In the complaint and the accompanying memorandum, EPIC alleges that the manner in which Google changed its privacy practices violated the FTC Google Buzz consent order, and that the FTC has failed to take action to hold Google to the privacy commitments the company made in that settlement agreement.
EPIC has identified several core mandates of the Google Buzz consent order that it alleges Google has violated:
- Prohibition against misrepresenting the extent to which Google (1) maintains and protects the privacy and confidentiality of the information that the company collects about individuals, and (2) complies with privacy and security programs, such as the U.S.-EU Safe Harbor Framework;
- Requirement that any deviations from Google’s then current third party data sharing practices that result from a change or addition to a service must be subject to user notice and consent; and
- Requirement to implement a privacy program reasonably designed to protect the privacy and confidentiality of the information that Google collects about individuals.
EPIC alleges that Google has violated the Google Buzz consent order by:
- Misrepresenting the extent to which the company maintains and protects the privacy and confidentiality of user information. Specifically, EPIC alleges that Google’s announcement fails to disclose or adequately explain that user data will be consolidated for the purposes of benefiting advertisers through improved targeting of users. EPIC appears to allege that the alleged expansion of behavioral advertising activities should be subject to users’ express affirmative consent.
- Failing to obtain affirmative consent from users prior to sharing their information with third parties. Specifically, EPIC has alleged that changes in Google’s privacy practices will make it possible for advertisers to access personal information which was previously unavailable to them. Thus, according, to EPIC, Google will share new or additional information with third party advertisers without first obtaining express affirmative consent from Google users, in violation of the Google Buzz consent order.
- Misrepresenting the extent to which Google complies with the U.S.-EU Safe Harbor Framework. EPIC makes this allegation based on the assertion that European regulators have strongly questioned Google’s compliance with European data protection laws. It appears that EPIC implies that Google cannot be in compliance with the Safe Harbor if the company’s compliance with European data protection laws is being questioned by regulators.
- Failing to comply with the consent order’s requirement to maintain a comprehensive privacy program. Specifically, EPIC alleged that in the Google Buzz consent order the FTC required Google to maintain a privacy program in response to Google’s improper combining of user data from different company services. EPIC argues that Google’ present plans are inconsistent with the mandated comprehensive privacy program, which should have prevented precisely the type of data combination Google seeks to accomplish now.
To demonstrate the harm, EPIC uses Google email (Gmail) as an example, alleging that Gmail users will not be able to keep separate from other Google services the personal information they provided to Google for the sole purpose of using the email service. EPIC supports this allegation by quoting from Google’s official blog: “In short, we’ll treat you as a single user across all our products . . . .”
Google has responded to EPIC’s allegations through various news outlets. For example, WebproNews reports that, when asked to comment on EPIC’s complaint, Google has taken the position that the company:
- Is keeping users’ private information private;
- Is not changing how any personal information is shared outside of Google;
- Is continuing to offer choice and control over how people use Google services; and
- Has created a world-class privacy compliance program.
The reaction to Google’s announcement suggests that the society’s level of awareness of privacy issues continues to increase. The result of this awareness is the pressure on businesses to maintain fair and transparent privacy practices. This pressure can take various forms, such as “shaming” by the media and consumer advocates, hearings and negative statements by legislators, new guidance or enforcement by regulators, or, as is the case here, private efforts to compel the FTC to act.
Despite these developments, in-house data protection counsel continue to face challenges convincing their internal clients that privacy matters. More and more, however, they are able to point to the enforcement actions, negative publicity avalanches, and unwelcome attention from legislators and regulators to bring home the risks associated with mismanaging privacy. We are also noticing that business customers are compelling their service providers and business partners to ensure that the privacy practices relevant to the business relationship are appropriate.
Our law clerk, Michael Murray, assisted in the preparation of this post.