Tsibouris & Associates Home | Practice Areas | Attorneys | Contact | Publications | Clients | Blog Home

Thursday, August 09, 2012

FTC Fines Google $22.5 Million, Leads in Cookie Enforcement

By Mehmet Munur

As widely expected, the FTC issued a civil penalty against Google for violating Safari web browser users’ cookie settings. The default setting for the Safari web browser would have blocked Google’s advertising cookies. However, Google allegedly used a work around to place a cookie that then resulted in other Google tracking cookies to be placed on the users’ devices. Google also represented that the opposite would be true for Safari users. The FTC issued a monetary penalty of $22.5 million dollars mostly due to the fact that Google was already subject to the FTC order for the Google Buzz launch issues. The large civil penalty drives home the message that privacy settings on users' devices matter. Their violation—no matter how technical—may result in enforcement actions and fines.

The fine is the largest civil penalty in FTC’s history. It is also the FTC’s third settlement relating to cookies, after the Chitika enforcement action and the ScanScout enforcement action. The settlement also represents another enforcement action and first fine relating to the U.S. Department of Commerce EU Safe Harbor—due to the underlying consent order. The Department of Justice complaint lists three causes of action: (1) collecting covered data under the initial Google Consent Order, (2) serving targeted advertising in violation of the initial Google Consent Order, and (3) misrepresenting the National Advertising Initiative compliance under the initial Google Consent Order. In the proposed order, Google agrees to (1) pay the civil penalty, (2) delete the tracking cookies, and (3) report its compliance.

Interestingly, Commissioner Roach dissented from the consent decree because he did not believe that Google should be able to deny liability in this setting.  He thought this was the case because it was Google’s second time violating the FTC Act and this was a violation of an already existing consent order. He also argued that the civil penalty was small compared to Google’s revenue and profits, and, therefore, would not prevent others from engaging in similar conduct. The Commission responded in a statement to Commissioner Roach’s dissent and stated that the fine was in the public interest and that it was historic. However, the remaining commissioners appeared to confirm the notion that this was a technical violation and that it did not last for long and that it Google did not profit much from it. As a result, the differentiating factor between the Google and Chitika enforcement actions relating to cookies appear to be that Google was already under a consent order.

The civil penalty establishes the FTC as the leading privacy enforcement agency in the world, at least in my mind. While the Chitika enforcement action may have been technical in nature and likely did not get the attention of many technology companies, this civil fine will grab headlines and drive the message home unlike any enforcement action before it. Users’ privacy settings on their devices matter. If you violate them, you may be subject to an enforcement action or even a fine. I doubt, however, that the FTC will start getting the respect it deserves from the European regulators.

You may read about more about how Google placed cookies on users’ devices in violation of their browser settings on the FTC’s Chief Technologist’s blog here.

Labels: , , , ,