Twenty Year FTC “Privacy Audit” Intended To Punish, Make Example Of Google
As you read earlier, the US Federal Trade Commission concluded its investigation of Google over the company’s supposedly “deceptive privacy practices in Google’s rollout of its Buzz social network.” My view after talking to people at Google following the Buzz launch is that Google was not intentionally seeking to deceive users. Rather, it was overzealous with the rollout and underestimated how strongly people would feel about privacy.
Not Worse than Facebook
There’s nothing more egregious here than comparable privacy screw-ups Facebook has made in the past. Google Buzz was a botched rollout with clumsy messaging.
Here’s my paraphrase of how Google characterized what happened shortly after the Buzz launch: “We failed to fully appreciate the wide range of differing privacy expectations that Buzz would confront at launch.”
Yet, to Google’s credit, it almost immediately addressed those privacy concerns. It still got sued (and later settled for $8.5 million), and the FTC complaint also ensued after Congressional calls for investigations (as are going on now around antitrust).
WTF, 20 Years?
The FTC action, concluded today, yielded two concrete outcomes:
- Google is now required to make more prominent privacy disclosures to users (and obtain their consent for any data sharing)
- Google will have to submit to twenty years of privacy audits
Regarding the first one: fine, good. But the second one strikes me as pretty excessive.
Here’s how Google casually described the “penalties” in a blog post: “We’ll receive an independent review of our privacy procedures once every two years, and we’ll ask users to give us affirmative consent before we change how we share their personal information.”
By contrast, here’s what the FTC itself said about the settlement:
The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.
How about five years, even 10 years — but 20 years? It’s a little like taking a kid who forgot to turn in his homework and expelling him from school. So why the harsh penalty?
FTC Wants to “Send a Message”
I believe two things are going on. The first, and less significant of the two, is payback by the FTC for past Google victories in high-profile investigations (e.g., the AdMob acquisition). Much more importantly, the FTC is also trying to make an example of Google to the rest of the industry, signaling that it takes this privacy thing very seriously.
Perhaps this is also an indication that any privacy rules that come down from the FTC or Congress are going to be much tougher than people think.
I have conversations with ad executives all the time about privacy and hear a range of predictions about what’s coming. Despite the strict new privacy rules (“explicit consent”) being imposed on marketers in Europe, most US ad industry professionals are fairly nonchalant and don’t believe the future online environment will be that different from today.
Coming Privacy Regulation
The hope is that modest “self-regulation” will be sufficient for Congress and the FTC. But the consumer privacy rules that ultimately come into being — and there will be some new rules — might be much stricter than what industry insiders are envisioning.
There are multiple bills being developed, the most prominent of which is Kerry-McCain. Here’s a legal analysis of that bill’s potential impact:
- The draft envisions a significant role for the FTC and includes provisions requiring the FTC to promulgate rules on a number of important issues, including the appropriate consent mechanism for uses of data. The FTC would also be tasked with issuing rules obligating businesses to provide reasonable security measures for the consumer data they maintain and to provide transparent notices about data practices.
- The draft also states that businesses should “seek” to collect only as much “covered information” as is reasonably necessary to provide a transaction or service requested by an individual, to prevent fraud, or to improve the transaction or service.
- “Covered information” is defined broadly and would include not just “personally identifiable information” (such as name, address, telephone number, social security number), but also “unique identifier information,” including a customer number held in a cookie, a user ID, a processor serial number or a device serial number. Unlike definitions of “covered information” that appear in separate bills authored by Reps. Bobby Rush (D-Ill.) and Jackie Speier (D-Cal.), this definition specifically covers cookies and device IDs.
- The draft encompasses a data retention principle, providing that businesses should retain covered information only as long as necessary to provide the transaction or service “or for a reasonable period of time if the service is ongoing.”
- The draft contemplates enforcement by the FTC and state attorneys general. Notably — and in contrast to Rep. Rush’s bill — the draft does not provide a privacy right of action for individuals who are affected by a violation.
- Nor does the bill specifically address the much-debated “Do Not Track” opt-out mechanism that was recommended in the FTC’s recent staff report on consumer privacy. (You can read our analysis of that report here.)
FTC: We’ll Be a Tough Cop
Under most new privacy regulatory schemes the FTC would have a central role. An unresolved question is whether individuals and private litigants would be able to sue, as they can and do today.
Beyond remedying the privacy transgressions at Google, this tough FTC action is likely also an effort to send a strong signal to the market. The agency is putting marketers and publishers on notice that the FTC intends to be a tough privacy cop.