Notice

Google, Inc.; Analysis of Proposed Consent Order To Aid Public Comment

Action

Proposed Consent Agreement.

Summary

The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices or unfair methods of competition. The attached Analysis to Aid Public Comment describes both the allegations in the draft complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.

 


DATES:

Comments must be received on or before May 2, 2011.

ADDRESSES:

Interested parties are invited to submit written comments electronically or in paper form. Comments should refer to “Google, File No. 102 3136” to facilitate the organization of comments. Please note that your comment—including your name and your state—will be placed on the public record of this proceeding, including on the publicly accessible FTC Web site, at http://www.ftc.gov/os/publiccomments.shtm.

Because comments will be made public, they should not include any sensitive personal information, such as an individual's Social Security Number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. Comments also should not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, comments should not include any “[t]rade secret or any commercial or financial information which is obtained from any person and which is privileged or confidential * * * as provided in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and Commission Rule 4.10(a)(2), 16 CFR 4.10(a)(2).” Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c), 16 CFR 4.9(c). [1]

Because paper mail addressed to the FTC is subject to delay due to heightened security screening, please consider submitting your comments in electronic form. Comments filed in electronic form should be submitted by using the following weblink: https://ftcpublic.commentworks.com/ftc/googlebuzz and following the instructions on the web-based form. To ensure that the Commission considers an electronic comment, you must file it on the web-based form at the weblink: https://ftcpublic.commentworks.com/ftc/googlebuzz. If this Notice appears at http://www.regulations.gov/search/index.jsp, you may also file an electronic comment through that Web site. The Commission will consider all comments that regulations.gov forwards to it. You may also visit the FTC Web site at http://www.ftc.gov/ to read the Notice and the news release describing it.

A comment filed in paper form should include the “Google, File No. 102 3136” reference both in the text and on the envelope, and should be mailed or delivered to the following address: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, NW., Washington, DC 20580. The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

The Federal Trade Commission Act (“FTC Act”) and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives, whether filed in paper or electronic form. Comments received will be available to the public on the FTC Web site, to the extent practicable, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC Web site. More information, including routine uses permitted by the Privacy Act, may be found in the FTC's privacy policy, at http://www.ftc.gov/ftc/privacy.shtm.

FOR FURTHER INFORMATION CONTACT:

Kathryn Ratte (202-326-3514), FTC Bureau of Consumer Protection, 600 Pennsylvania Avenue, NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

Pursuant to section 6(f) of the Federal Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and § 2.34 of the Commission Rules of Practice, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for March 30, 2010), on the World Wide Web, at http://www.ftc.gov/os/actions.shtm. A paper copy can be obtained from the FTC Public Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW., Washington, DC 20580, either in person or by calling (202) 326-2222.

Public comments are invited, and may be filed with the Commission in either paper or electronic form. All comments should be filed as prescribed in the ADDRESSES section above, and must be received on or before the date specified in the DATES section.

Analysis of Agreement Containing Consent Order To Aid Public Comment

The Federal Trade Commission has accepted, subject to final approval, a consent agreement from Google Inc. (“Google”).

The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement and the comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the agreement's proposed order.

On February 9, 2010, Google launched a social networking service called Google Buzz (“Google Buzz” or “Buzz”) within Gmail, its web-based email product. Google Buzz is a platform that allows users to share updates, comments, photos, videos, and other information through posts or “buzzes” made either publicly or privately to individuals or groups of users. Google used the information of consumers who signed up for Gmail, including first and last name and email contacts, to populate the social network, which, in many instances, resulted in certain previously private information being made public.

The Commission's complaint alleges that Google violated Section 5(a) of the FTC Act by falsely representing to users signing up for Gmail that it would use their information only for the purpose of providing them with web-based email. The complaint also alleges that Google falsely represented to consumers that it would seek their consent before using their information for a purpose other than that for which it was collected. The complaint further alleges that Google deceived consumers about their ability to decline enrollment in certain features of Buzz. In addition, the complaint alleges that Google failed to disclose adequately that certain information would become public by default through the Buzz product. Finally, the complaint alleges that Google misrepresented its compliance with the U.S.-EU Safe Harbor Framework, a mechanism by which U.S. companies may transfer data from the European Union to the United States consistent with European law.

