Earlier this month, the U.S. Federal Trade Commission (the “FTC”) entered into a proposed Consent Order with Google that would settle the FTC’s unfair trade practice complaint against the company. The complaint focused on the messy introduction of Google’s “Buzz” product in 2010. The proposed Google Consent Order is especially notable because it marks the first time that the FTC has required a company to implement a comprehensive privacy program and the first time that the FTC has taken action based on the failure by a registrant under the E.U.-U.S. Safe Harbor (the “Safe Harbor”) Framework to follow the Safe Harbor’s principles. This memorandum also briefly addresses recent consent orders between the FTC and Twitter and Chitika (a major online advertiser). Taken together, these three consent orders illustrate how the FTC may implement some of the suggestions in its Privacy Report published late last year (a summary of which can be found here) in the absence of Congress finally passing comprehensive federal privacy legislation, and the importance of taking privacy and information security into account when designing products and services.
Google launched its “Buzz” social networking service in February 2010. Buzz was intended to be Google’s answer to Twitter, and was tacked on to Google’s e-mail service, Gmail. It appears that Google, in its desire to quickly grow Buzz, attempted to leverage existing Gmail users and their contact lists without much thought to privacy and the promises Google had made to Gmail users with respect to privacy. Google conscripted users of Gmail into Buzz, and automatically populated the list of a user’s “followers” on Buzz with the user’s Gmail contacts. As a result, Buzz potentially set users up to send updates to undesirables, e.g., abusive ex-husbands, who were still in the user’s contacts list. Also, the lists of followers were public, which resulted in the disclosure of confidential information, such as the clients of mental health professionals or attorneys. Various user preferences from Gmail were not carried over to Buzz, and even user opt-outs were not properly honored. The roll-out of Buzz caused a media firestorm at the time, resulted in thousands of consumer complaints and caused Google to make sweeping changes to the service almost immediately.
Under the Consent Order, Google must also implement a comprehensive privacy program to address privacy risks and protect the privacy and confidentiality of personal information in its possession. The program must be documented in writing and in a manner appropriate to Google’s size and complexity, the nature and scope of Google’s activities and the sensitivity of the personal information at issue. The program must also include the designation of responsible employees, employee training, identification of foreseeable risks, and provision for privacy in product design, development and research. The FTC required Google to submit to audits by independent, third-party professionals (at Google’s expense) every 2 years for 20 years to confirm compliance with the program.
The FTC dinged Twitter for failing to implement reasonable security measures, despite its promises to the contrary. Primarily, Twitter made it very easy for hackers to guess administrative passwords, and thereby access nonpublic personal information and hijack accounts.
Much like Google, but with a narrower scope, the FTC in its Consent Order with Twitter required it to implement a comprehensive information security program to identify foreseeable risks, implement reasonable safeguards and extend those safeguards to its subcontractors. As with Google, the Consent Order included an obligation to submit to third-party audits every 2 years for 20 years to confirm compliance.
Chitika is an online advertising company that provided Internet users a flawed mechanism to opt out of its tracking cookies. Although users were led to believe that their opt-out choice would be permanent, the poorly designed opt-out cookie actually stopped recording the user’s preference after only ten days.
In its Consent Order with Chitika, the FTC mandated that Chitika post a clear and prominent notice on its homepage and in its advertisements informing Internet users about its collection activities. If a user opts out, his or her preference must be honored by Chitika for at least 5 years, unless the user deletes his or her cookies or otherwise disables the mechanism. Lastly, the FTC punished Chitika by requiring it to destroy all user- or device-identifiable data collected prior to March 1, 2010. Per standard FTC practice, the Consent Order with Chitika lasts 20 years.
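The Chitika flaw is, at bottom, a cookie-lifetime defect: an opt-out cookie whose expiry is set too short silently lapses, after which the user is tracked again. The following Python script is an added illustration written for this memorandum; it is not Chitika’s code and nothing in the Consent Order specifies how the cookie was built. It assumes a hypothetical opt-out cookie named “optout”, a minimal browser-side cookie jar, and a constructed opt-out date of March 1, 2010, and contrasts a 10-day lifetime (the flaw described above) with the 5-year minimum the Consent Order requires, checking on each later date whether the preference is still honored.

```python
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie

# Hypothetical lifetimes (assumption): the 10-day value mirrors the defect
# described in the memorandum; the 5-year value mirrors the Consent Order minimum.
FLAWED_MAX_AGE = 10 * 24 * 3600
REQUIRED_MAX_AGE = 5 * 365 * 24 * 3600


def build_optout_cookie(max_age_seconds):
    """Build the Set-Cookie header an ad server would send when a user opts out.

    Max-Age is the attribute that decides how long the browser keeps the choice;
    Secure keeps it from being sent over plaintext HTTP.
    """
    cookie = SimpleCookie()
    cookie["optout"] = "1"                       # hypothetical cookie name
    cookie["optout"]["max-age"] = max_age_seconds
    cookie["optout"]["path"] = "/"
    cookie["optout"]["secure"] = True
    return cookie["optout"].OutputString()


def parse_max_age(set_cookie_header):
    """Read Max-Age (seconds) back out of a Set-Cookie header; None if absent."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_header)
    morsel = cookie["optout"]
    return int(morsel["max-age"]) if morsel["max-age"] else None


class CookieJar:
    """Minimal browser-side jar: keeps cookie values with absolute expiry times."""

    def __init__(self):
        self._cookies = {}

    def store(self, set_cookie_header, now):
        cookie = SimpleCookie()
        cookie.load(set_cookie_header)
        for name, morsel in cookie.items():
            max_age = int(morsel["max-age"]) if morsel["max-age"] else None
            expires = now + timedelta(seconds=max_age) if max_age is not None else None
            self._cookies[name] = (morsel.value, expires)

    def get(self, name, now):
        entry = self._cookies.get(name)
        if entry is None:
            return None
        value, expires = entry
        if expires is not None and now >= expires:
            del self._cookies[name]              # a browser evicts expired cookies
            return None
        return value


def should_track(jar, now):
    """Server-side decision: track only when no valid opt-out cookie is presented."""
    return jar.get("optout", now) != "1"


def opt_out_honored(max_age_seconds, days_later):
    """Opt out on a constructed date, then ask whether the choice still holds later."""
    t0 = datetime(2010, 3, 1, tzinfo=timezone.utc)  # constructed opt-out date
    jar = CookieJar()
    jar.store(build_optout_cookie(max_age_seconds), t0)
    return not should_track(jar, t0 + timedelta(days=days_later))


if __name__ == "__main__":
    for label, max_age in (("10-day cookie", FLAWED_MAX_AGE), ("5-year cookie", REQUIRED_MAX_AGE)):
        for days in (5, 30, 4 * 365, 5 * 365 + 1):
            print(f"{label}: after {days:>4} days, opt-out honored = {opt_out_honored(max_age, days)}")
```

The practical check for any organization operating an opt-out mechanism is the last function: set the cookie once, advance the clock past the lifetime you have promised users, and confirm the preference is still respected. A review of the Max-Age (or Expires) attribute in the Set-Cookie header, as parse_max_age does, catches the Chitika-style defect before deployment.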
While comprehensive federal privacy legislation slowly winds through Congress, it appears that the FTC has decided to aggressively prosecute companies that violate their own privacy policies or otherwise defeat consumers’ choices about the use and disclosure of their personal information.
We believe that there are several lessons to be learned by research organizations from these three consent orders:
The FTC continues to strictly enforce its longstanding rule that personal information collected under one set of promises can only be used for a modified purpose, or shared with different third parties, with an affirmative “opt-in” from the consumer.
The failure to implement basic security measures to protect personal information continues to be an unfair trade practice.
One of the major themes of the FTC’s recent Privacy Report, and one that is likely to be included in any comprehensive federal privacy legislation, is the requirement that organizations implement organization-wide privacy programs, such as the program described in the Google Consent Order. Research organizations should consider and document how personal information is currently collected, used, disclosed and safeguarded, and ensure that development teams creating new products and services consider privacy and information security concerns from the outset.