The consent agreement would require Google to “establish . . . a comprehensive privacy program that is reasonably designed to: (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of [certain consumer] information.” The elements of the privacy program will be familiar to readers of the recent FTC staff report on consumer privacy, particularly the section discussing the principle of “privacy by design.” The report recommended that businesses incorporate substantive privacy and security protections into their everyday practices and at all stages of the development of their products and services. Under the preliminary agreement, “privacy by design” will be mandatory for Google–for the next 20 years. As the FTC noted in its press release, “[t]his is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information.”
Although all five commissioners voted to accept the agreement–subject to final approval–Commissioner J. Thomas Rosch filed a concurrence, noting some reservations about a part of the agreement that would require Google to obtain “affirmative consent” form users for any change from “stated sharing practices in effect at the time [Google] collected [the user’s information].” Rosch notes that this requirement is potentially of unprecedented breadth. While it is well-settled FTC policy to require companies to obtain affirmative consent from users before using personal information in a materially different way than claimed when the information was collected, the requirement in the consent agreement contains no materiality threshold. Google would have to obtain affirmative (i.e., opt-in) consent for any“new or additional” sharing of personal information not disclosed when the information is collected. You can read the full text of Rosch’s statement here.
The agreement will be subject to public comment for 30 days, beginning today and continuing through May 1, 2011. At that point, the Commission will decide whether to make the proposed consent order final. Inside Privacy will keep a close eye on the comments that are filed and will report on key stakeholders’ reactions to this proposed settlement.