Google Buzz Settlement Requires Bi-Annual Privacy Audits

Google was in the news several times this week.  That in itself is not terribly surprising for the Internet search giant.  One story that was of particular interest to privacy advocates was when the Federal Trade Commission announced that it had reached a settlement with the Mountain View, California company over violations of its privacy policy.  The deal with Google resulted from Google’s bungled foray into social media known as Google Buzz.  Debuting to mixed reviews more than a year ago (Feb. 2010), Buzz combines aspects of Google’s Gmail service with a social network-style platform for sharing information with friends.  Buzz landed Google in hot water when users complained that Buzz added people to a network of contacts and then shared sensitive information, such as a person’s most-emailed contacts and other kinds of data by default.  The volume of information that suddenly became public stunned privacy watchdogs and prompted a complaint to the FTC.

So, why did the Federal Trade Commission get involved?  Unlike financial or medical information, there’s no specific law against setting up a social networking service or disclosing names of people you know to the general public.  It turns out, however, that Buzz’s disclosure of contact lists was in conflict with Google’s stated privacy policy at the time.  Believe it or not, those policies are very important contracts protecting consumers, even if those consumers never bother to read them.  I’ve rarely given them a second thought  because I’m always getting new ones at random times of the year–either as a pamphlet in the mail with microscopic text or emails with links to follow when all you want to do is clean out your inbox and watch Fringe on Hulu.  It always just seemed like a waste of time because there’s very that little you, personally, can do if the company violates that policy.  There are hundreds of examples of other companies getting slapped with fines and penalties for violating their privacy policies, but this settlement goes a long way to reassuring customers (and warning other businesses) that they are actually documents that can be relied upon, even against major Internet companies like Google.

It turns out that privacy policies are kind of a big deal.  Everything centers around reasonable expectations of privacy.  Companies don’t have to issue privacy policies, but it’s so frequently demanded by consumers that they have become a de facto business procedure.  The Federal Trade Commission gets involved when companies create an expectation of privacy by issuing a privacy policy, but then do something that violates that policy.  While this would ordinarily be an issue to be resolved by individual or possibly class action law suit for breach of contract, privacy polices are special.  The FTC is in charge of enforcing the Federal Trade Commission Act, a combination of laws aimed at protecting consumers and creating a level playing field for commerce. Section 5 of the FTC Act is concerned with false and deceptive trade practices and empowers the FTC to create rules and enforce them.  The law is mostly concerned with false or misleading advertising.  You probably know it best for being law responsible for all the unreadable text and Micro Machines Man-styled legalese at the end of car commercials.  With the rise of companies doing business online, the regulators at the FTC have adapted to deal with these ubiquitous online standard form contracts.  They are particularly helpful in addressing the above concerns because they have the power and resources of the U.S. government to go after companies that engage in false or misleading advertising or other practices that individual consumers most often lack.

This brings us back to the Google Buzz settlement.  Google had a privacy agreement in place with its Gmail customers stating that it would only use information it had collected for those email accounts for certain purposes, none of which included joining a social network.  Yet when it launched Buzz, according to the FTC report, Google led Gmail users to believe that they could choose whether or not they wanted to join the social network, even though the options for declining or leaving the social network were ineffective. For users who joined the Buzz network, the controls for limiting the sharing of their personal information were confusing and difficult to find, the agency alleged.  The report goes on to detail how privacy controls and details about what would be shared were misleading, deceptive or just plain sloppy.

“When companies make privacy pledges, they need to honor them,” said Jon Leibowitz, Chairman of the FTC. “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.”

The settlement requires Google to obtain users’ consent before sharing their information with third parties if the company changes its products or services in a way that results in information sharing that is contrary to any privacy promises made when the user’s information was collected. The settlement further requires Google to establish and maintain a comprehensive privacy program, and it requires that for the next 20 years, the company have audits conducted by independent third parties every two years to assess its privacy and data protection practices.  Considering how many different aspects of the Internet Google is involved with, having the government looking over it’s shoulder for the next two decades should have a major impact on future developments in the privacy arena.  Not only will Google have to be more careful about the services it launches, but other companies will no doubt be wary that the FTC will come knocking on its doors.  This is a big win for privacy, but it’s a fight that has only just begun.

 

About these ads

About Justin Kwong

An attorney in the Twin Cities and adjunct professor at William Mitchell College of Law where I teach a seminar on the law of virtual worlds.
This entry was posted in Legal Developments, Privacy, Regulation and Rule-making and tagged , , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s