Google must undergo an independent audit every two years for the next 20 years and must get permission from users before shares their information under the terms of a Federal Trade Commission settlement reached on Wednesday.
Google risks a $16,000-per-violation fine if it violates the agreement over privacy issues related to the rollout of its social-networking service Buzz.
“When companies make privacy pledges, they need to honor them,” FTC Chairman Jon Leibowitz said in a statement. “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations."
The Internet giant annoyed a range of privacy groups, not to mention users, when it launched Buzz last year and automatically signed up its e-mail users for the service, using their Gmail contacts as a list of suggested Buzz friends. Google moved quickly to address concerns over those features and provide users with more choices, but controversy continued to plague the service for months after the launch.
The commission said on Wednesday that Google has agreed to settle complaints that it used deceptive practices when it launched Buzz and violated its own privacy promises as well as the FTC Act.
The settlement with the dominant player in the Internet search and advertising market comes as lawmakers are crafting privacy legislation that could affect how such companies do business on the Internet. Sen. John Kerry, D-Mass., chairman of the Commerce Communications Subcommittee, is working on privacy legislation that would require companies to provide greater notice about information they are collecting and how it is used, allow consumers to opt out of such activities, and require firms to build privacy protections into their products.
A similar bill has been introduced in the House by Rep. Bobby Rush, D-Ill., and Rep. Cliff Stearns, R-Fla., is crafting a narrower bill that he said he plans to introduce soon.
Kerry said in a statement that the Google settlement underscores the need for Congress to pass legislation providing consumers with baseline privacy protections.
“Today’s settlement is rooted in the idea that if an entity is going to engage in the collection of people’s personally identifiable information, then it must build strong privacy protections into all of its operations,” Kerry said. “Every company should adhere to this kind of standard, not just Google, and it’s best for businesses and consumers alike to have certainty about the rules and standards going forward.”
The FTC alleged that even though Google allowed consumers to turn off Buzz, the company did not notify consumers that they would still be enrolled in certain features of the service and failed to offer them as much control over what personal information was made public as it promised.
"Google was just plain wrong when it opted people into Buzz without their consent. This should be a wake-up call for online businesses -- both large and small -- of the need to be clear and honest about how the personal information of consumers is collected and used," Senate Commerce Chairman Jay Rockefeller, D-W.Va., said in a statement.
The commission also said that this is the first time a U.S. firm has been accused of violating promises made as part of the U.S.-EU Safe Harbor agreement, which allows companies that adhere to a set of privacy principles to be deemed in compliance with European Union data-privacy rules. The agreement ensures that firms can legally send personal information from Europe to the United States.
FTC was not authorized to levy a financial penalty. In a conference call with reporters, Jessica Rich, deputy director of the FTC’s consumer-protection bureau, said that if Google violates the settlement, it could be subject to a $16,000 fine for each violation, although she did not elaborate on how such a penalty would be applied.
Rich noted that while the settlement does not relate directly to a separate controversy over Google’s collection of unsecured Wi-Fi data, it would cover practices outlined by that incident. Last fall, FTC closed its probe into Google’s admission that vehicles collecting images for the firm’s Street View service, which provides street-level images of locations around the world, also had “mistakenly” collected data from unsecured Wi-Fi networks in homes and businesses.
“While today’s announcement thankfully [puts] this incident behind us, we are 100 percent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward,”
The FTC settlement stems from a complaint filed last year by the Electronic Privacy Information Center that alleged Google violated consumer privacy with the launch of Buzz. EPIC and other privacy groups praised the outcome.
“The FTC settlement with Google is far-reaching. It is the most significant privacy decision by the commission to date,” EPIC said in a statement. “For Internet users, it should lead to higher privacy standards and better protection for personal data.”
Jeff Chester of the Center for Digital Democracy argued that the settlement underscores privacy advocates’ claims that “online marketing companies are not being candid about their digital ad practices.”