Penalty Resulted from Deceptive Cookie Practices

Search engine giant Google Inc. will pay $22.5 million to settle Federal Trade Commission charges that it misrepresented its privacy promises to users of the Apple Safari web browser. The fine is the largest civil penalty the FTC has ever obtained for violation of one of its orders.

The FTC charged that Google’s misrepresentations violated a settlement reached in October 2011 that barred the company from “misrepresenting the extent to which consumers can exercise control over the collection of their information.”

In its latest complaint, the FTC charged that for several months in 2011 and 2012, Google placed advertising cookies on the computers of Safari users who visited sites within Google’s DoubleClick advertising network, “although Google had previously told these users they would automatically be opted out of such tracking, as a result of the default settings of the Safari browser used in Macs, iPhones and iPads.”

In addition to imposing the fine, the FTC ordered Google to disable all the tracking cookies it had said it would not place on consumers’ computer.

Google generates billions of dollars from selling online advertising services, including the delivery of targeted ads online, according to the FTC. “By placing a tracking cookie on a user’s computer, an advertising network can collect information about the user’s web-browsing activities and use that information to serve online ads targeted to the user’s interests or for other purposes,” the FTC noted.

Circumventing Settings

The FTC charged that Google told Safari users that because the browser is set by default to block third-party cookies, as long as the settings remain unchanged then they would be opted-out of having these cookies placed on their browsers.

But in many cases, according to the FTC, Google placed cookies on Safari users’ computers by circumventing the default cookie-blocking settings.

“The record-setting penalty in this matter sends a clear message to all companies under an FTC privacy order,” said John Leibowitz, chairman of the FTC. “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

David Navetta, an IT security and privacy lawyer at Information Law Group, says the hefty penalty is further proof that the FTC, indeed, is taking a strict stance on how it enforces orders.

“Google had violated the previous order, and the FTC is taking that seriously,” Navetta says. “But what really struck me is that they referenced industry standards. The FTC has been trying to encourage industry standards to develop, and here it looks like if a company says they are going to conform to standards and don’t, then they can expect charges to be brought against them.”

Navetta says Google may not have faced such a steep penalty had it not publicly promised to adhere to certain standards and practices that it later failed to meet. “That’s what got them in trouble, and could be viewed as a deceptive practice,” he says.