Google has agreed to pay $22.5 million to settle allegations that it violated its privacy promises by bypassing the privacy settings of users of Apple’s Safari Internet browser in order to track them, the Federal Trade Commission said on Thursday.
“The record-setting penalty in this matter sends a clear message to all companies under an FTC privacy order,” commission Chairman Jon Leibowitz said in a statement. “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”
The FTC said that Google’s actions violated a consent decree that the Internet giant reached last year over the rollout of its now-defunct social-networking service, Buzz. Despite this, Google did not have to admit to any wrongdoing as part of Thursday’s settlement.
The penalty, which has reportedly been in the works for weeks, is the biggest fine the FTC has ever levied on a corporation for violating the terms of a previous settlement. While the fine is a drop in the bucket for a company that had nearly $45 billion cash in the bank at the end of 2011, FTC officials said Google could be subject to greater fines if the company commits additional violations.
“We have Google under order for another 19 years, and I think this civil penalty order sends [a message] to Google that the FTC isn’t kidding around,” FTC Consumer Protection Bureau Director David Vladeck said during a conference call with reporters. “If there are further violations, the FTC will insist on increasingly higher penalties.”
Last year, Google agreed to undergo an independent audit every two years for two decades as part of a settlement over allegations that it violated its privacy policies by automatically signing up Gmail users for Google Buzz.
The FTC alleged in its latest complaint that despite its promises to the contrary, Google between 2011 and 2012 placed electronic cookies on the devices of Apple’s Safari browser users to track those users for advertising purposes. In many cases, Google bypassed the default setting on Safari’s browser that blocked such cookies, the agency said.
Google has apparently removed the cookies from most of the affected consumer devices and will have until 2014 to finish the job, according to James Kohm, the FTC’s assistant director of enforcement.
The Internet giant has said it did not intentionally seek to violate Safari users privacy. “We set the highest standards of privacy and security for our users,” a Google spokesman said. “The FTC is focused on a 2009 help center page published more than two years before our consent decree, and a year before Apple changed its cookie-handling policy. We have now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.”
Kohm said it doesn’t matter whether Google knew it was violating the terms of its 2011 settlement or not. Vladeck added that he finds it troubling that Google says it didn’t know, saying a company that handles sensitive information about millions of people needs to do a better job of protecting that data.
“I don’t know what’s worse, ‘I didn’t know’’ or ‘I didn’t do it deliberately,’ ” Vladeck said, adding that when a company says it wasn’t aware something was going on, “that sends a red flag to regulators.”
Vladeck noted that Google has raised this defense in the past — most notably over allegations in 2010 that Google’s Street View cars, which collect images for its mapping service, were collecting e-mail addresses and other payload data from unprotected home and business Wi-Fi networks. In that case, the FTC chose not to pursue any action against Google after the company agreed to delete the data collected and improve its privacy training for employees.
In addition to these privacy troubles, Google also is facing an antitrust investigation by the FTC over claims that the company favors its own products and services in its search results.
Rep. Edward Markey, D-Mass., cochairman of the Bipartisan Congressional Privacy Caucus, who joined other lawmakers in calling on the FTC in February to investigate Google over the Safari-privacy issue, praised the FTC for holding Google accountable.
“When consumers say ‘No’ to tracking, companies should not try to surreptitiously circumvent this preference,” Markey said in a statement. “Today’s announcement reinforces the need to vigorously monitor the promises technology companies make about protecting consumers’ privacy.”
But Consumer Watchdog, a frequent Google critic, said the fine was far too small and that the nonprofit group might seek to block the latest settlement unless Google admits to violating its 2011 consent decree with the FTC.
“While the $22.5 million penalty levied against Google is a record for the FTC, it is woefully insufficient, considering that Google refused to admit any liability or wrongdoing,” the group said.
Such a move by Google is unlikely, however, since companies rarely admit to wrongdoing when reaching such settlements. “Big institutions will never admit to liability because it does expose them” to other legal actions, University of Richmond law professor Carl Tobias said in an interview on Thursday.