The Federal Trade Commission today announced the terms of a proposed settlement with Google over charges the company used "deceptive tactics and violated its own privacy promises to consumers" during last year's launch of "Buzz," a social networking service. The settlement will establish a set of new norms for how companies can use consumers' personal information.
The consent decree states in no uncertain terms that before Google introduces new services that publicly disclose a user’s information, it must first obtain express opt-in consent from that user. When Buzz launched, CDT called the service “a textbook example of how to violate the principles of Privacy by Design.” For this reason, CDT is glad to see that the consent decree requires that Google develop and implement “a comprehensive privacy program” that will put into practice the principles of Privacy by Design and will be subject to a biennial independent audit. This requirement sets a clear expectation that all online service providers adopt similar accountable privacy practices.
Although the terms of the order specifically apply to Google, the Commission today also put the industry on notice about what it expects going forward from companies that handle online consumer information. "The best practices set forth in the order should serve as a guide to industry," wrote Katie Ratte, the FTC's Privacy and Identity Protection Division lead attorney, during a Twitter Q&A session the agency held for the public.
"The terms of this agreement will have a far-reaching effect on how industry develops and implements new technologies and services that make personal information public," said CDT President Leslie Harris. The settlement creates a "new norm" for any company that wants to launch a service that has the potential to make consumers' information public: companies not only have to keep the promises they make to users, they must give users a real choice before they make previously private personal information public.
Both the opt-in and Privacy by Design requirements apply to information the FTC refers to as “covered information,” a category that the Commission has defined to include not only traditional identifiers such as name and address, but also email addresses, screen names, physical location, and lists of contacts. The FTC has established, in no uncertain terms, that users maintain a privacy interest in a wide range of personal information and that companies cannot abuse their access to that information.
Finally, the consent decree faults Google for failing to live up to its obligations under the US-EU Safe Harbor privacy framework. As a US-based company that stores EU citizens’ data in the US and participates in the framework, Google is required to self-assert that it complies with a particular set of privacy principles. The consent decree states that Google made a false assertion of compliance, a strong admonition to all US-based companies that they should not take their obligations under the framework lightly.
The terms of the consent decree are a real game changer: the FTC is reminding all online service providers that privacy is not a feature they can afford to kick to the curb, and that if they do, they face the scrutiny of an agency willing to use its enforcement power.