The Federal Trade Commission's action this week against Google and its Google Buzz social-networking initiative is largely a reminder that the FTC will crack down on companies that violate their own privacy policies. But the commission went an important step further: the consent order it tentatively adopted says that if Google changes its products or services, it must obtain its customers' permission first before disclosing personal information to third parties in ways not previously contemplated.
Such an "opt in" requirement is much tougher than ordering Google to notify users of changes and give them the chance to opt out. Many privacy advocates prefer the opt-in approach because it's more likely to cause people to consider the implications of a service before signing up for it. In other words, personal information is kept private unless the user chooses to allow its disclosure. With opt out, information is disclosable by default, and users have to take steps to stop that from happening.
But there's a flip side to opt in, as communications lawyer and Technology Liberation Front blogger Berin Szoka points out. The requirement makes it harder for established Web companies to alter their services in order to enter new markets. In this instance, Google tried to shift Gmail users automatically into a new social networking service that aimed to compete with Facebook. But with an opt-in requirement, Google can't take that kind of shortcut -- it has to ask people explicitly for permission to share their information with others in a new way. That's a potentially insurmountable hurdle for a service such as Buzz, where the utility isn't immediately apparent.
Of course, Buzz had problems long before the FTC weighed in. Blowback from the public and privacy advocates led Google to quickly give Gmail users far more control over how much of their personal information Buzz released. But the FTC's action is likely to affect companies far beyond Google. That's because settlements and consent decrees it strikes are often viewed as setting the ground rules for everyone in the field.
As Szoka notes, upstarts don't have to worry about the opt-in rule because they're starting from scratch with their privacy policies. And maybe the next great competitor to such Web giants as Facebook and Google will be a disruptive newcomer, not a member of the tech establishment. Still, it's easier for a company that already has a huge following (and economies of scale) to challenge a company that operates at the scale of a Facebook.
That's not to say the opt-in standard is the wrong one. People should be able to choose how sensitive personal information is shared before it's shared. I just think Szoka is right that it's worth considering the trade-off.
-- Jon Healey