When Google (NSDQ: GOOG) launched Buzz last year, users were given two options: “Sweet! Check out Buzz” or “Nah, go to my Inbox.” The problem is, you became part of Buzz no matter which one users clicked on. Some folks understandably freaked out, since the program revealed to others which contacts people had emailed and chatted with the most. But Google’s Buzz program wasn’t just an annoying failure as a product-it violated the law, according to the Federal Trade Commission.
Now the FTC has reached a settlement with Google, forcing the search giant to meet a privacy rule that no other internet company is currently subject to-it must ask users to “opt-in” before sharing their information.
The FTC said today that resulted in thousands of consumer complaints to Google. The fact that Gmail users had contacted ex-spouses, patients, students, employers, or competitors was revealed to the world. Google did quickly make changes to adjust some of the worst aspects of Buzz, but it refused to separate it from Gmail, as many critics demanded.
And, Google will be subject to an independent privacy audit every two years for the next 20 years.
In a statement today on its official blog, Google apologized again for Buzz but downplayed the FTC action, simply saying the agency “wanted more detail about what went wrong,” which the company provided. The statement also suggests Google’s current information-sharing practices will be “grandfathered” in. “We’ll ask users to give us affirmative consent before we change how we share their personal information,” writes Google’s privacy director (emphasis mine).
What happens next. There will be a 30-day comment period before the consent agreement goes into effect. We can expect comment from both advocacy groups and Google’s competitors. After the comment period is over, Google may have to start offering users some new opt-ins with regards to their private information. The wording of the consent order, like Google’s statement, suggests that the company won’t need to ask permission for some current practices, because it refers to the opt-in being required only for “new or additional” information sharing. The covered information includes IP addresses, email addresses, and online identifiers like screen names used in Google services.
One big question is whether Google’s competitors will ultimately be subject to similar rules. If Google alone labors under “opt-in” rules, it will be at a significant disadvantage in the marketplace-especially against a competitor like Facebook, which often shares information about users by default.
Right now, the FTC still doesn’t have the legal authority to go around demanding these tighter privacy policies, however. The Chitika and Google cases show that the agency’s strategy, for now, is going to be taking action against companies that are violating their own written policies. In the agency’s view, that constitutes deceptive behavior and violates the FTC Act. However, that strategy has limits. Chris Soghoian, a privacy researcher at Indiana University who has done work for the FTC (but not on this case involving Google), says that he expects companies will now take a close look at their privacy policies to make sure they aren’t deceptive. But that might not be to consumers’ benefit.
“The FTC is clearly breaking new ground in a positive direction, but they still have very limited enforcement power because they have to tie their actions to ‘deception’ or ‘unfairness,'” says Soghoian. “Deception is going to prove to be limiting in the years to come,” because companies will alter their privacy policies to just be more wishy-washy. “They’ll err on the side of not disclosing anything-that’s how you’ll avoid the FTC in the future.”
See where Google ranks on our latest list, The paidContent 50: The Most Successful Digital Media Companies In The U.S.