It took a year, but the feds have finally extracted a settlement from Google over the search giant’s botched foray into social networking, called Buzz, which infuriated privacy advocates and prompted a public apology from the company.
In a statement, the FTC said the settlement “bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years.”
The settlement does not require Google to pay a fine.
It’s the first time the FTC has required a company to implement a “comprehensive privacy program to protect the privacy of consumers’ information,” according to the agency. It’s also the first time the FTC has alleged violations of the “substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States,” the agency said.
Alma Whitten, Google’s Director of Privacy, Product & Engineering, said in a company blog post that Google “fell short of our usual standards for transparency and user control — letting our users and Google down.” A Google spokesperson declined to comment beyond the blog post.
Last February, the Electronic Privacy Information Center filed a complaint with the FTC, charging that Google engaged in “unfair and deceptive acts and practices,” by using private email contacts to build a public online community. The group asserted that Google violated federal consumer protection laws.
“When companies make privacy pledges, they need to honor them,” said Jon Leibowitz, Chairman of the FTC. “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.”
Buzz incorporated social networking features into Gmail, and it was supposed to ease Google’s entrance into the booming real-time social space led by Facebook and Twitter. Instead, the product quickly turned into an embarrassment for Google after users discovered many of their private contacts were displayed publicly.
“The FTC has sent a powerful message to Google and the online data collection giants: we are watching you as you watch consumers,” Jeffrey Chester, Executive Director of the Center for Digital Democracy, said in an email to Wired.com. “The consumer protection team created by Chairman Leibowitz — under the direction of David Vladeck — will force the country’s most powerful online marketer to behave more responsibly.”
“The commission’s requirement that an independent outside privacy auditor is needed for Google for the next 20 years demonstrates what consumer advocates have been saying — that Google and other online marketing companies are not being candid about their digital ad practices,” Chester added.
The settlement with the FTC is an embarrassment for Google, but as Wired.com’s Ryan Singel pointed out last year, “in the grand scheme of privacy invasions, this one ranks a ‘Grenada’ — even though it has provided some cautionary lessons — not the least of which that Google shouldn’t limit pre-release testing to its unrepresentative army of coders.”
John M. Simpson, director of Consumer Watchdog’s Privacy Project, said the FTC should have gone further and actually fined the search giant. “Nothing will completely stop Google from invading users’ privacy until it gets hit where it hurts, its bank accounts,” he said in a statement.
Now that the FTC has dispensed with Google over privacy, presumably we can expect it to move on to other targets.
Here’s the full Google statement:
An update on Buzz
3/30/2011 07:30:00 AM
User trust really matters to Google. That’s why we try to be clear about what data we collect and how we use it—and to give people real control over the information they share with us. For example, Google Dashboard lets you view the data that’s stored in your Google Account and manage your privacy settings for different services. With our Ads Preferences Manager, you can see and edit the data Google uses to tailor ads on our partner websites—or opt out of them entirely. And the Data Liberation Front makes it easy to move your data in and out of Google products. We also recently improved our internal privacy and security procedures.
That said, we don’t always get everything right. The launch of Google Buzz fell short of our usual standards for transparency and user control—letting our users and Google down. While we worked quickly to make improvements, regulators—including the U.S. Federal Trade Commission—unsurprisingly wanted more detail about what went wrong and how we could prevent it from happening again. Today, we’ve reached an agreement with the FTC to address their concerns. We’ll receive an independent review of our privacy procedures once every two years, and we’ll ask users to give us affirmative consent before we change how we share their personal information.
We’d like to apologize again for the mistakes we made with Buzz. While today’s announcement thankfully put this incident behind us, we are 100 percent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward.
Posted by Alma Whitten, Director of Privacy, Product & Engineering