This is what the Google-FTC consent decree says about changing its sharing practices:
II.
IT IS FURTHER ORDERED that respondent, prior to any new or additional sharing by
respondent of the Google user’s identified information with any third party, that: 1) is a change
from stated sharing practices in effect at the time respondent collected such information, and 2)
results from any change, addition, or enhancement to a product or service by respondent, in or
affecting commerce, shall:
A. Separate and apart from any final “end user license agreement,” “privacy policy,”
“terms of use” page, or similar document, clearly and prominently disclose: (1)
that the Google user’s information will be disclosed to one or more third parties,
(2) the identity or specific categories of such third parties, and (3) the purpose(s)
for respondent’s sharing; and
B. Obtain express affirmative consent from the Google user to such sharing.
Here is the relevant definition:
“Third party” shall mean any individual or entity other than: (1) respondent; (2) a service
provider of respondent that: (i) uses or receives covered information collected by or on
behalf of respondent for and at the direction of the respondent and no other individual or
entity, (ii) does not disclose the data, or any individually identifiable information derived
from such data, to any individual or entity other than respondent, and (iii) does not use
the data for any other purpose; or (3) any entity that uses covered information only as
reasonably necessary: (i) to comply with applicable law, regulation, or legal process, (ii)
to enforce respondent’s terms of use, or (iii) to detect, prevent, or mitigate fraud or
security vulnerabilities.
Interestingly, the Facebook consent decree has similar, but less restrictive, language:
II.
IT IS FURTHER ORDERED that Respondent and its representatives, in connection
with any product or service, in or affecting commerce, prior to any sharing of a user’s
nonpublic user information by Respondent with any third party, which materially exceeds the
restrictions imposed by a user’s privacy setting(s), shall:
A. clearly and prominently disclose to the user, separate and apart from any “privacy
policy,” “data use policy,” “statement of rights and responsibilities” page, or other
similar document: (1) the categories of nonpublic user information that will be
disclosed to such third parties, (2) the identity or specific categories of such third
parties, and (3) that such sharing exceeds the restrictions imposed by the privacy
setting(s) in effect for the user; and
B. obtain the user’s affirmative express consent.
Nothing in Part II will (1) limit the applicability of Part I of this order; or (2) require Respondent
to obtain affirmative express consent for sharing of a user’s nonpublic user information initiated
by another user authorized to access such information, provided that such sharing does not
materially exceed the restrictions imposed by a user’s privacy setting(s). Respondent may seek
modification of this Part pursuant to 15 U.S.C. §45(b) and 16 C.F.R. 2.51(b) to address relevant
developments that affect compliance with this Part, including, but not limited to, technological
changes and changes in methods of obtaining affirmative express consent.