The FTC v. Google Saga—Episode II: What Lessons for U.S. Businesses?
By Françoise Gilbert, IT Law Group
The Federal Trade Commission has published its long-awaited[1] proposed consent order with Google Inc.[2] to close its second investigation into Google’s practices (Google II). Under this order (Google II Consent Order), Google would agree to pay a record $22.5 million civil penalty to settle charges that it misrepresented to users of Apple’s Safari browser that it would not place tracking cookies on their browser or serve targeted ads, and that these individuals did not need to take any action to be opted out of DoubleClick targeted advertisements. The settlement would also require Google to disable all tracking cookies that it said it would not place on consumers’ computers, and to report to the FTC by March 2014 on how it has complied with this remediation requirement. According to the FTC, this settlement is “intended to provide a strong message to Google and other companies under order that their actions will be under close scrutiny, and that the Commission will respond to violations quickly and vigorously.”[3]
This Google II action is not just another FTC case under Section 5 of the FTC Act.[4] It is unique in many respects. The case is the second one against Google in less than 12 months. The FTC does not have the authority to fine a company under Section 5 of the FTC Act, but it can fine a company that violates a consent order with the commission. The FTC took that power into account and built on its prior case against the company (Google I).[5] The arguments are in some respects different from those in other similar cases addressing consumer privacy, and the complaint (Google II Complaint) and proposed order provide significant insight into the reasoning of the FTC, which is very valuable information for companies that collect or use personal information and want to reduce the risk of government action.
Among these unique aspects, consider, for example, the following:
• The proposed Google II Consent Order results from the second action against a single company in less than 12 months—an unusual circumstance.
• The penalty to be assessed is a record amount.
• The Google II Complaint focuses on violations of a prior consent order, rather than a violation of Section 5 the FTC Act.
• Some of the events treated as violations are novel, notably the role played by the violation of the Network Advertising Initiative (NAI) Code of Conduct.
The documents published by the FTC about this second enforcement action provide numerous indications of the current vision and expectations of the FTC. This article will focus primarily on what the documents surrounding the Google II enforcement action reveal of the views of the FTC, and what the FTC expects from companies. Before delving into this analysis and its implications for U.S. businesses, we will first provide a brief explanation of the Google II case, and the high points of what is becoming the FTC v. Google saga.
Google II Overview
The incidents that led to the Google II investigation are described at length in the Google II Complaint.[6] The complaint alleges that, for several months in 2011 and 2012, Google placed a certain advertising tracking cookie on the computers of Apple Safari users who visited sites within Google’s DoubleClick advertising network, although Google had previously represented to users of Safari that they would be automatically opted out of such tracking as a result of the default settings of the Safari browser used in Macs, iPhones and iPads. In fact, these users did receive tracking cookies and targeted advertisements as a consequence of Google bypassing a feature of the Safari program that, by default, blocked third-party cookies.
According to the Google II Complaint, Google represented to Safari users that it would not place third-party advertising cookies on the browsers of Safari users who had not changed the default browser setting (which, by default, blocked third-party cookies) and that it would not collect or use information about users’ web-browsing activities. Google also represented that because the Safari browser is set by default to block third-party cookies, as long as users do not change their default browser settings, this setting “effectively accomplishes the same thing as [opting out of this particular Google advertising tracking cookie].” According to the Google II Complaint, these representations were found to be false, resulting in a violation of Google’s obligation under Part IA of the consent order in Google I (Google I Consent Order).[7]
In addition, the Google II Complaint charged that Google represented that it is a member of the NAI, an industry group that requires members to adhere to its self-regulatory code of conduct, including disclosure of their data collection and use practices.[8] The FTC charged that this misrepresentation violated Google’s obligation under Google I Consent Order, Part IB.[9]
The FTC argued in the Google II Complaint that, by doing so, Google had misrepresented its activities to the Safari users, and that these misrepresentations constituted a violation of the earlier privacy settlement between Google and the FTC in Google I, which was finalized Oct. 24, 2011.
The Google II Complaint was filed pursuant to Sections 5(l) and 16(a) of the FTC Act.[10] Section 5(l) provides for a civil penalty—currently $16,000—for each violation of a final order of the FTC (in this case, violation of the Google I Consent Order of October 2011). Section 16(a) defines, among other things, the procedure to be used to enforce Section 5(l).
