The Federal Trade Commission and Google have agreed to settle charges that it violated its own privacy promises to consumers when it launched its social network, Google Buzz. The FTC said the settlement “bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program and calls for regular, independent privacy audits for the next 20 years.”
This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information, and the first time the FTC has alleged violations of the privacy requirements of the U.S.-EU Safe Harbor Framework.
“When companies make privacy pledges, they need to honor them,” FTC Chairman Jon Leibowitz said in a statement. “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations."
The Electronic Privacy Information Center filed the complaint in February 2010, saying that the launch of Google’s new feature converted Gmail users’ private and personal information into public information. The application automatically pulled contacts from users’ Gmail accounts into a social network without informing them.
In response to user complaints, Google made some tweaks to the feature and launched an effort to better explain Buzz and its privacy settings.
Jeffrey Chester, executive director of the Center for Digital Democracy, called the settlement a major victory for privacy advocates. “This shows FTC has woken up from long digital data slumber,” Chester said in a phone interview. “For years the FTC was a regulatory lapdog; now its becoming a more seasoned watchdog.”
Katie Ratte, an attorney from the FTC answered questions on Twitter about the settlement using the hashtag #FTCpriv.
In a Twitter Q&A, Ratte said that if Google violates the consent decree it could be subject to civil penalties in the amount of $16,000 per violation.
She wrote that one goal of this order is increasing transparency & control for third party disclosures.
As to a broader privacy framework, Ratte said that a comprehensive privacy program is a “good idea for all companies” but that it should be “flexible and scalable” according to business practices and the sensitivity of data. She also said the best practices set forth in the order should serve as a guide to the rest of the industry.
This post has been updated since it was first published.