In the Matter of Google Inc.
File No. 102 3136
Comments of Privacy Rights Clearinghouse
Submitted May 2, 2011
The Privacy Rights Clearinghouse (PRC) respectfully submits the following comments to the Federal Trade Commission (Commission) regarding the proposed consent order between Google and the FTC In the matter of Google Inc., File No. 1023136. [1]
The PRC is a non-profit consumer privacy organization engaging in consumer education and advocacy. Over the course of our 19-year history, PRC staff members have worked directly with tens of thousands of consumers concerned about their privacy. Our comments regarding the proposed consent order reflect, in large part, our observations based on direct communication with individual consumers.
The Commission filed a complaint against Google alleging a violation of the FTC Act concerning its rollout of the Google Buzz social networking service. According to the complaint, Google violated the FTC act by engaging in deceptive acts or practices when it represented “that it used, and would use, information from consumers signing up for Gmail only for the purpose of providing them with a web-based email service”[2] and instead used the information to populate a new social network. Google also failed to disclose to consumers what information would be public by default, and allegedly deceived consumers as to their ability to decline enrollment in Buzz. The complaint also alleged that Google misrepresented its compliance with the U.S.-EU Safe Harbor Framework when it in fact did not adhere to the privacy principles of Notice and Choice.[3]
The PRC supports the Commission’s proposed consent order, and we hope to see it finalized in a manner that imposes clearer privacy requirements on Google and creates meaningful privacy protections for Google users. Given the extensive scope of Google’s products and services, and the fact that the agreement applies to them all, this proposed order arguably has the potential to expand privacy protections for most Internet users.
“Express affirmative consent” should be defined within the consent order and should extend beyond third parties
Part II of the settlement requires Google to obtain express affirmative consent prior to sharing user information with any third party.[4] As a consumer privacy organization, we advocate for consumer control over personal data, and believe that this portion of the settlement may hold the most potential for concerned Google users. However, the settlement’s failure to define “express affirmative consent” may do little to improve consumer choice. For example, this could potentially come in the form of Google using pre-checked boxes so that the “express affirmative consent” is effectively an opt-out rather than an opt-in. We therefore encourage the Commission to adopt a definition of “express affirmative consent” in the finalized consent order that will require Google to provide users with clear, understandable, and meaningful choice in sharing information with third parties.
Furthermore, due to Google’s size and pervasiveness, we urge the commission to require “express affirmative consent” from consumers whenever Google intends to use the information across its own products and services. This is especially important when it creates or acquires new products and/or services that may use the information in a manner unanticipated by a user.
The Commission should enhance the requirements for maintaining a “comprehensive privacy program”
Part III of the settlement requires Google to maintain a comprehensive privacy program “designed to address privacy risks related to the development and management of new and existing products and services for consumers” and to “protect the privacy and confidentiality of covered information.”[5] We support the Commission’s requirement that Google maintain such a program, but urge the Commission to require certain elements within the program that will help hold Google accountable to its users.
For example, we believe that all Gmail and other cloud-based products and services Google provides should encrypt data on a routine basis. Google should also be subject to data retention limitations. Furthermore, Google should be required to clearly disclose to its users its data retention policy, and the data it collects, stores, and discloses to other parties or among its own products and services. Users should be able to control the use and collection of their data to the widest extent possible. The PRC believes that the requirements should explicitly extend to Google’s mobile platform as well.
If the Commission does not add specific requirements to this portion (Part III) of the settlement, Google may argue that its current practices fall in line with the requirement as it stands, therefore potentially negating the purpose of the consent order.
In conclusion, when finalizing its consent order with Google, we urge the Commission to consider both defining “express affirmative consent” and requiring it in situations extending beyond third party transactions, and adding specific requirements for maintaining a “comprehensive privacy program.”
Respectfully submitted,
Beth Givens, Director
Privacy Rights Clearinghouse
[1] Federal Trade Commission, In the Matter of Google Inc., Agreement Containing Consent Order File No. 102 3136, Mar. 30, 2011 [hereinafter “Consent Order”], available at http://www.ftc.gov/os/caselist/1023136/110330googlebuzzagreeorder.pdf.
[2] Federal Trade Commission, In the Matter of Google Inc., Complaint, at 5, available at http://www.ftc.gov/os/caselist/1023136/110330googlebuzzcmpt.pdf.
[3]Id. at 7.
[4] See Consent Order, supra note 1, at 4
[5] Id. at 4.