The proposed Google II Consent Order would require Google to:[11]
• pay a $22.5 million civil penalty pursuant to Section 5(l) of the FTC Act;[12]
• maintain, until Feb. 15, 2014, a system to instruct Safari web browsers to expire any DoubleClick.net cookie placed by Google before the beginning of the Google enforcement action; and
• report to the FTC, by March 8, 2014, how it has complied with the above obligation.
Second FTC Action Against Google in 12 Months
The Google saga started as a result of an incident that occurred in early 2009, when Google launched its social networking service called “Google Buzz” within its Gmail product. Google used the information of Gmail users to populate the new social network. “Without prior notice or the opportunity to consent, Gmail users were, in many instances, automatically set up with ‘followers’ … .”[13] When the Buzz service was launched, many Gmail users found out that the service had automatically generated lists of followers and people to follow, using the individuals’ email contact lists. Unfortunately, in some cases, these lists included very sensitive or confidential information, such as the contact information of individuals against whom the Gmail user had obtained a restraining order, or of an abusive ex-spouse or partner, or those of clients of a mental health professional.[14] As a result of the public outcry, Google made some changes, but the incident attracted the regulators’ attention, including that of the FTC, which started an enforcement action on the charges that Google used deceptive tactics and violated its own privacy promises to consumers when it launched the Buzz social network in 2010.[15]
This action resulted in the Google I Consent Order, which became final in October 2011.[16] This order included several obligations, such as requiring Google to:
• cease any misrepresentation with respect to the extent to which the company maintains and protects the privacy and confidentiality of information or complies with compliance programs (Part I);[17]
• obtain express affirmative consent of individuals before changing its data-sharing practices (Part II);
• establish a comprehensive privacy program (Part III);
• obtain biennial assessments of its privacy practices for 20 years (Part IV); and
• maintain certain records (Part V).
In addition, as for all final consent orders issued by the FTC, the Google I Consent Order carried the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000, under Section 5(l) of the FTC Act.[18]
Rare Case of Successive Enforcement Actions
Google has the unusual privilege of having been under FTC scrutiny twice in less than 12 months. This is not unique, but it seldom happens. Only very few companies have been the subject of multiple or successive FTC enforcement actions. These include, for example, Sony BMG Music Entertainment,[19] First American Real Estate Solutions,[20] DIRECTV,[21] and to some extent ChoicePoint.[22] In each of these cases, however, the second action was based on different types of violations. The FTC started de novo, and did not link the first case to the second.
Google II is different. There, the FTC pursues Google as a recidivist. The Google II Complaint does not treat Google’s behavior as a violation of the law. Rather, the FTC claims that Google’s statements about its practices and policies are wrong and inaccurate, that they constitute a misrepresentation of its actual practices, and that this misrepresentation violates a prior settlement with the FTC, dated October 2011 (Google I). Thus, unlike the other cases of successive enforcement actions against a single company, the Google II case is founded on the violation of a prior settlement rather than a violation of the FTC Act.
Violation of Existing Consent Order
In most cases, an FTC enforcement action will be based on some activities that the FTC deems to constitute misrepresentation or deceptive practices and that violate Section 5(a) of the FTC Act—the section that gives the FTC the power to prevent companies from using unfair or deceptive acts or practices or unfair methods of competition, “in or affecting commerce.”[23] Other enforcement actions may be based on other laws or regulations, such as the Children’s Online Privacy Protection Act (COPPA) or the Do Not Call provisions of the Telemarketing Sales Rule.
Even though it was prompted by actions that might be deemed “deceptive acts” under Section 5(a) of the FTC Act, the FTC action in Google II[24] does not deal directly with these actions as deceptive acts that violate Section 5(a) of the FTC Act.
Instead, the Google II enforcement action is based on the fact that Google’s activities are found to violate the prior settlement with the FTC dated October 2011 (Google I). For this, the FTC takes advantage of its powers under Section 5(l) of the FTC Act,[25] so that it can assess a significant civil penalty against Google for recidivism. Section 5(l) of the FTC Act[26] grants the FTC the power to assess a penalty of $16,000 per violation against any person or entity that violates an order of the commission after it has become final.
The application of Section 5(l) allowed the FTC to assess a significant penalty against Google, in the amount of $22.5 million, which takes into account the nature of the alleged violations, and the significant revenue that Google may have derived from its alleged deceptive acts, and the bypassing of the Safari feature that blocked third-party cookies by default. While the $22.5 million does not reflect the actual number of violations that occurred during the 2011-2012 period covered by the enforcement action, the scale of the revenue generated by Google from its advertisement program may have been a significant factor in determining the amount of the civil penalty.
