High Stakes: Will Google’s Alleged Circumvention of Safari Privacy Settings Expose It to a $100,000,000,000+ Fine?

by Poyner Spruill LLP

Google’s strong interest (some might say desperation) in conquering the social media territory already so thoroughly dominated by Facebook may have caused it to go a little too far.  Or a lot too far, assuming you think liability potentially numbering in the hundreds of billions is substantial. For anyone just coming out of winter hibernation, the latest Google controversy relates to its alleged, intentional circumvention of privacy settings that come with Apple’s Safari web browser, an issue first brought to light by a Stanford researcher and widely publicized following reports in the Wall Street Journal.

At the heart of the debate is the question of whether Google circumvented Safari’s privacy settings in order to place cookies on Safari users’ devices, in apparent contravention of those users’ privacy preferences (expressed through their Safari settings).  Google’s statement about the incident suggests the Safari circumvention, which was disabled after the Wall Street Journal story broke, was undertaken to facilitate Google’s provision of features to Google+ users.  Google+ provides users with the ability to receive personalized ads and other features that would require tracking individual users (with consent).  Safari’s settings prevented Google from “seeing” its users, so it apparently devised a workaround.  Google explains that it did not realize its workaround would trigger Safari functionality to essentially open the door to other Google advertising cookies that Safari would otherwise have blocked.  There is some dispute and disagreement about Google’s version of events, but even accepting Google’s explanation, it is clear that cookies were placed in spite of Safari users’ privacy preferences to the contrary. 

Meanwhile, Google is operating under a consent order with the FTC stemming from prior privacy gaffes committed during its roll out of the Google+ predecessor, Google Buzz.  That order prohibits Google from misrepresenting the “extent to which consumers may exercise control over the collection…of covered information,” among other things.  The order also obligates Google to develop a comprehensive privacy program that will identify reasonably foreseeable risks “that could result in [Google’s] unauthorized collection…of covered information.”  It’s not clear that analysis was done (or at least done effectively) with regard to this Safari workaround.

While the FTC does not have the authority to levy fines against organizations that violate section 5 (assuming no FTC rule also was violated), they do have the ability to fine any organization that runs afoul of a consent order.  Google’s explanation of this incident admits that it intentionally took advantage of Safari functionality, which accidentally resulted in unauthorized cookie planting.  No matter which version of the story you believe, Google’s version makes clear that they engaged in a business practice that effectively circumvented user choices regarding privacy, and whether intentional or unintentional, it calls into doubt their claim that “Your privacy matters to Google,” which features prominently in their brand new privacy notice.  In other parts of the notice, users are promised that “You may also set your browser to block all cookies, including cookies associated with our services.”  In some cases, Google may have made more blatant misrepresentations by claiming that Safari settings could be used to avoid Google cookies.  That statement has been pulled since this story broke but continues to be available from other sources.  Since Google, whether purposefully or inadvertently, subverted the browser settings it claims will help users block cookies, these statements could be construed by the FTC as misrepresentations that violate Google’s consent order.  The maximum fine is $16,000 per violation.

And that brings us to the math.  The affected consumers in this case are Safari users.  While the size of that population is not clear, it is known that Safari is installed as the default browser for many Apple devices and is available for download by users of non-Apple devices.  If we use 2011 iPhone and iPad sales as a proxy for total Safari users (likely a gross underestimate), that comes to well over 100 million people.  Since Safari blocks cookies by default, Safari users would have to purposefully re-set their browser preferences in order to permit (or consent to) Google’s cookies.  It’s probably safe to assume that the vast majority of Safari users left their settings as-is, meaning that Google’s cookies should have been blocked if user choices were respected.  But let’s be generous to Google and assume that only half of the Safari users left their default privacy settings turned on, such that a mere 50 million people might have been treated unfairly by Google’s circumvention of their browser privacy preferences or, worse, were actively deceived by Google’s privacy notice claiming that cookies could be blocked by browser settings.  Making such misrepresentations is prohibited by the FTC’s consent order with Google, and each violation of that prohibition is subject to a maximum fine of $16,000.  Thus we find that if 50 million people were deceived or treated unfairly, and each misrepresentation or unfair act is charged at $16,000, we reach a nice round total of $800 billion as the maximum fine.  And that may be a lowball estimate, considering that we used only 2011 sales as a proxy for Safari users, assumed that half of users took action to allow Google cookies (it was probably far fewer), and did not attempt to account for Mac, iPod Touch, or other Safari users in the estimate.

There’s another way to do the math that may be valid, again depending on versions of events.  It seems possible that Google’s circumvention was only aimed at Google account holders, which we approximate at 400-500 million people counting Gmail, Google+ and YouTube account holders.  If Google did limit its targeting to those account holders, and its actions affected only those account holders who use Safari (presently sporting a 12% share of the browser market), then sticking to the lower estimate of 400 million account holders causes about 48 million people to be affected rather than the 50 million calculated above.  So under either approximation we have a fine of around $800 billion.

Admittedly, the FTC may have some difficulty proving to the requisite degree of certainty exactly how many consumers were deceived or treated unfairly by Google’s practices toward Safari users.  On the other hand, one wonders if the agency would really need to go to the trouble.  When you start settlement negotiations with a fairly conservative estimate of $800 billion as the ballpark potential fine, walking away with even a fraction of that amount as a settlement will prove your point.  A resolution amount of just 10% of our estimate (a healthy $8 billion) would dwarf any privacy enforcement actions taken to date.

Time will tell whether Google is guilty as charged (or, rather, pays a settlement amount and admits no guilt) or if instead the FTC will investigate and be satisfied that Google lived up to its promises to the agency and its obligations to consumers.  Either way, the mere prospect of this enforcement has added an unflattering additional charge to Google’s growing resume of privacy blunders and exposed the company yet again to a tirade of complaints (some of them filed in court).  This Safari misstep closely follows controversial changes to Google’s privacy policy, which have brought a hailstorm of complaints, lawsuits, regulatory inquiries and Congressional angst.  Before that came the FTC enforcement action and general controversy over the now-dead Google Buzz, lawsuits over Android-related privacy problems, and the worldwide uproar that was unleashed when Google admitted its Street View cars had accidentally captured payload data from personal wifi networks. As the FTC, Congress, and global privacy regulators turn their attention to this latest misstep, one has to wonder whether Google could possibly have any goodwill left to burn, or any real hope of avoiding a stiff penalty for its Safari circumvention. One wonders too, if this latest misstep will deliver a knockout punch to Google’s aspirations to be a social media heavyweight. In its zeal to achieve that objective, all Google has managed to do so far is deliver itself two black eyes with the one-two punch of privacy blunders in both Buzz (20-year FTC consent order) and Google+ (monster fines?).




DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising
