Twenty Year FTC “Privacy Audit” Intended To Punish, Make Example Of Google

As you read earlier the US Federal Trade Commission concluded its investigation of Google over the company’s supposedly “deceptive privacy practices in Google’s rollout of its Buzz social network.” My view after talking to people at Google following the Buzz launch is that Google was not intentionally seeking to deceive users. Rather it was overzealous with the rollout and underestimated how strongly people would feel about privacy.

Not Worse than Facebook

There’s nothing more egregious here than comparable privacy screw-ups Facebook has made in the past. Google Buzz was a botched rollout with clumsy messaging.

Here’s my paraphrase of how Google characterized what happened shortly after the Buzz launch: “We failed to fully appreciate the wide range of differing privacy expectations that Buzz would confront at launch.”

Yet to Google’s credit it almost immediately addressed those privacy concerns. It still got sued (and later settled for $8.5 million) and the FTC complaint also ensued after Congressional calls for investigations (as are going on now around antitrust).

WTF, 20 Years?

The FTC action, concluded today, yielded two concrete outcomes:

  1. Google is now required to make more prominent privacy disclosures to users (and obtain their consent for any data sharing)
  2. Google will have to submit to twenty years of privacy audits

Regarding the first one: fine, good. But the second one strikes me as pretty excessive.

Here’s how Google casually described the “penalties” in a blog post: “We’ll receive an independent review of our privacy procedures once every two years, and we’ll ask users to give us affirmative consent before we change how we share their personal information.”

By contrast, here’s what the FTC itself said about the settlement:

The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.

How about five years, even 10 years — but 20 years? It’s a little like taking a kid who forgot to turn in his homework and expelling him from school. So why the harsh penalty?

FTC Wants to “Send a Message”

I believe two things are going on. The first, and less significant of the two, is payback by the FTC for past Google victories in high profile investigations (e.g., the AdMob acquisition). Much more importantly the FTC is also trying to make an example of Google to the rest of the industry, signaling that it takes this privacy thing very seriously.

Perhaps this is also an indication that any privacy rules that come down from the FTC or Congress are going to be much tougher than people think.

I have conversations with ad executives all the time about privacy and hear a range of predictions about what’s coming. Despite the strict new privacy rules (“explicit consent”) being imposed on marketers in Europe, most US ad industry professionals are fairly nonchalant and don’t believe the future online environment will be that different than today.

Coming Privacy Regulation

The hope is that modest “self-regulation” will be sufficient for Congress and the FTC. But the consumer privacy rules that ultimately come into being — and there will be some new rules — might be much stricter than what industry insiders are envisioning.

There are multiple bills being developed, the most prominent of which is Kerry-McCain. Here’s a legal analysis of that bill’s potential impact:

  • The draft envisions a significant role for the FTC and includes provisions requiring the FTC to promulgate rules on a number of important issues, including the appropriate consent mechanism for uses of data.  The FTC would also be tasked with issuing rules obligating businesses to provide reasonable security measures for the consumer data they maintain and to provide transparent notices about data practices.
  • The draft also states that businesses should “seek” to collect only as much “covered information” as is reasonably necessary to provide a transaction or service requested by an individual, to prevent fraud, or to improve the transaction or service.
  • “Covered information” is defined broadly and would include not just “personally identifiable information” (such as name, address, telephone number, social security number), but also “unique identifier information,” including a customer number held in a cookie, a user ID, a processor serial number or a device serial number.  Unlike definitions of “covered information” that appear in separate bills authored by Reps. Bobby Rush (D-Ill.) and Jackie Speier (D-Cal.), this definition specifically covers cookies and device IDs.
  • The draft encompasses a data retention principle, providing that businesses should only retain covered information only as long as necessary to provide the transaction or service “or for a reasonable period of time if the service is ongoing.”
  • The draft contemplates enforcement by the FTC and state attorneys general.  Notably — and in contrast to Rep. Rush’s bill — the draft does not provide a privacy right of action for individuals who are affected by a violation.
  • Nor does the bill specifically address the much-debated “Do Not Track” opt-out mechanism that was recommended in the FTC’s recent staff report on consumer privacy.  (You can read our analysis of that report here.)

FTC: We’ll Be a Tough Cop

Under most new privacy regulatory schemes the FTC would have a central role. An unresolved question is whether individuals and private litigants would be able to sue, as they can and do today.

Beyond remedying the privacy transgressions at Google, this tough FTC action is likely also an effort to send a strong signal to the market. The agency is putting marketers and publishers on notice that the FTC intends to be a tough privacy cop.

Related Entries

Related Topics: Channel: Industry | Features: Analysis | Google: Critics | Google: Legal | Legal: Privacy | Legal: Regulation


About The Author: is a Contributing Editor at Search Engine Land. He writes a personal blog Screenwerk, about SoLoMo issues and connecting the dots between online and offline. He also posts at Internet2Go, which is focused on the mobile Internet. Follow him @gsterling.

Connect with the author via: Email | Twitter | Google+ | LinkedIn


Get all the top search stories emailed daily!  


Other ways to share:

Read before commenting! We welcome constructive comments and allow any that meet our common sense criteria. This means being respectful and polite to others. It means providing helpful information that contributes to a story or discussion. It means leaving links only that substantially add further to a discussion. Comments using foul language, being disrespectful to others or otherwise violating what we believe are common sense standards of discussion will be deleted. Comments may also be removed if they are posted from anonymous accounts. You can read more about our comments policy here.
  • david pavlicko

    Greg, This FTC ruling is a riot.
    Oh yeah, they’re really punishing ol’ Google on this privacy issue by ‘auditing them’ for the next 20 years. please…..let’s get real.

    Isn’t this the EXACT SAME FTC that let them off with a warning when they were caught RED HANDED illegally stealing personal data from Wi-Fi connections with their street view cars? And then let them actually KEEP the freaking data, to boot?

    That said, I do agree that you’d better be on your game if you’re an online marketer today. Make the wrong move these days, and they can simply seize your domain.

Get Our News, Everywhere!

Daily Email:

Follow Search Engine Land on Twitter @sengineland Like Search Engine Land on Facebook Follow Search Engine Land on Google+ Get the Search Engine Land Feed Connect with Search Engine Land on LinkedIn Check out our Tumblr! See us on Pinterest


Click to watch SMX conference video

Join us at one of our SMX or MarTech events:

United States


Australia & China

Learn more about: SMX | MarTech

Free Daily Search News Recap!

SearchCap is a once-per-day newsletter update - sign up below and get the news delivered to you!



Search Engine Land Periodic Table of SEO Success Factors

Get Your Copy
Read The Full SEO Guide