A Record Penalty
The proposed Google II Consent Order sends a clear message that the FTC is serious about compliance and enforcement. The $22.5 million civil penalty imposed on Google is the “highest fine ever levied for violation of a Commission consent order.”[27] The “record setting penalty in this matter sends a clear message to all companies under an FTC privacy order.”[28] “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”[29]
Even when compared with the $15 million price tag in the 2006 ChoicePoint case,[30] where security lapses had led to unauthorized access to more than 163,000 consumer records, the size of the penalty that Google has agreed to pay under the proposed Google II settlement is significant. In its 2006 FTC enforcement action against ChoicePoint, one of the early large security breach cases, the FTC required a $15 million payment from the data broker, comprised of a $10 million civil penalty and $5 million for consumer redress.[31]
Google II is different from ChoicePoint, however, in that the Google II case was presented as a violation of the Google I order. Thus, the size of the civil penalty against Google is directly related to the nature of the action itself, as opposed to the nature of the privacy rights violation. In its statement, the FTC explains: “That the violations alleged in the Commission’s federal court complaint have warranted so significant a penalty signals to Google and other companies that the Commission will vigorously enforce its orders.”[32]
The record-setting penalty in Google II clearly shows that the FTC takes seriously the commitments that it requires from companies that it has previously investigated. When an FTC consent decree requires a 20-year commitment to abide by certain practices, the FTC may, and indeed will, return and ensure that the obligations outlined in the consent decree are met.
Clarification of FTC’s Positions
The documents published as part of the notice of the Proposed Consent Order provide an excellent and useful description of the FTC’s analysis, and allow identification and understanding of the elements of the FTC’s analysis in Google II. The Google II Complaint turns on violations of a specific portion of the Google I Consent Order. Specifically Part I of the Google I Consent Order prohibited Google from “misrepresenting in any manner, expressly or by implication”:
A. The extent to which respondent maintains and protects the privacy and confidentiality of any covered information, including, but not limited to, misrepresentations related to: (1) the purposes for which it collects and uses covered information, and (2) the extent to which consumers may exercise control over the collection, use, or disclosure of covered information.
B. The extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other entity, including, but not limited to, the U.S.-EU Safe Harbor Framework.[33]
The term “covered information” was defined broadly in the Google I Consent Order to include a variety of information, among which is “persistent identifier.”[34] In the Google II Complaint, the FTC clarifies that the term is intended to include “a persistent identifier contained in a tracking cookie, a user’s IP [internet protocol] address, a user’s account ID, a user’s interests or a user’s web-browsing activity.”[35]
Misrepresentation of User’s Ability to Control Collection or Use of Personal Data
In its analysis of the Safari cookie issue, the FTC focuses first on the fact that Google represented to Safari users that if they did not change the default settings of their Safari browser, Google would not place DoubleClick advertising cookies on a user’s browser, collect interest category information from or about the user, or serve targeted advertisements to the user. However, despite its representations to the Safari users, Google overrode the Safari default browser settings, and placed the DoubleClick advertising cookie on Safari browsers.[36] Further, the Google II Complaint also charges that Google represented to Safari users, directly or by implication, that it would not serve targeted advertisements based on information collected through the DoubleClick advertising cookie to Safari users who had not changed their default browser setting. This too, according to the Google II Complaint, was false.[37]
The FTC argued that both these actions misrepresented the extent to which users may exercise control over the collection or use of covered information, thereby violating Part I(A) of the Google I Consent Order.[38]
The second lesson from this aspect of the Google case stems from the definition of “persistent identifier.” This clarification of the term “covered information” as used in the Google I Complaint may be useful for businesses other than Google that try to understand the FTC’s vision as stated in the FTC orders and complaints, and extrapolate these documents to their own practices. These businesses may wish to evaluate how the definition of “covered information” in the Google cases would translate into their own company privacy statement. They may wish to look into the scope of their company’s privacy statement and how it may extend not only to name, address, purchases, and similar data, but also to data in the form of a code or a number that becomes attached to a specific user, such as a code that indicates a user’s interests, or a code that indicates a user’s browsing activity.[40] This clarification is also very useful in that respect.
