Thursday, March 31, 2011

Google Settles FTC Privacy Charges Over Social Networking Service

This posting was written by Cheryl Beise, Editor of CCH Guide to Computer Law.

Google, Inc. has agreed to settle Federal Trade Commission charges that it violated Gmail users’ privacy and acted deceptively when it introduced its social networking service Google Buzz last year. Google Buzz allows Gmail users to share status updates, comments, photos, and videos.

This is the first time the FTC has required a company to implement a comprehensive privacy program, the agency said in a March 30 news release.

Privacy advocates expressed concern about Buzz from the day it was launched. The FTC initiated its investigation in response to a complaint by the Electronic Privacy Information Center (EPIC) one week after Buzz made its debut. Google tweaked Buzz in response to criticism, but its practices failed to alleviate the agency’s concerns.

In its complaint against Google, the FTC delineated several deceptive or misleading practices it considered to be violations of Section 5(a) of the FTC Act.

The FTC alleged that Google’s Gmail Privacy Policy falsely represented that (1) Google would use Gmail users’ messages, contacts, and other account data only for providing Gmail services, and (2) Google would ask for users’ consent before using their personal information for a purpose other than that for which it was collected.

In fact, Google used Gmail users’ information to populate Buzz without seeking users’ prior consent, according to the complaint.

The agency also contended that Google acted deceptively when it launched Buzz by (1) failing to disclose to Gmail users that Buzz’s default settings would publicly share certain previously private information, such as frequent email contacts, and (2) misrepresenting Gmail users’ ability to opt out of Buzz services.

User controls for limiting the sharing of personal information were “confusing and difficult to find,” the FTC said.

According to the FTC, Google’s Privacy Policy also falsely represented that Google complied with the US-EU Safe Harbor Framework. Google’s sharing of user information without obtaining consent allegedly violated the U.S. Safe Harbor Privacy Principles of Notice and Choice.

Under the proposed agreement and consent order, Google would be required, among other things, to:

• Comply with its stated information sharing practices;

• Not misrepresent the privacy and confidentiality of “covered information.” Covered information is defined to include first and last name, street address, physical address, location, telephone number, email address or other online contact information, such as user ids or screen names, lists of contacts, and persistent identifiers, such as static IP addresses;

• Establish and maintain a comprehensive privacy program designed to protect the privacy and confidentiality of covered information;

• Assess privacy risks associated with existing products and services and when developing new ones;

• Establish privacy controls and procedures; and

• Permit an independent privacy audit every other year for 20 years.

In a March 30 blog post (“An Update on Buzz”), Google apologized “for the mistakes we made with Buzz.”

Acknowledging that the launch of Google Buzz “fell short of our usual standards for transparency and user control—letting our users and Google down,” Google reassured users that “we are 100 percent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward.”

Further information about In the Matter of Google, Inc., File No. 102 3136, is available here on the FTC’s website.

A description of the agreement and consent order will be published soon in the Federal Register. Interested parties may submit written comments electronically or in paper form through May 2, 2011. Comments in electronic form should be submitted here.
