Updated 1pm PST
Google’s mandatory privacy compliance report to the Federal Trade Commission has been released under a Freedom on Information Act request and in it the search giant defends its forthcoming privacy policy changes.
Google says revisions to its privacy policy, due for release March 1, don’t include any new sharing of data beyond what was permitted under the policy now in place. Google has been repeating that message since January 24th when its new policy was announced.
The company was required to file the report with the FTC as part of a consent order handed down in October as part of a settlement with the agency over privacy violations related to the rollout of Google Buzz in 2010.
On Friday, Google took the step of publicly releasing the report itself - providing a copy to the Politico web site - even though the Electronic Privacy Information Center (EPIC) had filed a Freedom of Information Act request to get the document. The FTC confirmed that it has not processed the FOIA request. In addition, sources also confirmed that Google did not request the report be sealed when it was submitted to the FTC.
The compliance report was made public under a FOIA request submitted by the Electronic Privacy Information Center (EPIC). EPIC filed the FOIA request on Feb. 1 and asked for an expedited delivery given the impending March 1 rollout of Google’s privacy policy changes.
In a statement on its website, EPIC charges that Google failed to answer many of the questions as required by the consent order, and “most significantly, the company did not explain to the Commission the impact on user privacy of the proposed changes that will take place on March 1.”
EPIC recently has been raising privacy concerns about Google (and Facebook) and last week filed a lawsuit against the FTC to compel it to enforce the Google consent order. The next day, a federal court granted EPIC’s request to expedite the FTC’s response to EPIC’s concerns. The response is due Feb. 17.
The case has the potential to impact Google’s rollout of its new privacy policy.
The consent order gave Google 90-days to file “a true and accurate report, in writing, setting forth in detail the manner and form in which respondent has complied with this order.” In the report, Google addresses its newest policy plan revision and details the consolidation of its privacy policies down to one.
“No new or additional third-party sharing is permitted under this revised policy beyond that which would have been permitted under the prior policy.” The report went on to say that the resulting effort to inform users of the change is the “largest user-facing notification effort Google has ever undertaken, for any reason.”
The company outlines its self-proclaimed “aggressive notification process” for getting the word out to Google’s users.
It also details privacy programs the company has undertaken, from high-level awareness classes to more targeted programs, including “Innovation in Privacy” training to help technical employees design products with privacy in mind.
The report is the first the company has filed with the FTC. Another is due in May that must be conducted by an independent third-party assessor. Google has selected PriceWaterhouse Coopers to perform that assessment pending approval by the FTC.
After the May report, Google must file an assessment and report every two years until 2031.
