Google Buzz FTC Settlement: 3 SaaS Privacy Takeaways

LinkedIn
X
WhatsApp
Facebook
Email
Print

Google Buzz FTC settlement and default privacy settings, Aber Law Firm

Short answer: the Google Buzz FTC settlement taught SaaS vendors three lessons: set new “connect people” features to off by default, never use data for a purpose beyond what your policy disclosed, and put one person in charge of privacy. A single default setting can trigger FTC action.

Google settled with the Federal Trade Commission over its rollout of Google Buzz and the privacy problems that came with it. The order required a comprehensive privacy program and 20 years of independent audits, a first for the FTC at the time. Here are a few SaaS privacy tips for software vendors that came straight out of that mess.

1. It Is All About Default Privacy Settings.

If you add a feature that connects customers, people, or partners who gave you information under your privacy policy, stop and think about whether it should be on or off by default. I generally think these features should be off initially. Turn it off, then educate customers on why they might want to switch it on, and let it be their choice. Google did the opposite: Buzz opened up Gmail contacts by default, and that single decision caused the whole problem.

2. What Google Learned About Its Own Privacy Policy.

Most privacy policies promise that information will not be used for a purpose other than the one for which it was collected. In plain terms: if a customer hands you registration data, you use it for registration, not to power some new social feature, without getting further consent. Read your own policy carefully and make sure you understand what it commits you to, before the FTC reads it for you. This is the purpose-limitation principle that now runs through the modern state privacy laws too, and it is also why a plain-English privacy policy you actually follow beats a long one you do not.

3. Appoint Someone to Own Privacy.

The Buzz blunder happened partly because Google’s left hand did not know what its right hand was doing; the in-house privacy lawyers were not looped in on the rollout details. You do not get that excuse as a smaller company. Even without an in-house attorney, name someone to own privacy compliance, maybe someone in product or marketing, so a launch never goes out without a privacy gut-check.

The throughline is simple: a quiet change to a default setting can become an FTC enforcement action under the agency’s Section 5 authority over unfair or deceptive practices. The way you avoid it is to design for privacy up front rather than react after launch.

Frequently Asked Questions.

Why does a default setting matter so much? Because the FTC treats a privacy choice that is on by default, hard to find, or hard to reverse as deceptive. Buzz turned sharing on automatically, and that was the core of the complaint.

Can the FTC act even if I never sold or leaked data? Yes. The claim was about misleading users and violating Google’s own stated privacy promises, not a data breach. Saying one thing and doing another is enough.

Do small SaaS vendors really need a privacy owner? Yes. It does not need to be a lawyer, just one accountable person who reviews any feature that touches personal data before launch.

For the proactive framework regulators want SaaS vendors to bake into product design from day one, see Privacy by Design: A Framework for SaaS and Software Vendors. It pairs naturally with the app-developer privacy guidance in A Brief Outline of Privacy Issues for App Developers.

Resources:

Disclaimer:

This post is for informational and educational purposes only, and is not legal advice. You should hire an attorney if you need legal advice, which should be provided only after review of all relevant facts and applicable law.


Discover more from Aber Law Firm

Subscribe to get the latest posts sent to your email.

Free initial Consultaion

Get started with a free initial consultation—fill out the form below to connect with our experts today!