
Business practices at odds with promises in the company’s privacy policy. The failure to disclose adequately that the contacts with whom users emailed and chatted the most would become public by default. Confusing and hard-to-find controls to limit the sharing of personal info. False claims about adherence to the U.S.-EU Safe Harbor privacy framework.

Those were the allegations in the FTC’s complaint against Google. What changes will the agency’s proposed settlement bring about at the company?

Most notable about the consent order is that it’s the first time an FTC settlement has required a business to implement a comprehensive program to protect the privacy of consumers’ information.

Part I of the order makes it clear that Google can’t misrepresent the extent to which it maintains the privacy and confidentiality of “covered information” — a term defined to include info Google collects from or about a person, like their first and last name, physical address, email address or screen name, IP address, phone number, list of contacts, or any other data about them that’s combined with one of those pieces of information.

Under Part II of the order, before sharing a Google user’s information with a third party in a way that’s different from what the user was told when the info was collected and that results from any change to a Google product, Google has to get that person’s express affirmative consent. To give people the facts they need to make an informed choice, Google has to clearly and prominently disclose:

  1. that their information will be disclosed to a third party;
  2. who the information will be shared with; and
  3. why it’s being shared.

The order makes it clear that the disclosure has to be separate and apart from any end user license agreement, privacy policy, terms of use page, or similar document.

Part III requires Google to put a comprehensive privacy program in place immediately. The program has to address privacy risks related to the development and management of both new and existing products and services for consumers, and protect the privacy and confidentiality of covered information. Under the program, Google will implement privacy controls appropriate to its size and complexity, the nature of the company’s activities, and the sensitivity of the covered information. The scope of the program is broad and the order imposes detailed requirements.

Part IV requires Google to get initial and every-other-year assessments from a qualified, objective, independent third-party professional and report back to the FTC within six months and every two years for the next 20 years.

Of course, the settlement applies just to Google, but the practices spelled out in the order offer useful guidance to the industry. What messages should businesses take from the case?

Mean what you say and say what you mean. It should be an obvious point, but companies have to live up to their privacy promises. If you haven’t reviewed it lately, read your privacy policy. Now read it again through the eyes of your customers.

Bake it in. Thinking about introducing a new product or service? Consider privacy from the get-go. Attempting to mix in protections after preparations are underway can be a recipe for trouble.

Evaluate your privacy ecosystem. The comprehensive privacy program required by the order covers a broad range of Google’s business practices — from risk assessment and testing to training and monitoring of staff and service providers. Is it time to take a 360° look at your company’s privacy practices?
