Google just settled with FTC over agency’s accusations of “deceptive privacy practices” in the rollout of its social communications tool Buzz. The FTC issued a release here (we’ve pasted it below) and you can also access Google’s Blog post on the subject here. Updating.
The FTC claims that Google’s “deceptive tactics” when launching Buzz (i.e. not adequately informing users of the privacy issues surrounding the product), violated the FTC act. Specifically, the FTC says that Google didn’t properly inform users of the choice of declining or leaving the social network. For users who joined the Buzz network, the controls for limiting the sharing of their personal information were confusing and difficult to find, says the FTC.
The agency also claims that those who did join the network didn’t realize that the identity of individuals they emailed most frequently would be made public by default within the network. Google also offered a “Turn Off Buzz” option that did not fully remove the user from the social network. Apparently, Google received “thousands of complaints” from users who were upset and worried about the public disclosure of their email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors.
Jon Leibowitz, Chairman of the FTC said in the release: “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.”
The settlement bars the search giant from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits by independent third parties for the next 20 years. The charge also requires Google to obtain users’ consent before sharing their information with third parties. And the FTC says this is the first time in history where a settlement has required a company to conduct a privacy program of this kind.
Google writes in its blog post announcing the settlement: We’d like to apologize again for the mistakes we made with Buzz. While today’s announcement thankfully put this incident behind us, we are 100 percent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward. The company also admitted that the launch of Google Buzz “fell short of our usual standards for transparency and user control—letting our users and Google down.”
I think the question lingering in everyone’s minds is when is Google going to finally “sunset” Buzz?
FTC Charges Deceptive Privacy Practices in Google’s Rollout of Its Buzz Social Network
Google Agrees to Implement Comprehensive Privacy Program to Protect Consumer Data
WASHINGTON, March 30, 2011 /PRNewswire-USNewswire/ — Google Inc. has agreed to settle Federal Trade Commission charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleges the practices violate the FTC Act. The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.
“When companies make privacy pledges, they need to honor them,” said Jon Leibowitz, Chairman of the FTC. “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.”
According to the FTC complaint, Google launched its Buzz social network through its Gmail web-based email product. Although Google led Gmail users to believe that they could choose whether or not they wanted to join the network, the options for declining or leaving the social network were ineffective. For users who joined the Buzz network, the controls for limiting the sharing of their personal information were confusing and difficult to find, the agency alleged.
On the day Buzz was launched, Gmail users got a message announcing the new service and were given two options: “Sweet! Check out Buzz,” and “Nah, go to my inbox.” However, the FTC complaint alleged that some Gmail users who clicked on “Nah…” were nonetheless enrolled in certain features of the Google Buzz social network. For those Gmail users who clicked on “Sweet!,” the FTC alleges that they were not adequately informed that the identity of individuals they emailed most frequently would be made public by default. Google also offered a “Turn Off Buzz” option that did not fully remove the user from the social network.
In response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors. According to the FTC complaint, Google made certain changes to the Buzz product in response to those complaints.
The agency also alleges that by offering options like “Nah, go to my inbox,” and “Turn Off Buzz,” Google misrepresented that consumers who clicked on these options would not be enrolled in Buzz. In fact, they were enrolled in certain features of Buzz.
The complaint further alleges that a screen that asked consumers enrolling in Buzz, “How do you want to appear to others?” indicated that consumers could exercise control over what personal information would be made public. The FTC charged that Google failed to disclose adequately that consumers’ frequent email contacts would become public by default.
Finally, the agency alleges that Google misrepresented that it was treating personal information from the European Union in accordance with the U.S.-EU Safe Harbor privacy framework. The framework is a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission. To participate, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles. The complaint alleges that Google’s assertion that it adhered to the Safe Harbor principles was false because the company failed to give consumers notice and choice before using their information for a purpose different from that for which it was collected.
The proposed settlement bars Google from misrepresenting the privacy or confidentiality of individuals’ information or misrepresenting compliance with the U.S.-E.U Safe Harbor or other privacy, security, or compliance programs. The settlement requires the company to obtain users’ consent before sharing their information with third parties if Google changes its products or services in a way that results in information sharing that is contrary to any privacy promises made when the user’s information was collected. The settlement further requires Google to establish and maintain a comprehensive privacy program, and it requires that for the next 20 years, the company have audits conducted by independent third parties every two years to assess its privacy and data protection practices.
Google’s data practices in connection with its launch of Google Buzz were the subject of a complaint filed with the FTC by the Electronic Privacy Information Center shortly after the service was launched.
The Commission vote to issue the administrative complaint and accept the consent agreement package containing the proposed consent order for public comment was 5-0, with Commissioner J. Thomas Rosch issuing a separate concurring statement. Commissioner Rosch concurs with accepting, subject to final approval, the consent order for the purpose of public comment. The reasons for his concurrence are described in the attached separate statement.
The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through May 1, 2011, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in electronic form should be submitted using the following web link: https://ftcpublic.commentworks.com/ftc/googlebuzz and following the instructions on the web-based form. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.