Google pledged to implement a comprehensive privacy program Wednesday after the Federal Trade Commission alleged that the company misled customers during the rollout of the Buzz social network last year.
“When companies make privacy pledges, they need to honor them,” said Federal Trade Commission Chairman Jon Leibowitz. “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations."
The settlement marks the first time the FTC has required a firm to implement such a program, which must remain in place for 20 years.
According to the FTC, on the day Buzz launched through Google Gmail accounts, users were given the option to join the new social network or continue to their inbox. The FTC alleges users who declined to join were still enrolled in aspects of Buzz and said the privacy controls were confusing and hard to find.
Buzz also attracted controversy for automatically adding the email addresses contacted most frequently by users to their contact list and making it public, prompting thousands of complaints about privacy and inquiries from lawmakers.
"Google was just plain wrong when it opted people into Buzz without their consent," said Senate Commerce chairman Jay Rockefeller (D-W.Va.) in a statement.
"This should be a wake-up call for online businesses — both large and small — of the need to be clear and honest about how the personal information of consumers is collected and used.”
The FTC complaint charges that Google failed to adequately disclose the feature. Going forward, Google will have to obtain users' consent whenever it changes how one of its products uses their data. FTC Consumer Protection Bureau deputy director Jessica Rich said those practices are a good idea for all tech firms.
Google's director of privacy, Alma Whitten, was contrite in a blog post published Wednesday morning.
"The launch of Google Buzz fell short of our usual standards for transparency and user control — letting our users and Google down," Whitten said, adding that the FTC "unsurprisingly wanted more detail about what went wrong and how we could prevent it from happening again."
The settlement bars Google from misrepresenting its privacy practices or how it handles user information. It requires Google to obtain users' consent before changing how they share information with third parties and to hire an outside auditor to conduct an independent review of its privacy procedures every two years.
"We’d like to apologize again for the mistakes we made with Buzz," Whitten said. "While today’s announcement thankfully put this incident behind us, we are 100 percent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward."
Rich said the terms of the agreement would cover the type of conduct involved in Google's "WiSpy" privacy breach, where Street View cars downloaded consumers' private data from wireless networks without their consent.
"This could have made a big difference in the WiFi situation," Rich said, explaining that the agreement will require Google to document how it is protecting consumers' privacy across all of its products for the next 20 years.
The settlement does not include any admission of wrongdoing by the search giant. The agreement is open to comment for 30 days, after which it will go before the FTC for a final vote. If accepted, every violation of the agreement's terms by Google would result in a fine of up to $16,000.
—This story was updated at 9:41 p.m.