International Trade Today is a service of Warren Communications News.
Rosch: Bad Precedent

FTC Votes 4-1 for $22.5 Million Google Privacy Settlement

FTC commissioners failed to reach unanimity in approving a settlement with Google for alleged privacy violations concerning its placement of cookies on Apple’s Safari browser, used on both its desktop and mobile devices. They voted 4-1 -- a rare occurrence at the agency -- to approve the $22.5 million settlement with Google, with Commissioner Thomas Rosch arguing in a dissent that the pact wasn’t in the “public interest” if Google continued to deny liability. Free-market advocates carpet-bombed the FTC’s Twitter feed in an agency Q-and-A, accusing it of barebones analysis in the settlement and discouraging companies from better explaining their privacy policies.

“The record-setting penalty in this matter sends a clear message to all companies under an FTC privacy order,” said FTC Chairman Jon Leibowitz. “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

The case concerns whether Google violated an earlier consent order with the FTC stemming from privacy gaffes in launching its Buzz social network. The FTC alleged that for “several months in 2011 and 2012,” Google placed an ad-tracking cookie on the Safari browsers of users who visited websites in Google’s DoubleClick network, “although Google had previously told these users they would automatically be opted out of such tracking, as a result of the default settings of the Safari browser,” the FTC said Thursday (http://xrl.us/bnj3pn). Safari by default blocks third-party cookies in most situations. That deceptive Google declaration to Safari users constituted a violation of the Buzz order, which barred Google from “misrepresenting the extent to which consumers can exercise control over the collection of their information,” the FTC said.

FTC Chief Technologist Ed Felten explained in a blog post (http://xrl.us/bnj3p7) that Google’s practice of placing opt-out cookies in browsers to keep track of a user’s preferences doesn’t work on Safari by default. Google got around this by using exceptions in Safari, Felten said: When Safari users visited a DoubleClick site, most likely by clicking on an ad, Safari treated the resulting cookie as first-party and thus allowed it, though such cookies wouldn’t be allowed for opted-out users on other browsers. The better-known maneuver used by Google was to tell Safari that users had submitted a form when they clicked on a “social advertising” button, to share an ad with their friends, even though “the ‘form’ was invisible and had neither content nor a Submit button, so the user could not actually submit it,” Felten said. After this cookie was in place, all DoubleClick cookies were allowed because Safari makes an exception for cookies already in place, he said: “To its credit, Google started destroying those cookies early, without waiting for the settlement to be finalized, so virtually all of the relevant cookies should be gone by now.”
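The cascade Felten describes can be replayed in a small model. The JavaScript below is an added illustration, not code from Safari, Google or the FTC; its three rules are simplified from his description, and the domains and cookie names (ads.example, news.example, seed, track) are constructed.

```javascript
// Simplified model of the cookie rules Felten describes; not Safari's actual code.
// Domains and cookie names are constructed for illustration.
class CookieJar {
  constructor() {
    this.cookies = new Map(); // domain -> [{ name, admittedBy }]
    this.log = [];            // every attempt, accepted or not
  }

  // Decide whether a cookie from `cookieDomain` is accepted while the user
  // is on `pageDomain`. `formSubmit` marks a response to a form submission.
  decide(cookieDomain, pageDomain, formSubmit = false) {
    if (cookieDomain === pageDomain) return "first-party";
    if (this.cookies.has(cookieDomain)) return "existing-cookie exception";
    if (formSubmit) return "form-submission exception";
    return null; // default: third-party cookie is blocked
  }

  set(name, cookieDomain, pageDomain, formSubmit = false) {
    const admittedBy = this.decide(cookieDomain, pageDomain, formSubmit);
    this.log.push({ name, cookieDomain, pageDomain, admittedBy });
    if (admittedBy === null) return false;
    if (!this.cookies.has(cookieDomain)) this.cookies.set(cookieDomain, []);
    this.cookies.get(cookieDomain).push({ name, admittedBy });
    return true;
  }

  // Audit view: third-party cookies that got in only through an exception.
  admittedByException() {
    return this.log.filter(e => e.admittedBy && e.admittedBy.endsWith("exception"));
  }
}

function replay() {
  const jar = new CookieJar();
  const results = [
    jar.set("track", "ads.example", "news.example"),       // blocked by default
    jar.set("seed", "ads.example", "news.example", true),  // form exception
    jar.set("track", "ads.example", "news.example"),       // existing-cookie exception
    jar.set("session", "shop.example", "shop.example"),    // ordinary first-party
  ];
  return { results, audit: jar.admittedByException() };
}

console.log(replay());
```

The audit list is the part a reviewer would care about: the same tracking cookie that was refused on the first attempt is accepted on the third, and the only thing that changed is the seed cookie admitted through the form exception.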

Under the new consent order, which awaits approval by the U.S. District Court in San Jose, Calif. (http://xrl.us/bnj3n9), Google denies that it violated the Buzz consent order. Until Feb. 15, 2014, Google will “maintain systems configured to instruct Safari-brand web browsers to expire any DoubleClick.net cookie placed by Defendant through February 15, 2012, if those systems encounter such a cookie, with the exception of the DoubleClick opt-out cookie,” the new consent order says. The company will file a report within 20 days of the period’s expiration “setting forth how it has complied with the Remediation requirement,” the order says.

“Condoning a denial of liability in circumstances such as these is unprecedented” for the FTC, and does not serve the public interest, Rosch said in his dissent (http://xrl.us/bnj3rv). Though there is legal precedent for the FTC being required to explain why it has approved a settlement where there’s denial of liability, the agency “merely asserts in its accompanying Reasons for Settlement” in the Safari case that it believes the settlement is “justified and well within the public interest,” he said. It’s all the more “inexplicable” because the FTC accused Google of violating a previous consent order, and thus “charges Google with contempt,” Rosch said.

Google’s stance might be justified given a hefty penalty, but $22.5 million “represents a de minimis amount of Google’s profit or revenues,” Rosch said: On top of the commission recently allowing Facebook to deny liability in its privacy settlement, “there is nothing to prevent future respondents with fewer resources than Google and with lower profiles than Google and Facebook from denying liability in the future too.” The commission should have pressed Google to accept “the more common ‘neither admits nor denies liability’ language,” which would shield Google from damning itself in similar privacy litigation, he said.

The other four commissioners “strongly disagree” with Rosch’s reasoning, they said (http://xrl.us/bnj3s6): “Here, as in all cases, a defendant’s denial of liability in a settlement agreement has no bearing” on the commission’s findings or proposed settlement. Rosch is wrong on legal precedent, they said, pointing to the FTC’s then-largest civil penalty against data broker ChoicePoint in 2006, for careless screening and information security procedures, which also included denied liability. The most important question is whether Google will follow this order, they said: The “swift imposition of a $22.5 million fine helps to promote such future compliance.” Given Google’s size “almost any penalty can be dismissed as insufficient,” but the figure is “hardly inconsequential” considering Google’s behavior didn’t yield “significant revenue” or continue for “a significant period of time.” The settlement provides “a strong message to Google and other companies under order that their actions will be under close scrutiny and that the Commission will respond to violations quickly and vigorously,” they said.

The co-chairmen of the Congressional Privacy Caucus commended the FTC. “When consumers say ‘No’ to tracking, companies should not try to surreptitiously circumvent this preference,” said Rep. Ed Markey, D-Mass. “Today’s announcement reinforces the need to vigorously monitor the promises technology companies make about protecting consumers’ privacy.” Rep. Joe Barton, R-Texas, agreed. “Google was wrong to circumvent the anti-tracking program in the Safari system,” he said. “Google compounded their culpability by misleading the FTC and the public about their actions.”

Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., in an email, also lauded the FTC’s action against Google and urged Congress to pass “common sense” privacy legislation. “It is imperative that the FTC continues to make sure that individual companies abide by the promises they make about consumers’ privacy,” he said. “Without strong enforcement actions, companies have shown a preference for profits over consumer protection.”

Google said the basis of the FTC allegations was “a 2009 help center page published more than two years before our consent decree” concerning Buzz “and a year before Apple changed its cookie-handling policy.” The company has “now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers,” it said by email.

The size of the fine “is a distraction from the real story: The FTC holds Google liable for a statement in a help page that was true when made and became untrue only because Apple quietly changed how its Safari browser handles cookies,” said TechFreedom President Berin Szoka and International Center for Law & Economics Executive Director Geoffrey Manne in a joint statement (http://xrl.us/bnj33p). Holding companies responsible “for monitoring everything their rivals do that might affect their own past privacy statements will only discourage them from explaining their privacy practices in the first place,” they said: “This is sadly ironic, as policymakers have spent years bemoaning the inadequacy of privacy policies and demanding companies do more to educate consumers.” With Google, Facebook, Twitter and MySpace all under 20-year consent decrees for privacy kerfuffles, each “now risks incurring unpredictable fines and enormous reputational costs for conduct the FTC likely couldn’t punish under its general Section 5 powers,” prove liability or justify the fine’s size, Szoka and Manne said. “Such arbitrary regulation-by-settlement undermines the rule of law and harms consumers by deterring privacy disclosures.”

“It’s high time that Congress reins in the FTC’s authority to pursue outrageous penalties for inconsequential misrepresentations,” said Ben Sperry, Competitive Enterprise Institute legal fellow. The agency should be required to show that an alleged violation “caused concrete harm to the public” and that the company “did not take reasonable steps” to comply with an order, he said. “This escapade also belies the FTC’s claims that it lacks the resources to police misconduct on the Web,” said CEI’s Ryan Radia, associate director of its Center for Technology & Innovation. “All the time and money the agency devoted to this six-month investigation could’ve gone toward apprehending the real bad guys,” instead of implying to Web companies that “they shouldn’t give users any tips or advice that isn’t ‘lawyer-approved.’”

The FTC finally took the Center for Democracy & Technology’s advice to “use the full weight of its enforcement authority to protect privacy and the agency has absolutely stepped up to that challenge,” said CDT Director of Consumer Privacy Justin Brookman. President Leslie Harris said it was “telling” the agency alleged Google violated an industry code of conduct, by telling Safari users it was a member of the Network Advertising Initiative and followed its code. “This settlement sends an unambiguous message to companies that the FTC is ready and willing to aggressively monitor and enforce such codes,” she said.

An FTC-convened Twitter chat following the announcement quickly turned into a barrage of pointed questions by Szoka and Manne against the commission. “How can message sent my [sic] today’s ruling be ‘clear’ when there’s no admission of liability or explanation of violation or fine?” Szoka asked. “And would you care to explain where the $22.5M fine came from? Not explained. Seems like just a desire to set a new Olympic record!” he said in another tweet. “Rosch is right: No explanation of public interest. How does this help guide future conduct in any way?” Manne said. Asked whether the order showed “ambiguity,” FTC Enforcement Division staffers Megan Gray and Megan Bartley responded: “What’s impt is actions not words; $22.5M is loud.” Szoka tweeted about that: “I can scarcely remember a more brazen defense of failing to explain such an important action’s lack of legal basis.” Szoka and Brookman sparred with each other sporadically in the chat on technical matters such as whether the FTC’s “deception doctrine” requires “materiality” and whether help pages fit under that rubric.

Responding to questions about the fine’s size, the FTC staffers said: “Google needs to know what privacy promises it makes, and make sure they are always accurate.” It told another questioner: “We want web industry to abide by the promises it makes to consumers.” Asked by Christopher Soghoian, a former part-time technical consultant in the commission’s Division of Privacy and Identity Protection, whether the fine was a signal to “all companies that lie to their users” or just those under a consent decree, Gray and Bartley said: “Both ... the FTC will not condone privacy misreps.” The entire Twitter chat, marked by the hashtag #FTCPriv, is available at http://bit.ly/TkyIAa.