FTC Fines Google $22.5 Million, Leads in Cookie Enforcement
The fine is the largest civil penalty in FTC’s history. It is also the FTC’s third settlement relating to cookies, after the Chitika enforcement action and the ScanScout enforcement action. The settlement also represents another enforcement action and first fine relating to the U.S. Department of Commerce EU Safe Harbor—due to the underlying consent order. The Department of Justice complaint lists three causes of action: (1) collecting covered data under the initial Google Consent Order, (2) serving targeted advertising in violation of the initial Google Consent Order, and (3) misrepresenting the National Advertising Initiative compliance under the initial Google Consent Order. In the proposed order, Google agrees to (1) pay the civil penalty, (2) delete the tracking cookies, and (3) report its compliance.
Interestingly, Commissioner Roach dissented from the consent decree because he did not believe that Google should be able to deny liability in this setting. He thought this was the case because it was Google’s second time violating the FTC Act and this was a violation of an already existing consent order. He also argued that the civil penalty was small compared to Google’s revenue and profits, and, therefore, would not prevent others from engaging in similar conduct. The Commission responded in a statement to Commissioner Roach’s dissent and stated that the fine was in the public interest and that it was historic. However, the remaining commissioners appeared to confirm the notion that this was a technical violation and that it did not last for long and that it Google did not profit much from it. As a result, the differentiating factor between the Google and Chitika enforcement actions relating to cookies appear to be that Google was already under a consent order.
The civil penalty establishes the FTC as the leading privacy enforcement agency in the world, at least in my mind. While the Chitika enforcement action may have been technical in nature and likely did not get the attention of many technology companies, this civil fine will grab headlines and drive the message home unlike any enforcement action before it. Users’ privacy settings on their devices matter. If you violate them, you may be subject to an enforcement action or even a fine. I doubt, however, that the FTC will start getting the respect it deserves from the European regulators.
You may read about more about how Google placed cookies on users’ devices in violation of their browser settings on the FTC’s Chief Technologist’s blog here.