The FTC Google Consent Order Isn’t Just Meant for Google

According to a recent tweet by FTC lead attorney Kathryn Ratte, all companies that handle consumer data should pay attention to the order, as it is intended to “serve as a guide to the industry.”

So, why should the industry pay close attention to the FTC-Google consent order?

Are there important lessons for companies trying to align their privacy programs with the best practices outlined in the order?

First, let’s recap the facts: the FTC filed a complaint against Google over the February 2010 launch of its Buzz social networking service.

Specifically, the FTC found that Google, contrary to its privacy promises, had used Gmail user data in its launch of the Buzz service without first obtaining the user’s consent.

The FTC alleged that these practices were deceptive or unfair under the FTC Act, and were also in violation of the Choice and Notice Principles of the EU-US Safe Harbor Framework.

To settle the allegations, the FTC and Google agreed to a proposed consent order last week.

Under its terms, Google will develop a comprehensive privacy program that is reasonably designed to address the privacy risks related to new and existing products and services for consumers, and the protection of covered information.

Google will need to give notice to users about its data collection and use practices, including secondary uses, and obtain express consent before sharing a consumer’s data with any third parties.

Reading through the Google consent order, I see a lot of similarities between the best practices outlined in the FTC Order and the principles of TrustArc’s Assurance and Certification Program Standards.

Transparency, accountability and choice.

To meet the best practices outlined in the order, businesses should consider the following.

Think Expansively about Covered Information

Covered information is the information that can be used to identify an individual. An expansive approach recognizes that discrete data elements can be used in combination to personally identify a consumer.

While on its own an IP address may seem harmless, when combined with other data such as name, physical address, phone numbers, purchase history, etc., it becomes personally identifiable information.

In the Google consent agreement and the FTC Staff’s Privacy Report we can see this is the stance the FTC is taking.

Get Comprehensive about Privacy

It’s more than your privacy policy. If you haven’t already, it’s time to get comprehensive and implement privacy processes around the collection and use of consumer data, especially if you are just venturing into areas like online behavioral advertising or social networking.

This was something TrustArc addressed recently in the updates to our program requirements.

Clients that engage in online behavioral advertising and social networking must now comply with requirements that address these specific business practices as part of our privacy seal certification program.

Give Consumers Notice and Choices

Google’s use of Gmail user data to launch Buzz was certainly the egregious act at the center of the FTC’s complaint.

It’s always best to get the user’s consent before using their data to launch related products or services.

In addition to being a good business and compliance practice, getting user consent beforehand shows you respect their data and abide by your privacy promises – creating trust and solidifying your relationship.

TrustArc program requirements mandate notice and choice for third party sharing, and just-in-time notice if data is shared for a third party’s secondary use.

Gain Consent for Material Changes

The inadvertent third party sharing that followed Google’s transformation of a user’s Gmail account into a Buzz social networking page was arguably the impetus behind the provisions in the consent order.

Under the terms of the FTC Google consent order, companies must provide notice to users about third-party data sharing practices.

Notice is required especially when these practices depart from the company’s stated practice, whether the departure results from a new product or service or from a change, addition, enhancement, or other material change to an existing one.

Trust was the thinking behind TrustArc’s procedures around material change: we require notice and user consent before material changes are implemented.

Third Party Review

The consent order requires oversight of compliance by an independent, qualified third party.

At TrustArc, we know the role of trusted third party well – having certified the online privacy practices for thousands of companies for well over two decades.

Our program requirements include specific provisions to help establish the controls and processes that make businesses accountable internally and externally for their privacy practices.

Kudos to the FTC and Google for recognizing the important role that trusted third parties can play in compliance!