Data Security Law Journal Focusing on legal trends in data security, cloud computing, data privacy, and anything E

The FTC Fines Google $22.5 Million – Why Should Companies Care?

Posted in Data Privacy, FTC

Today, the Federal Trade Commission levied a $22.5 million penalty against Google, the largest civil penalty by the FTC against a single defendant.  Here is a copy of the Stipulated Order entered into between the FTC and Google.  The penalty stems from an FTC Complaint alleging that Google violated “privacy promises” it agreed to as part of a 2011 consent order it entered into with the FTC.

In 2011, the FTC sued Google after Google initially assured Gmail users it would not use their information for any purpose other than to provide email service.  The FTC claimed that Google did not honor that promise, so an order was entered requiring Google to adopt comprehensive privacy protections for consumers and providing for civil penalties if Google did not abide by the agreement.

Today’s settlement stems from an FTC allegation that Google subsequently misled consumers about the use of tracking cookies in Apple’s Safari Internet browser.  “Cookies” are small files stored on a computer that hold data specific to a particular user and website, so that when the user visits a certain website, that site delivers a page tailored to the user.  By placing a cookie on a person’s computer, an ad network can collect information about the person’s browsing habits and then use that information to display advertisements targeted to the person’s interests.  In this case, Google used the “DoubleClick Advertising Cookie” to collect information about users’ browsing activity.

Some people prefer to prevent cookies from monitoring the websites they visit.  Increasingly, companies are giving consumers ways to control such monitoring.  Apple’s Safari program generally blocks cookies in almost all situations.  One situation in which cookies are not blocked is when the user submits information in an online form on a website (for example, a Safari user who submits a mailing address via a form embedded in a page when buying something online).  In such a situation, Safari accepts the cookie and allows additional cookies from that same site.

What Happened Here?

In this case, the FTC alleged that Google violated the 2011 consent order by representing to consumers that it would not place tracking cookies or serve targeted ads based on those cookies, but then it delivered tracking cookies and targeted ads to some users.  Specifically, users would allow one cookie from Google’s advertising cookie service, which opened the door for all cookies from that advertising cookie service to be accepted.

Google informed users that if they wanted to opt out of its system where Google’s advertising cookies were automatically accepted, the users need not take any action due to Safari’s default cookie-blocking settings.  According to the FTC, however, Google sidestepped Safari’s default cookie-blocking settings by taking advantage of Safari’s narrow exception for forms.  Google “tricked” the user’s browser into believing that the user was submitting information through a form, allowing Google to place a temporary cookie on the user’s computer.  Once the temporary cookie was installed, the user’s computer would then accept all cookies that Google had originally said would be blocked, which the FTC alleged was a violation of the consumer privacy protections imposed by the 2011 consent order.

What Are The Takeaways For The Business Community?

There are a few takeaways from today’s settlement announcement.  First, if your company enters into an agreement with the FTC regarding future conduct, you should be careful to ensure you remain in compliance.  The FTC takes the violation of a consent order very seriously.  Second, be up front, open, and honest with consumers who use your product about the measures you are taking to protect their privacy and the procedures they should follow to change their privacy settings.  Finally, if you make promises to consumers about how their information will be accessed, maintained, or used, be sure to keep those promises.

As FTC Chairman Jon Leibowitz stated today, “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”  I would add that the negative publicity that could follow from FTC action such as this can be as harmful to a company as the monetary penalty itself.

DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.