With Google settlement, U.S. gets tough on privacy protection

With social networking emerging as the most potent force on the Internet, federal regulators are moving to limit how companies can exploit personal information.

Google Inc. just became Exhibit A.

In a settlement hailed as the first of its kind, the Federal Trade Commission said Google had agreed to strict new measures to protect the privacy of its users. Moreover, the company agreed to submit to independent audits for the next 20 years to ensure that it is following the rules.

The agreement settles claims that Google used deceptive tactics in recruiting its Gmail customers last year for its Buzz social network, a competitor to Facebook. In signing up for Buzz, many Gmail users unwittingly agreed to make public a list of the people with whom they emailed most frequently.

FTC officials said it was the first time the government had required a company to put in place a sweeping privacy policy to protect consumer data.

“When companies make privacy pledges, they need to honor them,” FTC Chairman Jon Leibowitz said in announcing the terms Wednesday. “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.”


Privacy advocates said the action has far-reaching implications beyond Google, as Internet search and social network ventures rely heavily on the mining of user information to sell advertising.

Facebook, for example, sells targeted advertising to its users based on their stated preferences in movies and music. Google computers scan the contents of Gmail messages, looking for key words such as “camping,” say, to hit users with ads for camping gear. In both cases, the companies explain those features in their privacy notices.

“This will limit the data mining of social media companies that try to do it without a clear-cut explanation of what they’re doing,” said Joseph Turow, a professor at University of Pennsylvania’s Annenberg School for Communication. “The FTC is trying to stake out territory to say that when a company says it’s doing something to keep data private, it better do it.”

Even so, privacy experts said the FTC’s recent actions were evidence of a greater industrywide problem. The absence of strong federal privacy laws has allowed many technology companies to freely gather a great deal of information about consumers without their explicit permission — and without federal oversight.

The agreement came as Google once again launched into the social networking arena Wednesday with a tool, called +1, that lets users tag search results and advertisements so they can recommend them to friends.

The feature, aimed at competing with Facebook and getting a bigger foothold in social networking, connects to the same list of personal contacts that Buzz did. The idea is that users will trust Web page recommendations from friends over those from the computerized search engine.

Several of Google’s best-known products have attracted intense scrutiny and even penalties in the U.S. and abroad.

Google was fined 100,000 euros — about $141,300 — by the French government last week for improperly gathering private data for its Street View feature, which allows users of Google’s maps to view street-level photos of hundreds of thousands of homes and locations around the world.

Last year, officials discovered that the camera-equipped cars Google uses to gather the photos also had been collecting data from private Wi-Fi networks — in some cases passwords, personal emails and Web browsing histories.

Google has said it didn’t realize that it had been gathering that data and said it would erase the information as soon as possible.

The company also has come under pressure recently over whether its search engine unnecessarily shares data about users’ searches with commercial websites, as well as whether software on its Android smartphones too easily shares data about users’ geographic locations with advertisers.

Google’s settlement with the FTC emphasizes the government’s stepped-up scrutiny of privacy issues.

The FTC said this month that it settled with short-message site Twitter Inc. for “serious lapses” in which the company “deceived consumers and put their privacy at risk” by failing to adequately protect their information.

Twitter admitted the episode was a “very serious breach of security” and agreed to create a comprehensive information security plan, as well as to allow the FTC to audit the company every other year for 10 years.

Facebook and Apple Inc. each have come under scrutiny from lawmakers over concerns that they were sharing user information with third parties. Sen. John F. Kerry (D-Mass.), who is drafting a broad privacy bill, said the Google settlement showed the need for tough new laws.

“Google has admitted error, but Google is far from alone in the collection, use and distribution of immense amounts of our information,” Kerry said. “Every company should adhere to this kind of standard, not just Google.”

Google has admitted that Buzz was beset with problems.

“The launch of Google Buzz fell short of our usual standards for transparency and user control — letting our users and Google down,” Alma Whitten, its director of privacy, product and engineering, wrote in a blog post Wednesday.

The settlement “thankfully put this incident behind us,” she said.

Under the terms, Google will be required to give users “clear and prominent notice” and obtain “express affirmative consent” before sharing the users’ information with any third party “in connection with a change, addition or enhancement to any product or service.”

The independent review every two years for two decades will certify that Google’s privacy policy adheres to standards set in the settlement. Google faces civil penalties of up to $16,000 for each violation.

“It’s a broad reaching order, applicable to all their products,” said Jessica Rich, deputy director of the FTC’s Bureau of Consumer Protection.

She noted that the FTC dismissed a complaint against Google for its Street View data collection last year because there was no violation of law. If a similar incident comes up now, it could violate the settlement and allow the FTC to take action, she said.

The Google case arose from a complaint filed last year with the FTC by the Electronic Privacy Information Center.

“The message to companies is they’re going to have to be more careful about the collection and use of information from users,” said Marc Rotenberg, EPIC’s executive director.