The proposed settlement requires Google to create a comprehensive privacy program, to be independently audited for the next 20 years. Any further privacy misrepresentations by Google will be subject to a $16,000 fine, the agency said.
The Google settlement marks the first time the FTC has ordered a company to implement a program to protect the privacy of consumers' information, which is noteworthy considering Google's position as the most trafficked site in the world.The Google case is also the first time the FTC has accused a company of violating the privacy requirements of an agreement that allows U.S. companies to legally transfer personal data of European Union citizens to the United States.
"When companies make privacy pledges, they need to honor them," Jon Leibowitz, Chairman of the FTC, said in a statement. "This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations."
Google launched its Buzz social network through its web-based Gmail service in February 2010, and the Electronic Privacy Information Center filed a complaint with the FTC soon afterward.
According to the FTC complaint, Google led Gmail users to believe they could decide whether to join the network, but offered ineffective means to opt-out. Those who did join found the controls for limiting the sharing of their personal information confusing and hard to find.
When Buzz was launched, Gmail users received a message announcing the service and were given two options: "Sweet! Check out Buzz," and "Nah, go to my inbox." But some Gmail users who clicked on "Nah" were enrolled in certain features of the Google Buzz social network anyway, the FTC alleged. Those who clicked on "Sweet!" weren't clearly informed that the identity of all the people they emailed most frequently would be made public by default.
Although Google offered a "Turn Off Buzz" option, it failed to remove users from the social network. As a result, Google was bombarded with thousands of complaints from consumers angry about the publicizing of their contacts, which included ex-spouses, patients, students, employers and competitors.
Alma Whitten, Google's Director of Privacy, Product & Engineering, addressed the FTC order and apologized to Google users on the company's blog.
For those who willfully enrolled in Buzz, a screen that asked them "How do you want to appear to others?" gave consumers the false impression they could control what personal information would be made public. In reality, their frequent email contacts were made public, which the FTC said Google failed to clearly disclose.
The FTC also charged Google with lying about its treatment of personal information from the European Union under the U.S.-EU Safe Harbor privacy framework. Google's claims about compliance with the agreement were false, the FTC said, since it failed to give E.U. residents notice and choice before using their information for purposes other than what it was collected for.
The proposed settlement forbids Google from misrepresenting the privacy or confidentiality of consumer information or compliance with the U.S.-E.U Safe Harbor or other privacy, security, or compliance programs. Google must also obtain the consent of users before sharing their information with third parties if it alters its products or services in a manner that invalidates any privacy promises made when a consumer's information was first collected.