By Dan McPheeters
The consent decree at the heart of this issue was entered into to avert further legal action against Google for perceived flaws in its handling of user information gathered by the now-defunct Buzz application. The full text can be found here. At the outset, the agreement explicitly denies wrongdoing on the part of Google, though the FTC is careful to state (and to have Google agree) that it had “reason to believe that [Google had] violated the Federal Trade Commission Act.” This is jurisdictional language that basically prevents Google from challenging the consent decree or the investigation as a whole as beyond the FTC’s authority. Boilerplate, yes, but it gives a strong indication of the purpose of the agreement. Here, it appears that while Google had not crossed a line, or else had entered into a realm that was not “illegal,” they had come sufficiently close that the FTC decided that it needed to step in. Neither side wanted to engage in the bruising litigation that was sure to follow, and a compromise was struck that ensures Google’s actions are well within established legal limits, while giving the FTC a non-statutory remedy it may not otherwise have in the event they do not.
The content of the decree covers four primary areas: the communication of privacy policies to Google’s users; the implementation of on-going quality control measures to track and improve user privacy protections; third-party audits of the privacy policies and control measures; and record-keeping. The record-keeping provision is ministerial, and not relevant to the overall discussion here.
In communicating its privacy policies to users, Google is affirmatively prohibited from misrepresenting “in any manner” the scope of information gathered, Google’s compliance with a privacy regime “sponsored by the government or any other entity,” and the extent to which consumers can control the “collection, use, or disclosure” of information gathered by Google. These are basic anti-fraud provisions, but the “in any manner” language strives for maximum transparency while likely placing a “plain language” requirement on Google’s communications to and agreements with its users. This latter point is borne out in Section II, which imposes on Google the duty to communicate any changes to its information disclosure policy to users independent of any prior end user-type agreements. In short, any time Google adjusts its policy with respect to selling or utilizing information with third parties, the company must share those changes with users. Google must also await an affirmative “opt in” from its users prior to disclosing or sharing information under the new policy.
Google is also bound to create a comprehensive privacy program that addresses risks to consumers and protects the privacy of information gathered by the company in a way “appropriate to [Google’s] size and complexity.” To this end, the company is required to hire a third-party consultant, approved by the FTC’s Associate Director of Enforcement, to provide assessments of its privacy control and assessment systems. This consultant is required to provide biennial reports that explain and certify the systems and their compliance with this decree.
Understanding this agreement begins with acknowledging what it does NOT do; nowhere does this consent decree dictate a specific provision to Google’s privacy policies, absent the mandatory “opt in” item. Further, the bulk of the decree outlines a quality control and risk management system that Google is obliged to establish and that will be subjected to third-party review. The third-party review is critical; while the agreement allows Google to continue operating substantively as before, the assessments provided by the consultant will carry tremendous evidentiary weight. Because the consultant will be a “qualified, objective, independent third-party professional,” the FTC will get to apply a “reasonable person” test to Google’s controls by virtue of their ability to select the consultant who will render opinions, without subjecting the reports to a negative light in later litigation by reason of their being prepared by an agent of one of the parties to the dispute. This will likely force Google into relying on more conservative interpretations of and approaches to its privacy regime and restrain its expanding ability to gain access to users’ data, which were the primary goals of the FTC’s investigation in the first place.
In our next post, we will look at Google’s troubles in the EU, where it seems that claims of illegality have a stronger legal basis.