On August 9, 2012, the Federal Trade Commission announced that Google has agreed to pay a $22.5 million penalty to settle the FTC’s charges that it violated a consent order regarding consumer privacy. This is the largest civil penalty that the FTC has ever exacted for a violation of one of the agency’s orders, and it has understandably garnered a great deal of attention.
Specifically, Google was accused of using “cookies” to track the online activities of people who use Apple’s Safari Web browser. Cookies are small segments of computer text that are used to collect information from computers and that can be used to target advertising to consumers.
Google, according to the FTC, had told Safari users on a Web page that because the Safari browser is set by default to block third-party cookies, the users needed to do nothing to prevent the use of the cookies. In fact, Google did place some cookies on the users’ computers. There was no allegation that any consumers actually received unwanted ads.
The settlement has received mixed reviews. Some commentators argue that the agreement is not tough enough on Google, which after all was already under a consent order barring it from engaging in this type of behavior. FTC Commissioner J. Thomas Rosch, who dissented from the Commission’s decision to accept the settlement, is one of the critics.
Commissioner Rosch wrote in a dissenting statement, “[i]t may be asserted that a denial of liability is justified by the prospect of a $22.5 million civil penalty. But $22.5 million represents a de minimis amount of Google’s profit or revenues.”
Some critics have contended that the settlement may be too tough in the sense that it will discourage pro-competitive behavior in the form of disclosures to consumers. For example, Ed Black, the president and CEO of the Computer & Communications Industry Association, wrote on August 13 that although Google was clearly at fault for not making it clear to the public what its precise privacy rules were, “it is fair to ask if the FTC’s enforcement action is out of proportion to the harm caused, and if it runs a very real risk of disincentivizing voluntary privacy disclosures in the future.”
Our view is that this consent order is indeed strong enough to send the message to Internet companies that the FTC is carefully scrutinizing the privacy protections that they provide and the statements that they make about them, and that they need to continue to be vigilant to adhere to the statements and promises they make in their privacy policies, web pages, and elsewhere.