By Jennifer L. Saunders

Amid announcements Wednesday by the Federal Trade Commission (FTC) and Google that the two have reached a settlement agreement on privacy issues raised over last year’s introduction of the Google Buzz social network, FTC officials, privacy experts and advocates alike have been weighing in on the implications of the proposed settlement.

Under the proposed settlement, Google has agreed to provisions including the implementation of a comprehensive privacy program to include independent privacy audits for the next 20 years.

In its announcement, the FTC specifies, “The proposed settlement bars Google from misrepresenting the privacy or confidentiality of individuals’ information or misrepresenting compliance with the U.S.-EU Safe Harbor or other privacy, security or compliance programs. The settlement requires the company to obtain users’ consent before sharing their information with third parties...”

FTC Commissioner J. Thomas Rosch issued a separate statement on the proposed agreement, stressing that he has approved of accepting the consent decree for public comment purposes but has concerns that such an opt-in requirement in the agreement “might sometimes be contrary to the public interest.”

Elizabeth Johnson, a partner and the Privacy and Information Security Practice leader at Poyner Spruill LLP, shared insights into the implications of the proposed agreement with the Daily Dashboard following the announcement on Wednesday.

“There are really quite a lot of interesting things in the settlement,” she said, noting, “The requirements related to the implementation of a comprehensive privacy program are fascinating.”

Johnson pointed to the requirements the FTC is calling for to be layered with Google’s wide variety of products and services, suggesting, “The privacy program that should result will be epic in scale. Imagine the job of auditing it every other year for 20 years, even if Google never added another product or service, which is about as likely as the FTC never taking another enforcement action.” 

In terms of Safe Harbor, Johnson noted that through this agreement, “the FTC has put some teeth into the notice and choice principles with this action.”

Johnson also suggested the settlement will allow the FTC to advance the concept of privacy by design.

“The requirement that Google must identify privacy risks through an assessment process during ‘product design, development and research’ cries out for a privacy impact assessment and the resultant integration of privacy into products and services at their infancy,” she said.

Katie Ratte of the FTC’s Bureau of Consumer Protection told the Daily Dashboard that the proposed settlement “is groundbreaking for us because it’s the first time we’ve required a company to implement a privacy program to protect consumer data. We think this will help to protect the privacy of millions of consumers who use Google’s products and services. It’s something we called for in the FTC staff report, and we think it’s important for all businesses to incorporate into their business operations today.”

Google Global Privacy Counsel Jane Horvath, CIPP, CIPP/G, told the Daily Dashboard on Wednesday that the agreement is “a very strong consent decree, which will set up bi-annual reviews of our internal privacy process by outside experts—reviewed by the FTC—and mandates affirmative consent before we change how we share or disclose personal information.”

CNET, meanwhile, reports on reactions from both the Electronic Privacy Information Center (EPIC), which had asked the FTC to investigate Buzz, and TechFreedom, which CNET’s Declan McCullagh describes as a free-market think tank.

EPIC has called the settlement the FTC’s “most significant privacy decision,” while TechFreedom President Berin Szoka said that, in light of calls for federal privacy laws, the settlement “should remind us that the FTC already has sweeping powers to punish unfair or deceptive trade practices.”

“When companies make privacy pledges, they need to honor them,” FTC Chairman Jon Leibowitz said when the settlement was announced on Wednesday, adding, “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.”

Alma Whitten, director of privacy for Google Product & Engineering, wrote on Wednesday that while Buzz’s launch “fell short of our usual standards for transparency and user control—letting our users and Google down…we are 100-percent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward.”

Looking to the future, Johnson said she would expect that if the settlement is finalized, “The implications for the regulated community will be a monumental shift in thinking about how to implement privacy. Privacy impact assessments and privacy by design will no longer be best practices; they will be legally required to ensure that an organization does not run afoul of the FTC Act. Privacy professionals certainly saw that day was coming, but I don’t think any of us expected it would arrive so soon. It effectively arrived today.”

Public comments on the consent agreement are being accepted through May 2.

Staff Writer Angelique Carson contributed to this report.

