Today, the Federal Trade Commission announced that it has accepted, subject to final approval, a consent agreement from Google that would resolve the Commission’s allegations that Google engaged in deceptive trade practices when it launched its “Buzz” social networking service in February 2010. The FTC’s complaint alleges, among other things, that the launch violated Google’s privacy policy in effect at the time, which promised users that Google would not use personal information “in a manner different than the purpose for which it was collected [without] your consent prior to such use.” The complaint alleges that notwithstanding this promise, Google used information it had collected from users who signed up for Gmail to establish Buzz. Moreover, the Commission alleges that Gmail users were in many instances automatically set up with Buzz “followers” and were also automatically set up to “follow” other users. Because these connections to other users were based on the number of emails exchanged between users, the connections–which were public by default–indirectly revealed information about users’ correspondence on Gmail. The Commission alleges that Google failed to adequately disclose that this information would be made public, and, in light of representations that users could control access to this information, Google’s failure was a deceptive act or practice.

The consent agreement would require Google to “establish . . . a comprehensive privacy program that is reasonably designed to: (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of [certain consumer] information.” The elements of the privacy program will be familiar to readers of the recent FTC staff report on consumer privacy, particularly the section discussing the principle of “privacy by design.” The report recommended that businesses incorporate substantive privacy and security protections into their everyday practices and at all stages of the development of their products and services. Under the preliminary agreement, “privacy by design” will be mandatory for Google–for the next 20 years. As the FTC noted in its press release, “[t]his is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information.”

Although all five commissioners voted to accept the agreement–subject to final approval–Commissioner J. Thomas Rosch filed a concurrence, noting some reservations about a part of the agreement that would require Google to obtain “affirmative consent” from users for any change from “stated sharing practices in effect at the time [Google] collected [the user’s information].” Rosch notes that this requirement is potentially of unprecedented breadth. While it is well-settled FTC policy to require companies to obtain affirmative consent from users before using personal information in a materially different way than claimed when the information was collected, the requirement in the consent agreement contains no materiality threshold. Google would have to obtain affirmative (i.e., opt-in) consent for any “new or additional” sharing of personal information not disclosed when the information is collected. You can read the full text of Rosch’s statement here.

The agreement will be subject to public comment for 30 days, beginning today and continuing through May 1, 2011. At that point, the Commission will decide whether to make the proposed consent order final. Inside Privacy will keep a close eye on the comments that are filed and will report on key stakeholders’ reactions to this proposed settlement.