By Mehmet Munur
The Federal Trade Commission announced
on March 30th
that it settled
with Google over the rollout of its Buzz
The FTC complaint
explains how Google rolled out its Buzz service to its Gmail users with a splash screen that introduced them to Google Buzz, a social networking service allowing users to share updates much like any other social networking service. The users were given two options: “Sweet! Check out Buzz” or “Nah, go to my inbox.” (The screenshots are included in the exhibits
to the complaint.) The complaint further explains that even if users selected “Nah, go to my inbox,” the users could be followed by others who were enrolled in Buzz, their public profiles could appear in the profiles of others who had enrolled, and could be automatically enrolled if they later clicked on the Buzz link in their inbox, among other issues. In short, the FTC alleges that users were enrolled in a product without their explicit consent or an explanation of how their actions may affect their public profiles.
states that it would not use personal information in a manner other than for the purposes for which the information was initially collected or as later consented to by the user, as Google was required to do under the EU Safe Harbor
and probably the FTC Toysmart settlement
. Therefore, the FTC concludes that the automatic enrollment of users in the Buzz program in the absence of an explicit consent while representing that Google would get the user’s consent was a deceptive trade practice.
A. the extent to which respondent maintains and protects the privacy and confidentiality of any covered information, including, but not limited to, misrepresentations related to: (1) the purposes for which it collects and uses covered information, and (2) the extent to which consumers may exercise control over the collection, use, or disclosure of covered information.
B. the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other entity, including, but not limited to, the U.S.-EU Safe Harbor Framework.
The settlement agreement shares attributes of the previous settlement agreements that FTC reached with Sears, Twitter, and others. It requires Google to implement a proactive privacy program, one that is reminiscent of privacy by design
action, is likely to be carried on to other FTC privacy enforcement actions.
The FTC Google Buzz enforcement action is also the first substantive Safe Harbor enforcement. FTC’s first enforcement action against Balls of Kryptonite
was more focused on fees, service, and shipment policies of an ecommerce merchant than privacy. The second set of Safe Harbor settlements
were technical violations of the Safe Harbor. Six companies represented that they were part of the Safe Harbor when their certifications had expired years ago. However, the Google Buzz enforcement action represents the next stage. Google failed to live up to the Notice and Choice Principles of the Safe Harbor, with which it promised to comply.
The enforcement action also stands in distinction with the FTC’s unwillingness to take any action against Google regarding the Wi-Fi gate. While the FTC closed
the Wi-Fi gate without an enforcement action, to my knowledge, it is the first privacy regulator to act on the Buzz issues. On the other hand, the French Data Protection Authority recently imposed a €100,000 fine
on the same issue. However, considering that Google’s actions took place not on a website, but in a car
, the FTC may instead be allowing the State Attorneys General
to take a closer look at that issue.
Finally, I would like to take issue with Google’s use of “Sweet! Check out Buzz” and “Nah, go to my inbox” to attempt to allow users to accept or decline an offer. Agreements need not always be replete with legalese. Google was not required to state “I hereby represent that I have read and agreed to the Terms and Conditions
” in the splash page. Even if it had, due to its practices, it would still have likely violated the Section 5 of the FTC Act. However, Google’s use of such fluffy provisions are not the most effective means of forming agreements online nor of informing users about their rights. One can agree to an offer in many ways, including using the word awesome!
, but proving this assent in a court of law may be challenging.
In conclusion, the FTC Google Buzz enforcement action provides an interesting mix of issues by throwing together privacy by design
, the EU Safe Harbor, aligning privacy policies with privacy practices, and enforcement of agreements online.
Labels: Enforcement Action, Federal Trade Commission, FTC, Safe Habor