Following a six-month public comment period, Google’s settlement with the Federal Trade Commission over Google Buzz was approved in late October. In the settlement order, the FTC agreed with complainant, the Electronic Privacy Information Center (EPIC), that Google used deceptive tactics and violated its own privacy promises to consumers through their recently launched social network, Google Buzz. The terms of the settlement require Google to implement a more comprehensive and transparent privacy program, bars Google from any future privacy misrepresentations, and requires the company to submit to regular privacy audits for the next twenty years.
The basis of the allegations in the FTC complaint were that while Google led Gmail users to believe that joining the network was optional, the preferences for declining or leaving the social network were ineffective. Furthermore, for those users who joined the network, their ability to limit the sharing of personal information was confusing and difficult to navigate. For example, on the day of Buzz’s launch, Gmail users could click to “check out Buzz,” and those who did were not warned that upon clicking “check out Buzz” the identity of individuals they emailed most frequently would automatically be made public.
Based on these, and other privacy violations, Google settled with the FTC. The settlement was announced on March 30, 2011, with a public comment period to follow. On October 14, 2011, Google announced that Google Buzz would be shut down together with the Buzz API in order to focus on Google+ instead. The final settlement agreement was approved unanimously by the FTC and released to the general public on October 24, 2011. (But, read the Concurring Statement of Commissioner J. Thomas Rosch in the original vote for settlement pending public comment and final approval, where Commissioner Rosch voices hesitation as to whether this settlement is in the public interest, here.)
Google’s FTC settlement is unique in two respects. First, no other FTC settlement order has required a company to implement a “comprehensive privacy program” in order to protect consumers. It is yet to be determined exactly what this program wi look like. Second, this is the first time the U.S.-EU Safe Harbor Framework (a method for U.S. companies to transport data privately and lawfully between the EU and the United States) has been invoked to allege violations of substantive privacy requirements. The FTC claimed that Google failed to adhere to the Safe Harbor principles when it failed to give consumers notice and choice before using their information for a purpose other than the one for which it was actually collected. These aspects of the settlement order may well be consequential for other similarly-situated companies who violate federal consumer privacy protections.
For more information: In the Matter of Google Inc., a corporation, FTC File No. 102-3136.