The proposed order contains provisions designed to prevent Google from engaging in the future in practices similar to those alleged in the complaint with respect to all Google products and services, not only Gmail or Buzz.

Part I of the proposed order prohibits Google from misrepresenting the privacy and confidentiality of any “covered information,” as well as the company's compliance with any privacy, security, or other compliance program, including but not limited to the U.S.-EU Safe Harbor Framework. “Covered information” is defined broadly to include an individual's: (a) First and last name; (b) home or other physical address, including street name and city or town; (c) email address or other online contact information, such as a user identifier or screen name; (d) persistent identifier, such as IP address; (e) telephone number, including home telephone number and mobile telephone number; (f) list of contacts; (g) physical location; or any other information from or about an individual consumer that is combined with (a) through (g) above.

Part II of the proposed order requires Google to give Google users a clear and prominent notice and to obtain express affirmative consent prior to sharing the Google user's information with any third party in connection with a change, addition or enhancement to any product or service, where such sharing is contrary to stated sharing practices in effect at the time the Google user's information was collected. This provision is limited to users of Google's products and services whom Google has identified at the time it shares their information with third parties, for example, users who are logged into a Google product.

Part III of the proposed order requires Google to establish and maintain a comprehensive privacy program that is reasonably designed to: (1) Address privacy risks related to the development and management of new and existing products and services, and (2) protect the privacy and confidentiality of covered information. The privacy program must be documented in writing and must contain privacy controls and procedures appropriate to Google's size and complexity, the nature and scope of its activities, and the sensitivity of covered information. Specifically, the order requires Google to:

  • Designate an employee or employees to coordinate and be responsible for the privacy program;
  • Identify reasonably-foreseeable, material risks, both internal and external, that could result in the unauthorized collection, use, or disclosure of covered information and assess the sufficiency of any safeguards in place to control these risks;
  • Design and implement reasonable privacy controls and procedures to control the risks identified through the privacy risk assessment and regularly test or monitor the effectiveness of the safeguards' key controls and procedures;
  • Develop and use reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from respondent, and require service providers by contract to implement and maintain appropriate privacy protections; and
  • Evaluate and adjust its privacy program in light of the results of the testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on the effectiveness of its privacy program.

Part IV of the proposed order requires that Google obtain within 180 days, and on a biennial basis thereafter for twenty (20) years, an assessment and report from a qualified, objective, independent third-party professional, certifying, among other things, that: it has in place a privacy program that provides protections that meet or exceed the protections required by Part III of the proposed order; and its privacy controls are operating with sufficient effectiveness to provide reasonable assurance that the privacy of covered information is protected.

Parts V through IX of the proposed order are reporting and compliance provisions. Part V requires that Google retain all “widely disseminated statements that describe the extent to which respondent maintains and protects the privacy and confidentiality of any covered information, along with all materials relied upon in making or disseminating such statements, for a period of three (3) years. Part V further requires Google to retain, for a period of six (6) months from the date received, all consumer complaints directed at Google, or forwarded to Google by a third party, that allege unauthorized collection, use, or disclosure of covered information and any responses to such complaints. Part V also requires Google to retain for a period of five (5) years from the date received, documents that contradict, qualify, or call into question its compliance with the proposed order. Finally, Part V requires that Google retain all materials relied upon to prepare the third-party assessments for a period of three (3) years after the date that each assessment is prepared.

Part VI requires dissemination of the order now and in the future to principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having supervisory responsibilities relating to the subject matter of the order. Part VII ensures notification to the FTC of changes in corporate status. Part VIII mandates that Google submit an initial compliance report to the FTC and make available to the FTC subsequent reports. Part IX is a provision “sunsetting” the order after twenty (20) years, with certain exceptions.

The purpose of the analysis is to aid public comment on the proposed order. It is not intended to constitute an official interpretation of the proposed order or to modify its terms in any way.

By direction of the Commission.

Donald S. Clark,

Secretary.

