5 April 2011

FTC RFC on Google Settlement of Unfair Buzz

[Federal Register: April 5, 2011 (Volume 76, Number 65)]
[Notices]               
[Page 18762-18765]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr05ap11-66]                         

=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 102 3136]

 
Google, Inc.; Analysis of Proposed Consent Order To Aid Public 
Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices or unfair methods of competition. The attached Analysis to 
Aid Public Comment describes both the allegations in the draft 
complaint and the terms of the consent order--embodied in the consent 
agreement--that would settle these allegations.

DATES: Comments must be received on or before May 2, 2011.

ADDRESSES: Interested parties are invited to submit written comments 
electronically or in paper form. Comments should refer to ``Google, 
File No. 102 3136'' to facilitate the organization of comments. Please 
note that your comment--including your name and your state--will be 
placed on the public record of this proceeding, including on the 
publicly accessible FTC Web site, at http://www.ftc.gov/os/
publiccomments.shtm.
    Because comments will be made public, they should not include any 
sensitive personal information, such as an individual's Social Security 
Number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. Comments also 
should not include any sensitive health information, such as medical 
records or other individually identifiable health information. In 
addition, comments should not include any ``[t]rade secret or any 
commercial or financial information which is obtained from any person 
and which is privileged or confidential * * * as provided in Section 
6(f) of the FTC Act, 15 U.S.C. 46(f), and Commission Rule 4.10(a)(2), 
16 CFR 4.10(a)(2).'' Comments containing material for which 
confidential treatment is requested must be filed in paper form, must 
be clearly labeled ``Confidential,'' and must comply with FTC Rule 
4.9(c), 16 CFR 4.9(c).\1\
---------------------------------------------------------------------------

    \1\ The comment must be accompanied by an explicit request for 
confidential treatment, including the factual and legal basis for 
the request, and must identify the specific portions of the comment 
to be withheld from the public record. The request will be granted 
or denied by the Commission's General Counsel, consistent with 
applicable law and the public interest. See FTC Rule 4.9(c), 16 CFR 
4.9(c).
---------------------------------------------------------------------------

    Because paper mail addressed to the FTC is subject to delay due to 
heightened security screening, please consider submitting your comments 
in electronic form. Comments filed in electronic form should be 
submitted by using the following weblink: https://
ftcpublic.commentworks.com/ftc/googlebuzz and following the 
instructions on the web-based form. To ensure that the Commission 
considers an electronic comment, you must file it on the web-based form 
at the weblink: https://ftcpublic.commentworks.com/ftc/googlebuzz. If 
this Notice appears at http://www.regulations.gov/search/index.jsp, you 
may also file an electronic comment through that Web site. The 
Commission will consider all comments that regulations.gov forwards to 
it. You may also visit the FTC Web site at http://www.ftc.gov/ to read 
the Notice and the news release describing it.
    A comment filed in paper form should include the ``Google, File No. 
102 3136'' reference both in the text and on the envelope, and should 
be mailed or delivered to the following address: Federal Trade 
Commission, Office of the Secretary, Room H-113 (Annex D), 600 
Pennsylvania Avenue, NW., Washington, DC 20580. The FTC is requesting 
that any comment filed in paper form be sent by courier or overnight 
service, if possible, because U.S. postal mail in the Washington area 
and at the Commission is subject to

[[Page 18763]]

delay due to heightened security precautions.
    The Federal Trade Commission Act (``FTC Act'') and other laws the 
Commission administers permit the collection of public comments to 
consider and use in this proceeding as appropriate. The Commission will 
consider all timely and responsive public comments that it receives, 
whether filed in paper or electronic form. Comments received will be 
available to the public on the FTC Web site, to the extent practicable, 
at  http://www.ftc.gov/os/publiccomments.shtm. As a matter of 
discretion, the Commission makes every effort to remove home contact 
information for individuals from the public comments it receives before 
placing those comments on the FTC Web site. More information, including 
routine uses permitted by the Privacy Act, may be found in the FTC's 
privacy policy, at http://www.ftc.gov/ftc/privacy.shtm.

