The Decision and Order settling charges by the Federal Trade Commission that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010 became final as of October 24, 2011. Google is barred from future privacy misrepresentations, is required to implement a comprehensive privacy program, and must submit to independent privacy audits every other year, for the next 20 years.
The finalization of the Order gave me an opportunity to refresh my recollections about the terms of the settlement, and reflect upon them. There are, indeed, many lessons to learn from the FTC – Google settlement:
What is a Comprehensive Privacy Program
The Google settlement order is the first one where the FTC requires a company to implement a comprehensive privacy program to protect the privacy of consumers’ personal information. As a result, there is now FTC guidance on the components of a comprehensive privacy program: from designating an individual responsible for the program, to identifying and assessing the risks that could result from the unauthorized collection, use or disclosure of personal information, to designing and implementing reasonable privacy controls and procedures, and training the personnel and supervising service providers.
What Personal Information is to be Protected
The Google settlement applies to “covered information.” The size of the universe of personal information to be protected is significant. It is much broader than “sensitive information” i.e. social security numbers, credit card and financial information, identity information, and the like, a limited, narrow group of personal information that too many view as the only personal information that must be protected. The “covered information” (or protected information) in the Google order encompasses all of the information that is collected from or about an individual, including, but not limited to, an individual’s:
- First and last name;
- Home or other physical address, including street name and city or town;
- Email address or other online contact information, such as a user identifier or screen name;
- Persistent identifier, such as IP address;
- Telephone number, including home telephone number and mobile telephone number;
- List of contacts;
- Physical location; or
- Any other information from or about an individual consumer that is combined with the above.
In other words, if you collect it, you have to protect it. This is a reminder that personal information need not be confidential, secret, or strategic to require protection.
How to Make a Material Change to a Policy
There is also specific guidance on how to implement a change in policy with respect to the sharing of personal information. If the personal data handling practices that were in effect when the company collected personal information change, the company must:
- Obtain express, affirmative users’ consent before sharing their information with third parties, and
Safe Harbor Promises Must be Kept
The Google settlement order is also the first time that the FTC has alleges violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework. Safe Harbor promises must be kept. It not enough to fill out a form and ignore the commitments made.
Privacy Promises Must be Kept
Misrepresenting the extent to which the privacy and confidentiality of personal information is maintained is not acceptable. A company may not misrepresent the purposes for which it collects and uses the information, and the extent to which consumers may exercise control over the collection, use, or disclosure of personal information. When promises are made, they must be kept.
If one Product fails, the Entire Company will Bear the Consequences
Finally, the FTC Settlement does not cover just the Google Buzz and Gmail products. It applies broadly to all products and services of Google. For a large company like Google, the repercussions of a single error are extensive and significant. Do not assume that a little mistake can only have little consequences.
Now, Google has twenty years to think about what it could have done better, and how it could have avoided to be elected to the FTC’s Hall of Shame. May the lessons from the FTC Google settlement order be learned by other companies.