Google has consented to the entry of a proposed Agreement Containing Consent Order with the US Federal Trade Commission, subjecting the company to sweeping government oversight of its privacy disclosure and product development and release practices, nominally arising out of the roll-out of its Buzz product in February 2010. The auditing and reporting requirements are staggering in scope, breadth and duration, reaching Google’s entire business, not merely online communication products such as Gmail. One interpretation of the (rather amazing) document is that the FTC is attempting to demonstrate to an EU audience skeptical of the utility or reliability of the US–EU Safe Harbor structure that the agency has both the legal tools and will to live up to the promises stated in the Safe Harbor documents.
The proposed Agreement (which is now subject to notice and comment) is notable not only for the astonishing sweep and breadth of government oversight it imposes on the world’s largest online business, but also for the clues to the current Commission’s expectations for consumer disclosures, privacy practice management, and EU Safe Harbor requirements. In its sweep and definitions (defining covered information to include location and IP address, for example), the agreement reads in some ways as the CNIL’s “Google Street View order”, with an eye toward EU scrutiny of Google’s (reportedly inadvertent) collection of wireless transmissions from European residents while building out that service.
As Jessica Rich, deputy director of the FTC’s Bureau of Consumer Protection, stated on a press call on Wednesday,
this order technically applies only to Google. However, we think many of the provisions in this order are good business practices we’d expect to see widely followed across the industry.
The Electronic Privacy Information Center (EPIC) filed a complaint and an amended complaint soon after Google launched Buzz. EPIC complained the options to decline or leave the Buzz social network were ineffective, and that controls for limiting sharing of users’ content (including notably a user’s personal list of contacts) were confusing and difficult to locate. EPIC further contended that Google violated its own privacy policies by using info provided for Gmail for another purpose without users’ permission. When Buzz was introduced the Personal Information section of the Gmail Privacy Notice promised users the company would only use contact lists “in order to provide the service to you.” Buzz compiled a social networking list based upon frequent email and chat contacts to third parties (i.e., people on the list) was deemed a material change to “the service,” requiring specific notice and opt-in. The changes were further alleged to violate the substantive privacy requirements of the US-EU Safe Harbor Framework.
The agency agreed that these practices violated the FTC Act and did not adhere to the US Safe Harbor Privacy Principles of Notice and Choice, which Google had pledged to follow in its Safe Harbor registration. In particular, the agency complained that Google did not give Gmail users notice before using the information collected for Gmail for a purpose other than that for which it was originally collected. Google also did not give Gmail users choice about using their information for a purpose that was incompatible with the purpose for which it was originally collected.The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years.
“Privacy by design,” for Google, will be more than a buzz word from the FTC’s report on online behavioral advertising, if the agreement is adopted as proposed. It may also alter the direction and momentum of conversations on Capitol Hill about privacy legislation. Sen. John Kerry (D-Mass.), for example, issued a statement Wednesday praising the Buzz settlement, but adding, “Everyone will be better off with clear rules of the road rooted in a specific law.” Republicans, on the other hand, may use the fact of the agreement to shore up arguments that the agency has sufficient legal authority under existing laws to police privacy practices on the internet, without adding a specific regulatory burden.
Key elements and take-aways for online businesses, which track past guidance, but place an exclamation point at the end of those guiding statements:
- Important changes (such as sharing contact lists, here) require opt-in consent, not merely notice on the home page (the common practice, where notice is even provided).
- In the online world, “Personal information” is a very broad concept, here, including location information, and IP Address “or other persistent identifier.” Narrow definitions are suited to data breach notification laws, perhaps, but the FTC is singling that personal information has a looser, more situationally-defined definition when it comes to online notice and choice.
- Privacy by design is more than a buzz word; the FTC expects it to be an operational reality, though one scaled to size and nature of the affected business. The terms of the proposed agreement impose a fairly standard management approach to comprehensive privacy controls (similar in concept to HIPAA or FTC standard terms imposed upon companies who experienced information security gaps leading to data breaches):
- Designate a person responsible for a comprehensive privacy program
- Identify and document risks for unauthorized collection, use or disclosure of “Covered Information” early in the product development process, focusing on employee management and training, and product design, development and research
- Design and monitor reasonable privacy controls
- Include HIPAA business associate-type (or EU SCC compliant) controls on service providers who receive Covered Information
- Update and modify the privacy program regularly