FOR FURTHER INFORMATION CONTACT: Kathryn Ratte (202-326-3514), FTC 
Bureau of Consumer Protection, 600 Pennsylvania Avenue, NW., 
Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal 
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec.  2.34 of 
the Commission Rules of Practice, 16 CFR 2.34, notice is hereby given 
that the above-captioned consent agreement containing a consent order 
to cease and desist, having been filed with and accepted, subject to 
final approval, by the Commission, has been placed on the public record 
for a period of thirty (30) days. The following Analysis to Aid Public 
Comment describes the terms of the consent agreement, and the 
allegations in the complaint. An electronic copy of the full text of 
the consent agreement package can be obtained from the FTC Home Page 
(for March 30, 2010), on the World Wide Web, at http://www.ftc.gov/os/
actions.shtm. A paper copy can be obtained from the FTC Public 
Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW., Washington, 
DC 20580, either in person or by calling (202) 326-2222.
    Public comments are invited, and may be filed with the Commission 
in either paper or electronic form. All comments should be filed as 
prescribed in the ADDRESSES section above, and must be received on or 
before the date specified in the DATES section.

Analysis of Agreement Containing Consent Order To Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, a consent agreement from Google Inc. (``Google'').
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission will again review the 
agreement and the comments received, and will decide whether it should 
withdraw from the agreement and take appropriate action or make final 
the agreement's proposed order.
    On February 9, 2010, Google launched a social networking service 
called Google Buzz (``Google Buzz'' or ``Buzz'') within Gmail, its web-
based email product. Google Buzz is a platform that allows users to 
share updates, comments, photos, videos, and other information through 
posts or ``buzzes'' made either publicly or privately to individuals or 
groups of users. Google used the information of consumers who signed up 
for Gmail, including first and last name and email contacts, to 
populate the social network, which, in many instances, resulted in 
certain previously private information being made public.
    The Commission's complaint alleges that Google violated Section 
5(a) of the FTC Act by falsely representing to users signing up for 
Gmail that it would use their information only for the purpose of 
providing them with web-based email. The complaint also alleges that 
Google falsely represented to consumers that it would seek their 
consent before using their information for a purpose other than that 
for which it was collected. The complaint further alleges that Google 
deceived consumers about their ability to decline enrollment in certain 
features of Buzz. In addition, the complaint alleges that Google failed 
to disclose adequately that certain information would become public by 
default through the Buzz product. Finally, the complaint alleges that 
Google misrepresented its compliance with the U.S.-EU Safe Harbor 
Framework, a mechanism by which U.S. companies may transfer data from 
the European Union to the United States consistent with European law.
    The proposed order contains provisions designed to prevent Google 
from engaging in the future in practices similar to those alleged in 
the complaint with respect to all Google products and services, not 
only Gmail or Buzz.
    Part I of the proposed order prohibits Google from misrepresenting 
the privacy and confidentiality of any ``covered information,'' as well 
as the company's compliance with any privacy, security, or other 
compliance program, including but not limited to the U.S.-EU Safe 
Harbor Framework. ``Covered information'' is defined broadly to include 
an individual's: (a) First and last name; (b) home or other physical 
address, including street name and city or town; (c) email address or 
other online contact information, such as a user identifier or screen 
name; (d) persistent identifier, such as IP address; (e) telephone 
number, including home telephone number and mobile telephone number; 
(f) list of contacts; (g) physical location; or any other information 
from or about an individual consumer that is combined with (a) through 
(g) above.
    Part II of the proposed order requires Google to give Google users 
a clear and prominent notice and to obtain express affirmative consent 
prior to sharing the Google user's information with any third party in 
connection with a change, addition or enhancement to any product or 
service, where such sharing is contrary to stated sharing practices in 
effect at the time the Google user's information was collected. This 
provision is limited to users of Google's products and services whom 
Google has identified at the time it shares their information with 
third parties, for example, users who are logged into a Google product.
    Part III of the proposed order requires Google to establish and 
maintain a comprehensive privacy program that is reasonably designed 
to: (1) Address privacy risks related to the development and management 
of new and existing products and services, and (2) protect the privacy 
and confidentiality of covered information. The privacy program must be 
documented in writing and must contain privacy controls and procedures 
appropriate to Google's size and complexity, the nature and scope of 
its activities, and the sensitivity of covered information. 
Specifically, the order requires Google to:
     Designate an employee or employees to coordinate and be 
responsible for the privacy program;
     Identify reasonably-foreseeable, material risks, both 
internal and external, that could result in the unauthorized 
collection, use, or disclosure of covered information and assess the 
sufficiency of any safeguards in place to control these risks;
     Design and implement reasonable privacy controls and 
procedures to control the risks identified through the privacy risk 
assessment and regularly

