Google Buzz settlement would give Google new privacy rules

When Google launched Google Buzz last year in a bid to challenge Facebook and Twitter, it drew an angry backlash from consumers and privacy advocates who complained that the company had disclosed potentially sensitive personal information about users without their knowledge. That misstep, which Google quickly corrected, has now turned into a step forward for consumer privacy. The Federal Trade Commission announced Wednesday that it had reached an agreement with Google that establishes two important new principles about what companies must do before disclosing their customers’ personal details.

Buzz is an add-on to Google’s popular email service, Gmail, that combines Twitter-style micro-blogging with some of Facebook’s social networking features. Gmail users who sign up for Buzz can follow the updates posted by the people with whom they regularly exchange emails, or, when they’re on the road, check out posts from Buzz users (known or unknown) nearby.

The pros and cons of Buzz were quickly obscured by the outcry over how Google introduced it. Hoping to jump-start the new service, Google automatically set users up to follow the people they frequently emailed or chatted with online, and then included that information in their public profile so that other Buzz users could read and mimic their lists. Suddenly, a Gmail user’s frequent but secret contact with a mistress, a lawyer or a headhunter wasn’t so secret.

Google backpedaled twice within a week of starting Buzz, changing the service’s default settings and giving users more control over how their information was shared. That was the right response, but the FTC’s action against Google went further. In the tentative settlement announced this week, a court order would compel the company to do more than just hew to its privacy policy.

First, the company would have to ask users’ permission before including them in any new or upgraded service that shares their information in unexpected ways — a much more protective standard than the common industry approach of notifying users of changes and inviting them to opt out. Second, Google would have to maintain a “comprehensive privacy program” to prevent unauthorized disclosures of users’ personal information and to vet new services to guard against privacy threats. In other words, it would require Google to make privacy a design principle, not an added feature.

Although the consent order doesn’t bind other companies, it helps define for the industry what the commission expects all companies to do regarding privacy. The message should not be lost on any company that decides to do something new with the information its users previously submitted. They may welcome the innovation, but it should be their choice to be part of it.