The FTC today announced it has reached a settlement with Google concerning privacy complaints about how the company launched its Buzz social networking service last year. The consent decree runs for a standard twenty-year term and provides that Google shall (i) follow certain privacy procedures in developing products involving user information, subject to regular auditing by an independent third party, and (ii) obtain opt-in consent before sharing certain personal information. Here’s my initial media comment on this:
For years, many privacy advocates have insisted that only stringent new regulations can protect consumer privacy online. But today’s settlement should remind us that the FTC already has sweeping powers to punish unfair or deceptive trade practices. The FTC can, and should, use its existing enforcement powers to build a common law of privacy focused on real problems, rather than phantom concerns. Such an evolving body of law is much more likely to keep up with technological change than legislation or prophylactic regulation would be, and is less likely to fall prey to regulatory capture by incumbents.
I’ve written in the past about how the FTC can develop such a common law. If the agency needs more resources to play this role effectively, that is what we should be talking about before we rush to the assumption that new regulation is necessary. Anyway, a few points about Part III of the consent decree, regarding the procedures the company has to follow:
- The company has to assess privacy risks raised by new products as well as existing products, much like data security assessments currently work. The company would have to assess, document and address privacy risks—and then subject those records to inspection by the independent auditor, who would determine whether the company has adequately studied and dealt with privacy risks.
- Google is agreeing to implement a version of Privacy by Design, in that the company will do even more to bake privacy features into its offerings.
- This is intended to avoid instances where the company makes a privacy blunder because it lacked adequate internal processes to thoroughly vet new offerings or simply to avoid innocent mistakes—as with the its inadvertent collection of content sent over unsecured Wi-Fi hotspots because the engineer designing its Wi-Fi mapping program mistakenly left that code in the system, even though it wasn’t necessary for what Google was doing. I wrote more on that here.
As to Part II of the consent decree, express affirmative consent for changes in the sharing of “identified information”: It’s well-worth reading Commissioner Rosch’s concurring statement. I have my differences with him on some issues (like his sometimes overly zealous approach to antitrust), but I’ve found him to be a welcome voice of skepticism on the Commission. Here, he retiterates his concerns in his earlier concurring statement on the FTC’s Preliminary Staff Privacy Report that an opt-in, if mandated by law, might reduce competition. I appreciate his sensitivity to the danger of regulatory capture; regulators should be asking these questions a lot more than they do! But in this particular case, I’m not sure the opt-in for changes in sharing practices would really advantage Google over its rivals, as the Commissioner fears.
An opt-in for changes in sharing practices would seem to be most difficult for incumbents like Google who have large installed user bases for products like Gmail that they try to adapt with add-ons like Buzz. These changes often require changes in what data is shared and how in order to roll out new tools that meet demands from users with evolving privacy expectations. Getting “express affirmative consent” will really slow down user adoption and prevent many of these new tools from reaching critical mass. Google Buzz has clearly failed to meet the hopes of those who thought it would be a Twitter-killer, illustrating just how hard it can be for even a giant like Google to make a new product succeed. By contrast, such an opt-in isn’t a problem for a new company that enters a space with a wholly new model of dealing with user data, like Twitter or even Facebook before it. Wouldn’t such companies thus have an advantage over Google, even if they all operated under the same opt-in rule regarding sharing changes? I’m sure there’s more to the story here, but I’d be careful about leaping to assumptions that there’s a dark cloud to this silver lining—as so many in the privacy advocacy community are prone to do.