[[Page 18764]]

test or monitor the effectiveness of the safeguards' key controls and 
procedures;
     Develop and use reasonable steps to select and retain 
service providers capable of appropriately protecting the privacy of 
covered information they receive from respondent, and require service 
providers by contract to implement and maintain appropriate privacy 
protections; and
     Evaluate and adjust its privacy program in light of the 
results of the testing and monitoring, any material changes to its 
operations or business arrangements, or any other circumstances that it 
knows or has reason to know may have a material impact on the 
effectiveness of its privacy program.
    Part IV of the proposed order requires that Google obtain within 
180 days, and on a biennial basis thereafter for twenty (20) years, an 
assessment and report from a qualified, objective, independent third-
party professional, certifying, among other things, that: it has in 
place a privacy program that provides protections that meet or exceed 
the protections required by Part III of the proposed order; and its 
privacy controls are operating with sufficient effectiveness to provide 
reasonable assurance that the privacy of covered information is 
protected.
    Parts V through IX of the proposed order are reporting and 
compliance provisions. Part V requires that Google retain all ``widely 
disseminated statements that describe the extent to which respondent 
maintains and protects the privacy and confidentiality of any covered 
information, along with all materials relied upon in making or 
disseminating such statements, for a period of three (3) years. Part V 
further requires Google to retain, for a period of six (6) months from 
the date received, all consumer complaints directed at Google, or 
forwarded to Google by a third party, that allege unauthorized 
collection, use, or disclosure of covered information and any responses 
to such complaints. Part V also requires Google to retain for a period 
of five (5) years from the date received, documents that contradict, 
qualify, or call into question its compliance with the proposed order. 
Finally, Part V requires that Google retain all materials relied upon 
to prepare the third-party assessments for a period of three (3) years 
after the date that each assessment is prepared.
    Part VI requires dissemination of the order now and in the future 
to principals, officers, directors, and managers, and to all current 
and future employees, agents, and representatives having supervisory 
responsibilities relating to the subject matter of the order. Part VII 
ensures notification to the FTC of changes in corporate status. Part 
VIII mandates that Google submit an initial compliance report to the 
FTC and make available to the FTC subsequent reports. Part IX is a 
provision ``sunsetting'' the order after twenty (20) years, with 
certain exceptions.
    The purpose of the analysis is to aid public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the proposed order or to modify its terms in any way.

    By direction of the Commission.
Donald S. Clark,
Secretary.