Concurring Statement of Commissioner J. Thomas Rosch

I concur in accepting, subject to final approval, a consent agreement from Google Inc. (“Google”) for public comment. However, it should be emphasized that this consent agreement is being accepted, subject to final approval. I have substantial reservations about Part II of the consent agreement. My concerns are threefold. Before I describe them, however, I want to make clear that I do not mean to defend Google. Google can—and should—speak for itself. However, I believe that, as a Commission, we must always be concerned that a consent agreement, like a litigated decree, is consistent with the public interest. For that reason, I am opposed to accepting consent agreements that may be contrary to the public interest because a party is willing to agree to terms that hurt other competitors as much or more than the terms will hurt that party. That may occur, for example, when a consent agreement is used as “leverage in dealing with the practices of other competitors.” Part II of the proposed consent order may be susceptible to this happening.

More specifically, the crux of the violation alleged in the Complaint is that Google represented in its general “Privacy Policy” that “When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different from the purpose for which it was collected, then we will ask for your consent prior to such use.” However, when Google initiated its social networking service (“Google Buzz”) it used personal information previously collected for other purposes without asking for users' consent prior to this use. Part II of the proposed consent order prohibits Google, without prior “express affirmative consent” (an “opt-in” requirement) from engaging in any “new or additional sharing” of previously collected personal information “with any third party” that results from “any change, addition, or enhancement” to any Google product or service. First, Google did not represent in its general “Privacy Policy” (or otherwise, according to the Complaint) that the “consent” it would seek would require consumers to “opt in” as required by Part II. Indeed, the Complaint does not allege that Google ever asked consumers to signify their “consent” by “opting in” (as opposed to “opting out”). To be sure, insofar as Google did not seek “consent” at all, its representation in its general “Privacy Policy” was deceptive in violation of Section 5. But the “opt in” requirement in Part II is seemingly brand new. It does not echo what Google promised to do at the outset. In the separate Statement that I issued when the staff issued its preliminary Privacy Report, I expressed concern about whether an “opt in” requirement in these circumstances might sometimes be contrary to the public interest. Then, as now, I was concerned that it might be used as leverage in consent negotiations with other competitors.

Second, Part II of the proposed consent order applies whenever Google engages in any “new or additional sharing” of previously collected personal information “with any third party” for the next twenty years, not just any “material” new or additional sharing of that information. Because internet business models (and technology) change so rapidly, Google (and its competitors) are bound to engage in “new or additional” sharing of previously collected information with third parties during that period. That means that Part II is certain to apply (and with some frequency) during that period as long as Google does not warn users or consumers in its “general Privacy Policy” that it may engage in such sharing in the future.

Third, Part II applies not just to Google's social networking services or products, but to every single Google service or product that undergoes some “change, addition, or enhancement” (terms that are not defined in Part II) that results from the sharing of certain information. As a practical matter, this means that Google is at risk that Part II will apply across the board to every existing product or service that Google offers, including any product or service that involves the tracking and sharing of identified Google users' browsing behavior.

In short, on the face of it, Part II seems to be contrary to Google's self-interest. I therefore ask myself if Google willingly agreed to it, and if so, why it did so. Surely it did not do so simply to save itself litigation expense. But did it do so because it was being challenged by other government agencies and it wanted to “get the Commission off its back”? Or did it do so in hopes that Part II would be used as leverage in future government challenges to the practices of its competitors? In my judgment, neither of the latter explanations is consistent with the public interest.

Nor am I comforted that the purpose and effect of Part II may be to “fence in” Google. I am aware of the teaching of Jacob Siegel Co. v. FTC, 327 U.S. 608 (1946) that a “fencing in” order may cover legal conduct as long as that conduct is “reasonably related” to the violation. Even if Part II may be considered to cover conduct that is “reasonably related” to the violation here, any consent order, whether litigated or negotiated, must be consistent with the public interest. I look forward to public comment about whether Part II of the proposed consent order meets that requirement.

[FR Doc. 2011-7963 Filed 4-4-11; 8:45 am]

BILLING CODE 6750-01-P

Footnotes

1. The comment must be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission's General Counsel, consistent with applicable law and the public interest. See FTC Rule 4.9(c), 16 CFR 4.9(c).
