacy requirement imposed by self-certification to the U.S.-EU Safe Harbor Framework.
Terms of Proposed Settlement
The FTC released a consent order, which outlines the terms of the settlement between the FTC and Google. The proposed settlement bars Google from making any misrepresentations relating to: (i) Google’s collection and use of user data; (ii) the extent to which Google users can exercise control over the collection, use, or disclosure of data; and (iii) the extent to which Google is in compliance with the U.S.-EU Safe Harbor Framework or other government-sponsored compliance programs.
The proposed consent order also requires Google to clearly and prominently disclose any “new or additional” data sharing with third parties of personal information that Google has previously collected across all of Google’s products and services.
This disclosure is not limited to just “material” new or additional data sharing and must include the identity of the third parties and the purpose for Google’s sharing the data. Google must also obtain affirmative consent from Google users before sharing this information.
Google is also required to establish and maintain a comprehensive privacy program. This is the first time the FTC has required a company to implement a comprehensive privacy program. This privacy program must be documented in writing and be reasonably designed to address privacy risks and protect the privacy and confidentiality of user data. According to the FTC’s analysis of the consent order, the order requires Google to:

• designate an employee or employees to coordinate and be responsible for the privacy program;
• identify reasonably-foreseeable, material risks, both internal and external, that could result in the unauthorized collection, use, or disclosure of covered information and assess the sufficiency of any safeguards in place to control these risks;
• design and implement reasonable privacy controls and procedures to control the risks identified through the privacy risk assessment and regularly test or monitor the effectiveness of the safeguards’ key controls and procedures;
• develop and use reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from respondent, and require service providers by contract to implement and maintain appropriate privacy protections; and
• evaluate and adjust its privacy program in light of the results of the testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on the effectiveness of its privacy program.

Within 180 days, and every two years thereafter for the next twenty years, Google must obtain a privacy assessment and report from a “qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession.” Further, Google will be subject to certain compliance and reporting requirements, allowing the FTC to inspect copies of various documents for various time periods, including:

• “widely disseminated [privacy] statements” for three years;
• consumer complaints alleging unauthorized collection, use, or disclosure of personal information for six years;
• documents that “contradict, qualify, or call into question Google’s compliance with the consent order” for five years; and
• materials relied on to prepare the privacy assessment discussed above for three years.

The consent order would apply for twenty years, subject to extension if Google is found to be in violation of the order.
Consenting Opinion of Commissioner J. Thomas Rosch
Commissioner Rosch accepted the proposed consent agreement, however he wrote a separate concurring statement to indicate that he has concerns about the provision that requires Google to notify and obtain affirmative consent before any new or additional uses of previously collected data. Commissioner Rosch points out that Google’s privacy policy did not indicate that it would obtain opt-in consent from consumers. He fears that this requirement goes beyond what Google has promised consumers in its privacy policy and that this requirement may be contrary to public interest. He explains:

"In short, on the face of it, Part II seems to be contrary to Google’s self-interest. I therefore ask myself if Google willingly agreed to it, and if so, why it did so. Surely it did not do so simply to save itself litigation expense. But did it do so because it was being challenged by other government agencies and it wanted to “get the Commission off its back”? Or did it do so in hopes that Part II would be used as leverage in future government challenges to the practices of its competitors? In my judgment, neither of the latter explanations is consistent with the public interest."

Google Response to Proposed Settlement
Alma Whitten, Google’s Director of Privacy, Product & Engineering, released a statement on the Official Google Blog. Whitten wrote:

"[W]e don’t always get everything right. The launch of Google Buzz fell short of our usual standards for transparency and user control—letting our users and Google down. While we worked quickly to make improvements, regulators—including the U.S. Federal Trade Commission—unsurprisingly wanted more detail about what went wrong and how we could prevent it from happening again. Today, we’ve reached an agreement with the FTC to address their concerns. We’ll receive an independent review of our privacy procedures once every two years, and we’ll ask users to give us affirmative consent before we change how we share their personal information.

We’d like to apologize again for the mistakes we made with Buzz. While today’s announcement thankfully put this incident behind us, we are 100 percent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward."

Comments on Consent Order
A description of the consent agreement will be published by FTC in the Federal Register. The agreement is open for public comment for thirty days – through May 1, 2011. After the comment period, the FTC will decide whether to make the proposed order final.