Google submits to privacy audits in Buzz settlement
Agreement marks first time FTC requires a privacy program
- By Kathleen Hickey
- Apr 01, 2011
Internet giant Google has agreed to 20 years of independent privacy audits under a settlement with the Federal Trade Commission for violating consumer privacy with its Buzz social network.
The agency charged Google with using deceptive tactics and violating its own privacy rules with Buzz, which launched last year. The settlement is the first time the FTC has required a company to implement a comprehensive privacy program and the first time the agency has charged a company with violations of the U.S. – European Union Safe Harbor Framework, according to a statement from the agency.
The U.S.-EU Safe Harbor Framework provides a method for U.S. companies to transfer personal data lawfully from the EU to the United States. Google was also charged under the FTC Act.
“The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years,” the release stated.
Google issued an apology to users in a blog on the subject the same day.
“We don’t always get everything right. The launch of Google Buzz fell short of our usual standards for transparency and user control — letting our users and Google down,” wrote Alma Whitten, Google's director of privacy, product and engineering. “We’d like to apologize again for the mistakes we made with Buzz. While today’s announcement thankfully put this incident behind us, we are 100 percent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward.”
Google launched its Buzz product through its Web-based e-mail product, Gmail, in February 2010. The company immediately received thousands of complaints from consumers who were concerned about public disclosure of their e-mail contacts, which included, in some cases, former spouses, patients, students, employers, or competitors.
In its complaint, the FTC alleged that Google’s opt-out option of Buzz was ineffective and the controls for limiting the sharing of personal information were confusing and difficult to find. Users were also “not adequately informed that the identity of individuals they e-mailed most frequently would be made public by default. Google also offered a ‘Turn Off Buzz’ option that did not fully remove the user from the social network,” according to the release.
Google’s privacy statement states that the company will ask users’ permission prior to using personal information “in a manner different than the purpose for which it was collected." The FTC charged that the company violated its own privacy policies by using information provided for Gmail for another purpose -- social networking -- without obtaining consumers’ permission in advance. As a result, the FTC also charged Google with failing to comply with the voluntary Safe Harbor principles because it did not follow its own privacy policies.
Shortly after Buzz was launched, the Electronic Privacy Information Center filed a complaint with the FTC regarding privacy concerns, stating that the service was deceptive and broke consumer privacy protection law.
This week, EPIC objected to a class-action settlement last year in which Google agreed to set up a $6 million fund for groups advocating privacy issues, according to Reuters. The settlement provided funds for groups such as the American Civil Liberties Union and the Brookings Institution but none for EPIC. In its objection, EPIC claimed that the fund's recipients "receive support from Google for lobbying, consulting, or similar services," Reuters reported.
Google’s data practices in connection with its launch of Google Buzz were the subject of a complaint filed with the FTC by EPIC shortly after the service was launched.
The agreement is open to public comment for 30 days, through May 2, after which the commission will decide whether to make the proposed consent order final. The FTC noted that violations of final consent orders may result in a civil penalty of up to $16,000 per violation.