The record fine is the FTC’s first for a violation of Internet privacy as the agency steps up enforcement of consumers’ online rights.
The FTC alleged that Mountain View, California-based Google deceived consumers and violated terms of a consent decree signed with the commission last year when it planted cookies on Safari, bypassing Apple software’s privacy settings, to track users’ Internet browsing behavior.
“The record-setting penalty in this matter sends a clear message to all companies under an FTC privacy order,” said FTC Chairman Jon Leibowitz. “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”
Google, operator of the world’s largest Internet search engine, has drawn regulatory scrutiny and pressure from consumer advocates for the way it handles personal information. The company’s consent decree with the FTC settled allegations that it used deceptive tactics and violated its own privacy policies in introducing the Buzz social-networking service in 2010.
“We set the highest standards of privacy and security for our users,” Google said in an e-mail statement. “The FTC is focused on a 2009 help-center page published more than two years before our consent decree, and a year before Apple changed its cookie-handling policy. We have now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.”
Consumer Watchdog, an advocacy group based in Santa Monica, California, said the fine wasn’t big enough to teach a lesson to Google, which reported net income of $9.7 billion last year and is expected to generate profit of $13.7 billion this year, according to the average estimate of 34 analysts surveyed by Bloomberg News.
“While the $22.5 million penalty levied against Google is a record for the FTC, it is woefully insufficient considering that Google refused to admit any liability or wrongdoing,” said John Simpson, privacy project director for the public interest group.
“The commission has allowed Google to buy its way out of trouble for an amount that probably is less than the company spends on lunches for its employees and with no admission it did anything wrong,” Simpson said.
In addition to the penalty, the FTC ordered Google to disable all the tracking cookies. Most of the tracking cookies have been removed and all must be gone by February of 2014, James Kohn, the FTC’s associate director for enforcement, said on a conference call today with reporters after the announcement.
Google shares rose less than 1 percent to $643.04 at 2:34 p.m. in New York trading. The stock has declined 0.43 percent this year.
Cookies are small pieces of computer text that collect information from computers about a user’s browsing behavior and can be used to serve advertisements to consumers based on their interests as shown by the websites they visit.
Google specifically told users of Apple’s Safari that because the browser is set by default to block third-party cookies, as long as users don’t change their browser settings, this setting effectively accomplishes the same thing as opting out of online tracking, according to the FTC complaint.
Google exploited an exception to the browser’s default setting to place a temporary cookie, the FTC said.
The Safari breach was first identified by Stanford researcher Jonathan Mayer, who published a blog entry on his discoveries Feb. 16. Google said at the time that it “didn’t anticipate this would happen” and that it was removing the files since discovering the slip.
The agency was investigating Google’s privacy violations before Mayer’s report was published, David Vladeck, director of the FTC’s bureau of competition, said on the conference call today. He also called Google’s response that it was unaware of the breach “troubling.”
“Google’s defense waves a red flag to regulators,” Vladeck said. “The social contract is if you are going to hold on to people’s private data, you’ve got to do a better job of honoring your commitments.”
The cookies allowed Google to avoid Safari’s built-in privacy protections to aim targeted advertising at users of Safari on computers, laptops, iPhones and iPads.
Marc Rotenberg, president of the Electronic Privacy Information Center, which filed the initial complaint in February 2010 that led to the consent decree, said “although we had previously expressed concerns about the failure of the FTC to enforce its own orders, we are pleased that the commission has now taken action to protect the privacy of Internet users.”
The FTC is charged with protecting consumers against “unfair and deceptive” practices under the law that created the agency. Last year’s 20-year settlement with Google bars the company from misrepresenting how it handles user information, and requires it to follow policies that protect consumer data in new products and to submit to regular privacy audits.
The FTC has the authority to levy fines for violations of its consent decrees of as much as $16,000 a day for each violation.
“Google is paying what we think is a heavy price for violating our prior order,” Vladeck said. “We hope this sends a clear message to Google that violations of the order and failure to keep commitments on privacy is going to be punished severely. This sends the message that the FTC isn’t kidding around.”
Vladeck said that although the order didn’t involve a statement of liability, Google didn’t contest the facts laid out in the FTC complaint.
FTC Commissioner Thomas Rosch said in his dissenting statement the agency should have gotten Google to admit wrongdoing.
“There is no question in my mind that there is ‘reason to believe’ that Google is in contempt of a prior commission order,” Rosch wrote. “This scenario — violation of a consent order — makes the commission’s acceptance of Google’s denial of liability all the more inexplicable.”
Rosch, one of two Republican commissioners at the FTC, said accepting the order without such an admission wasn’t in the public interest and would make it easier for other, smaller companies to do the same in the future.
Other public interest groups criticized the FTC action. Berin Szoka, president of TechFreedom and Geoffrey Manne, executive director of the International Center for Law & Economics, said in a joint e-mail statement that the FTC order amounted to “arbitrary regulation-by-settlement” that “undermines the rule of law and harms consumers by deterring privacy disclosures.”
The agency’s previous largest fine in a privacy-related case was against data broker ChoicePoint Inc. in 2006 for compromises of personal financial records of more than 163,000 consumers. ChoicePoint agreed to pay $10 million in civil penalties and $5 million in consumer redress in a settlement with the FTC.
The FTC has also entered into settlements on privacy allegations with Facebook Inc. (FB), Twitter Inc. and MySpace Inc.
To contact the reporter on this story: Sara Forden in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Michael Hytha at email@example.com