[authors: K.C. Halm, Bob Scott]
On August 9, 2012, the Federal Trade Commission (FTC) announced a settlement with Google over the search engine’s alleged misrepresentations in its online privacy disclosures concerning the use of “cookies” and targeted ads directed to users of Apple, Inc.’s Safari Internet browser. Under the terms of the settlement, although Google denied liability, it agreed to pay a $22.5 million civil penalty, and to disable all DoubleClick advertising cookies placed through Safari browsers, except opt-out cookies. The enforcement action is also significant as the FTC’s first effort to punish a company for allegedly violating an industry self-regulatory code, further setting the stage for FTC enforcement of industry-specific codes that the Administration seeks to develop through multi-stakeholder workshops.
Although based on Google’s online disclosures and practices, this settlement stems from alleged violations of the terms of an October 2011 privacy settlement between Google and the FTC. That settlement resolved FTC charges that Google used deceptive tactics and violated its online privacy commitments to users when it launched its social network, Google Buzz. In settling, Google agreed not to misrepresent the extent to which users can exercise control over the collection of personal information.
In its latest complaint, the FTC alleged that Google violated the Google Buzz settlement in 2011 and 2012 by placing advertising tracking cookies on the computers of Safari users who visited sites within Google’s DoubleClick advertising network. In many cases, Google allegedly placed these cookies on consumers’ computers by circumventing Safari’s default cookie-blocking setting, and by exploiting an exception to the browser’s default settings which allowed temporary cookies from the DoubleClick domain. Once the temporary cookies were in place, the FTC alleged that all cookies from DoubleClick were placed on these computers. The FTC specified that Google placed both first-party and third-party cookies in this manner. These practices, the FTC claimed, violated Google’s representations to users that their online activity would not be tracked as a result of default settings on the Safari browsers on Apple devices, and thus violated the Google Buzz settlement.
The FTC also alleged that these practices violated terms of the Network Advertising Initiative’s (NAI) self-regulatory code of conduct. This allegation rested on Google’s commitment in the Google Buzz settlement agreement “not to misrepresent in any manner” the extent to which it complies with any private “compliance program” for data privacy or security. Because the NAI code requires participants to “clearly and conspicuously post notice on its website that describes its data collection,” the Commission alleged that Google’s alleged failure to describe its practices did not comply with the code, and thus violated the Google Buzz settlement. Facebook likewise agreed to enforceable compliance with private codes like NAI in its November 2011 preliminary settlement with the FTC, which became final on August 10, 2012.
In addition to the $22.5 million civil penalty, Google also agreed to maintain systems configured to instruct Safari web browsers to “expire” any DoubleClick.net cookie previously placed on a computer by Google, except for opt-out cookies. Google will be required to file a report in February 2014 demonstrating how it has complied with this mandate.
Four of the five FTC Commissioners voted to authorize the staff to pursue the original complaint, and to approve the settlement agreement, which is still subject to final approval by the U.S. District Court in California. Commissioner Rosch dissented on grounds that it arguably cannot be concluded that the consent decree is in the public interest, given Google’s denial of liability.