Concurring Statement of Commissioner J. Thomas Rosch

    I concur in accepting, subject to final approval, a consent 
agreement from Google Inc. (``Google) for public comment. However, it 
should be emphasized that this consent agreement is being accepted, 
subject to final approval. I have substantial reservations about Part 
II of the consent agreement. My concerns are threefold. Before I 
describe them, however, I want to make clear that I do not mean to 
defend Google. Google can--and should--speak for itself. However, I 
believe that, as a Commission, we must always be concerned that a 
consent agreement, like a litigated decree, is consistent with the 
public interest. For that reason, I am opposed to accepting consent 
agreements that may be contrary to the public interest because a party 
is willing to agree to terms that hurt other competitors as much or 
more than the terms will hurt that party. That may occur, for example, 
when a consent agreement is used as ``leverage in dealing with the 
practices of other competitors.'' Part II of the proposed consent order 
may be susceptible to this happening.
    More specifically, the crux of the violation alleged in the 
Complaint is that Google represented in its general ``Privacy Policy'' 
that ``When you sign up for a particular service that requires 
registration, we ask you to provide personal information. If we use 
this information in a manner different from the purpose for which it 
was collected, then we will ask for your consent prior to such use. 
However, when Google initiated its social networking service (``Google 
Buzz'') it used personal information previously collected for other 
purposes without asking for users' consent prior to this use. Part II 
of the proposed consent order prohibits Google, without prior ``express 
affirmative consent'' (an ``opt-in'' requirement) from engaging in any 
``new or additional sharing'' of previously collected personal 
information ``with any third party'' that results from ``any change, 
addition, or enhancement'' to any Google product or service. First, 
Google did not represent in its general ``Privacy Policy'' (or 
otherwise, according to the Complaint) that the ``consent'' it would 
seek would require consumers to ``opt in'' as required by Part II. 
Indeed, the Complaint does not allege that Google ever asked consumers 
to signify their ``consent'' by ``opting in'' (as opposed to ``opting 
out''). To be sure, insofar as Google did not seek ``consent'' at all, 
its representation in its general ``Privacy Policy'' was deceptive in 
violation of Section 5. But the ``opt in'' requirement in Part II is 
seemingly brand new. It does not echo what Google promised to do at the 
outset. In the separate Statement that I issued when the staff issued 
its preliminary Privacy Report, I expressed concern about whether an 
``opt in'' requirement in these circumstances might sometimes be 
contrary to the public interest. Then, as now, I was concerned that it 
might be used as leverage in consent negotiations with other 
competitors.
    Second, Part II of the proposed consent order applies whenever 
Google engages in any ``new or additional sharing'' of previously 
collected personal information ``with any third party'' for the next 
twenty years, not just any ``material'' new or additional sharing of 
that information. Because internet business models (and technology) 
change so rapidly, Google (and its competitors) are bound to engage in 
``new or additional'' sharing of previously collected information with 
third parties during that period. That means that Part II is certain to 
apply (and with some frequency) during that period as long as Google 
does not warn users or consumers in its ``general Privacy Policy'' that 
it may engage in such sharing in the future.
    Third, Part II applies not just to Google's social networking 
services or products, but to every single Google service or product 
that undergoes some ``change, addition, or enhancement'' (terms that 
are not defined in Part II) that results from the sharing of certain 
information. As a practical matter, this means that Google is at risk 
that Part II will apply across the board to every existing product or 
service that Google offers, including any product or service that 
involves the tracking and sharing of identified Google users' browsing 
behavior.
    In short, on the face of it, Part II seems to be contrary to 
Google's self-interest. I therefore ask myself if Google willingly

[[Page 18765]]

agreed to it, and if so, why it did so. Surely it did not do so simply 
to save itself litigation expense. But did it do so because it was 
being challenged by other government agencies and it wanted to ``get 
the Commission off its back''? Or did it do so in hopes that Part II 
would be used as leverage in future government challenges to the 
practices of its competitors? In my judgment, neither of the latter 
explanations is consistent with the public interest.
    Nor am I comforted that the purpose and effect of Part II may be to 
``fence in'' Google. I am aware of the teaching of Jacob Siegel Co. v. 
FTC, 327 U.S. 608 (1946) that a ``fencing in'' order may cover legal 
conduct as long as that conduct is ``reasonably related'' to the 
violation. Even if Part II may be considered to cover conduct that is 
``reasonably related'' to the violation here, any consent order, 
whether litigated or negotiated, must be consistent with the public 
interest. I look forward to public comment about whether Part II of the 
proposed consent order meets that requirement.

[FR Doc. 2011-7963 Filed 4-4-11; 8:45 am]
BILLING CODE 6750-01-P