The FTC-Google consent order isn’t just meant for Google; according to a recent tweet by FTC lead attorney Kathryn Ratte, all companies that handle consumer data should be paying attention to the order, as it is intended to “serve as a guide to industry.”
So, why should industry pay close attention to the FTC-Google Consent? And are there important lessons here for companies that are trying to align their privacy programs with the best practices outlined in the order?
First, let’s recap the facts: the FTC filed a complaint against Google over its Buzz social networking service, launched in February 2010 (I had my own thoughts about the Buzz launch, read them here). Specifically, the FTC found that Google – contrary to its privacy promises – had used Gmail user data in its launch of the Buzz service without first obtaining the user’s consent. The FTC alleged that these practices were deceptive or unfair under the FTC Act, and were also in violation of the Choice and Notice Principles of the EU-US Safe Harbor Framework.
To settle the allegations, the FTC and Google agreed to a proposed consent order last week; under its terms, Google will develop a comprehensive privacy program that is “reasonably designed” to address both “the privacy risks related to new and existing products and services for consumers” and the protection of “covered information.” Google will need to give notice to users about its data collection and use practices – including secondary uses – and obtain express consent before sharing a consumer’s data with any third parties.
Reading through the Google consent, I see a lot of similarities between the best practices outlined in the FTC Order and the principles of TRUSTe’s Privacy Program Requirements – transparency, accountability and choice.
1. Think Expansively about “Covered Information”
TRUSTe takes an expansive view of “covered information” i.e. the information that can be used to identify an individual, recognizing that discrete data elements – while lacking identifying characteristics on their own – can be used in combination to personally identify a consumer. This is consistent with the approach that the FTC appears to be taking – both in the consent agreement with Google and the FTC Staff’s Privacy Report.
2. Get Comprehensive about Privacy
It’s not just about your policy. If you haven’t already, it’s time to get comprehensive and implement privacy processes around the collection and use of consumer data – particularly if you are just venturing into areas like behavioral advertising or social networking online. This was something TRUSTe addressed recently in the updates to our program requirements; our clients that engage in online behavioral advertising and social networking must now comply with requirements that address these specific business practices as part of our privacy seal certification program.
3. Give Notice and Choices
Google’s use of Gmail user data to launch Buzz was certainly the egregious act at the center of the FTC’s complaint. In my experience it’s always best to get the user’s consent before using their data to launch related products or services. In addition to being a good business and compliance practice, getting a user’s consent beforehand shows users that you respect their data and abide by your privacy promises – which in turn will create trust and solidify your user relationship.
TRUSTe program requirements mandate notice and choice for third party sharing, and just-in-time notice if data is shared for a third party’s secondary use.
4. Gain Consent for Material Changes
The inadvertent third party sharing which followed Google’s transformation of a user’s Gmail account into a Buzz social networking page was arguably the impetus behind the provisions in the Google consent dealing with third party sharing. Under the terms of the FTC-Google consent, companies must provide notice to users about third-party data sharing practices – especially when these practices are a change from stated practice, and result from any “change, addition, or enhancement” to existing products and services (or under TRUSTe’s program, a “material change”).
Trust was the thinking behind TRUSTe’s procedures around material change; we require notice and user consent before material changes are implemented. Under TRUSTe’s program requirements, a material change is defined as a degradation in the rights and obligations associated with the collection, disclosure or use of personally identifiable data.
5. Third Party Review
Finally, I note the consent order requires oversight of compliance by an independent, “qualified” third party. At TRUSTe, we know the role of “trusted third party” well – having certified the online privacy practices for hundreds of companies for well over a decade. Our program requirements include specific provisions to help companies establish the controls and processes that make them accountable internally and externally for their privacy practices – data governance, dispute resolution, etc. Kudos to the FTC and Google for recognizing the important role that trusted third parties can play in compliance!