In Unprecedented Move, FTC Will Make Google Get Users’ OK To Share Data

When Google (NSDQ: GOOG) launched Buzz last year, users were given two options: “Sweet! Check out Buzz” or “Nah, go to my Inbox.” The problem is, you became part of Buzz no matter which one users clicked on. Some folks understandably freaked out, since the program revealed to others which contacts people had emailed and chatted with the most. But Google’s Buzz program wasn’t just an annoying failure as a product-it violated the law, according to the Federal Trade Commission.
Now the FTC has reached a settlement with Google, forcing the search giant to meet a privacy rule that no other internet company is currently subject to-it must ask users to “opt-in” before sharing their information.
This is the first legal action in which the FTC has required a company to make significant alterations to its privacy policy, and it’s suggestive of what the FTC would like to see going forward.
The problem with Buzz. Google had promised in its written privacy policy to only use only use information collected in Gmail to provide e-mail service. “Instead, Google used this information to populate its new social network,” the FTC writes in its complaint [PDF].
The FTC said today that resulted in thousands of consumer complaints to Google. The fact that Gmail users had contacted ex-spouses, patients, students, employers, or competitors was revealed to the world. Google did quickly make changes to adjust some of the worst aspects of Buzz, but it refused to separate it from Gmail, as many critics demanded.
What Google has to do now. The most significant change is that it will have to “obtain express affirmative consent” from users before sharing with any third parties. That means sticking information in front of user’s face telling him or her what information will be shared, who it will go to, and what the purpose of the sharing is. The order says this disclosure has to be done in addition to any written privacy policy, end user license agreement, or “terms of use” page. That’s a significant departure from the industry norm.
And, Google will be subject to an independent privacy audit every two years for the next 20 years.
In a statement today on its official blog, Google apologized again for Buzz but downplayed the FTC action, simply saying the agency “wanted more detail about what went wrong,” which the company provided. The statement also suggests Google’s current information-sharing practices will be “grandfathered” in. “We’ll ask users to give us affirmative consent before we change how we share their personal information,” writes Google’s privacy director (emphasis mine).
What happens next. There will be a 30-day comment period before the consent agreement goes into effect. We can expect comment from both advocacy groups and Google’s competitors. After the comment period is over, Google may have to start offering users some new opt-ins with regards to their private information. The wording of the consent order, like Google’s statement, suggests that the company won’t need to ask permission for some current practices, because it refers to the opt-in being required only for “new or additional” information sharing. The covered information includes IP addresses, email addresses, and online identifiers like screen names used in Google services.
One big question is whether Google’s competitors will ultimately be subject to similar rules. If Google alone labors under “opt-in” rules, it will be at a significant disadvantage in the marketplace-especially against a competitor like Facebook, which often shares information about users by default.
What this says about the FTC’s privacy enforcement strategy. The agreement suggests what kind of privacy practices the FTC would like to see from internet companies. Simple disclosures, separate from privacy policies, that say 1) what information is being shared, 2) who it’s going to, and 3) why the sharing is happening. It isn’t good enough to bury it in a privacy policy that most users never see, and the question needs to be asked when the information is being shared.
Right now, the FTC still doesn’t have the legal authority to go around demanding these tighter privacy policies, however. The Chitika and Google cases show that the agency’s strategy, for now, is going to be taking action against companies that are violating their own written policies. In the agency’s view, that constitutes deceptive behavior and violates the FTC Act. However, that strategy has limits. Chris Soghoian, a privacy researcher at Indiana University who has done work for the FTC (but not on this case involving Google), says that he expects companies will now take a close look at their privacy policies to make sure they aren’t deceptive. But that might not be to consumers’ benefit.
“The FTC is clearly breaking new ground in a positive direction, but they still have very limited enforcement power because they have to tie their actions to ‘deception’ or ‘unfairness,'” says Soghoian. “Deception is going to prove to be limiting in the years to come,” because companies will alter their privacy policies to just be more wishy-washy. “They’ll err on the side of not disclosing anything-that’s how you’ll avoid the FTC in the future.”
»  FTC Press Release
»  Google Statement
»  FTC v. Google Complaint [PDF]
»  FTC v. Google Proposed Settlement [PDF]
See where Google ranks on our latest list, The paidContent 50: The Most Successful Digital Media Companies In The U.S.