Business practices at odds with promises in the company’s privacy policy. The failure to disclose adequately that the contacts with whom users emailed and chatted the most would become public by default. Confusing and hard-to-find controls to limit the sharing of personal info. False claims about adherence to the U.S.-EU Safe Harbor privacy framework.
Those were the allegations in the FTC’s complaint against Google. What changes will the agency’s proposed settlement bring about at the company?
Most notable about the consent order is that it’s the first time an FTC settlement has required a business to implement a comprehensive program to protect the privacy of consumers’ information.
Part I of the order makes it clear that Google can’t misrepresent the extent to which it maintains the privacy and confidentiality of “covered information” — a term defined to include info Google collects from or about a person, like their first and last name, physical address, email address or screen name, IP address, phone number, list of contacts, or any other data about them that’s combined with one of those pieces of information.
Under Part II of the order, Google has to get a user’s express affirmative consent before sharing that user’s information with a third party in a way that differs from what the user was told when the information was collected, where the new sharing results from any change to a Google product or service. To give people the facts they need to make an informed choice, Google has to clearly and prominently disclose:
- that their information will be disclosed to a third party;
- who the information will be shared with; and
- why it’s being shared.
The order makes it clear that the disclosure has to be separate and apart from any end user license agreement, privacy policy, terms of use page, or similar document.
Part III requires Google to put a comprehensive privacy program in place immediately. The program has to address privacy risks related to the development and management of both new and existing products and services for consumers, and protect the privacy and confidentiality of covered information. Under the program, Google will implement privacy controls appropriate to its size and complexity, the nature of the company’s activities, and the sensitivity of the covered information. The scope of the program is broad and the order imposes detailed requirements.
Part IV requires Google to obtain an initial assessment and then biennial assessments from a qualified, objective, independent third-party professional, with the first report due to the FTC within six months and subsequent reports every two years for the next 20 years.
Of course, the settlement applies just to Google, but the practices spelled out in the order offer useful guidance to the industry. What messages should businesses take from the case?
Mean what you say and say what you mean. It should be an obvious point, but companies have to live up to their privacy promises. If you haven’t reviewed it lately, read your privacy policy. Now read it again through the eyes of your customers.
Bake it in. Thinking about introducing a new product or service? Consider privacy from the get-go. Attempting to mix in protections after preparations are underway can be a recipe for trouble.
Evaluate your privacy ecosystem. The comprehensive privacy program required by the order covers a broad range of Google’s business practices — from risk assessment and testing to training and monitoring of staff and service providers. Is it time to take a 360° look at your company’s privacy practices?