The FTC and Google recently entered a consent agreement concerning Google’s Buzz platform. Launched in February of 2010, Google Buzz is said to be Google’s version of Facebook or Twitter, enabling users to communicate with other users over a social networking platform. The FTC’s complaint alleged that Google engaged in misleading and deceptive practices by publicly disclosing Gmail users’ information without notice, and without their consent. When Buzz was first launched, Gmail users automatically saw a message announcing the new service and giving the options of “Sweet! Check out Buzz” and “Nah, go to my inbox.” The users who chose the former option were enrolled in certain features of the Google Buzz social network without being informed of which features, and some of the users who chose the latter “nah” option were nonetheless also enrolled in certain features of the Buzz network. Enrollment in the Buzz network meant that users were automatically signed up to follow other Gmail contacts in Buzz, and their Gmail contacts in Buzz were signed up to follow them. The default setting for items posted in Google Buzz was “public,” meaning anything posted was shared with all of a user’s followers and searchable on the internet, and the option to privatize was difficult to find. If a Buzz user wanted to direct a comment through the Buzz network to an individual from the user’s email contact list, that individual’s private email address would be exposed to all followers of the user and searchable by search engines. Gmail users could also find themselves being followed by individuals they had blocked on Gchat, or by individuals showing up as “unknown” with no first or last name, and were not able to block the unknown users.
The complaint stated that users complained about the following problematic cases of both exposed email addresses and followers not able to be blocked: abusive ex-husbands individuals who had restraint orders filed against them, clients of attorneys, patients of mental health professionals, children, recruiters for potential jobs. The “turn off Buzz” option did not remove Gmail users from being followers on other users’ Buzz pages and Google profiles.
Additionally, the complaint alleged that Google, as a registered member of the U.S. E.U. Safe Harbor framework since 2005, breached the US Safe Harbor Privacy Principles of Notice and Choice. Participation in the Safe Harbor allows a company to transfer personal data lawfully from the European Union to the United States. The Safe Harbor Privacy Principles of Notice and Choice require the participating organization to “inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquires or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure,” and to “offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual.” Although, in the past, the FTC has found companies to have falsely stated that they possessed safe harbor certifications, is the first time the FTC has alleged substantive violations of the privacy requirements of the U.S.-E.U. Safe Harbor framework. The FTC stated that failing to give Gmail users notice before using the information collected for Gmail for a purpose other than that for which it was collected, and failing to give Gmail users choice also constitutes unfair or deceptive acts or practices in violation of the FTC Act.
The proposed consent agreement requires Google to obtain affirmative consent from the Google user before sharing the user’s information. Google is also ordered to develop and implement a comprehensive privacy program to address privacy risks related to new and existing services for consumers, and to protect the privacy of covered information. Google must lay out its plan in writing, and include details such as the designation of employees responsible for the new program, identification of reasonable risks, and the plan to retain service providers that can implement the privacy protections. Google is also required to hire a third-party to report on its privacy program, six months after the initial assessment, and then every two years afterwards for the next twenty years. Lastly, the proposed consent agreement requires Google to make available certain documents for inspection by the FTC. The agreement is subject to public comment up through May 1, 2011.
The FTC seems to be sending a clear message that it will use its Section 5 authority against social media platforms that collect and distribute personal information without providing adequate disclosure of their information practices and/or accurate information about their compliance with privacy regimes.