Misrepresentation of Compliance With NAI Code
The third prong in the Google II Complaint centers on Google’s representation that it adheres to, or complies with, the Self-Regulatory Code of Conduct of the NAI (NAI Code). In the Google II Complaint, the FTC argues that Google misrepresented, directly or by implication, that it adheres to, or complies with, the NAI Code, a privacy, security, and compliance program that requires its members, including Google, to disclose their data collection and use practices. In view of the evidence of Google’s misrepresentation to Apple Safari users, the FTC finds these representations of compliance with the NAI Code to be untrue.
This alleged violation allows the FTC to claim that Google violated its obligation under Part I(B) of the Google I Consent Order, which required that Google not “misrepresent the extent to which it complies with, or participates in, a privacy, security, or other compliance program sponsored by the government or any other entity.”
This interpretation of Part I(B) of the Google I Consent Order is very important because it clarifies what the FTC intends by “compliance program sponsored by the government or any other entity.” This sentence is found in the Google I Consent Order.[41] In the complaint in Google I, the FTC claimed that Google had failed to adhere to the U.S. Safe Harbor Privacy Principles of Notice and Choice, such as by failing to inform customers before using the information collected from them for a purpose different from that for which it was originally collected.
As a result, the Google I Consent Order addressed the failure to comply with the Safe Harbor Principles by requiring that Google cease misrepresenting that it complied with a “program sponsored by the government or other entity.” With the proposed Google II Consent Order, we learn that not only does the Safe Harbor program fit within this definition, but so does the NAI Code. It should be expected that other references to other programs might follow, such as compliance with the COPPA safe harbor program, or rules and guidelines of other similar organizations.
FTC Common Law of Privacy—2012 Edition
Google II shows an evolution or a refinement of the FTC “Common Law,” such as in the expansion or clarification of the notion of where privacy promises are deemed to be made. In its early cases addressing consumer privacy and the protection of personal information, the FTC first focused on violations of companies’ privacy promises made in their public website privacy statements.
Then, in several consent orders issued in 2011, including Google I and Facebook,[42] the FTC expanded the scope of its enforcement and investigations to violations of the Safe Harbor Principles that were outlined in a 2001 agreement between the U.S. Department of Commerce and the European Commission. These orders showed that the FTC would look into promises or statements made about a company’s alleged compliance with a government-sponsored program—the Safe Harbor Principles—when assessing whether a company has misrepresented its privacy practices.
Now, with Google II, the FTC again expands the scope of its enforcement actions to include a violation of the NAI Code. In future cases, it is likely that we will see similar interest in compliance with other industry standards.
An extrapolation from this case, and the trends of these past few years, also leads to the conclusion or prediction that the FTC—and, likely, state regulators, as well—will expand the scope of its investigation into other disclosures describing companies’ practices. Will the next investigation inquire into compliance with other safe harbor programs such as the programs under COPPA? How about investigations into cookie disclosures that many companies are beginning to post on their websites? Or opt-out pages allowing individuals to opt out of a company’s use of behavioral tracking technologies and third-party cookies?
As the FTC and state regulators refine and expand the way in which they conduct their investigations and enforcement actions, companies also must evolve, refine and expand the way they ensure that they comply with U.S. privacy laws, and make good on the promises that they make under these laws. In practice, this means that businesses must ensure that all of the representations that they make about their privacy compliance or privacy commitments are true, and accurately and completely reflect all their practices.
Businesses Must Look Beyond Their Website Privacy Statement
The proposed Google II Consent Order and related Google II Complaint send a very strong message. This message is that companies have to pay attention to ALL privacy promises that they may make in numerous places other than in a company’s online privacy statement. These promises are found, for example, in other representations made by the company, such as through its regulatory filings, or in its marketing or promotional documents.
In the Google I enforcement action, the FTC looked at the promises and representations made with respect to Google’s compliance with the Safe Harbor Principles issued by agreement between the Department of Commerce and the European Commission. In the Google II enforcement action, the FTC looked at the promises and representations that resulted from Google’s statements in its marketing materials that it complied with the Self-Regulatory Code of Conduct of the NAI and was a member of the NAI.
Companies often use their memberships in industry groups or privacy programs as a way to show their values, and to express their commitment to certain standards of practice. This was the case for Google with the Safe Harbor Principles of the Department of Commerce and the European Commission (Google I), and with the NAI Code of Conduct (Google II).
These statements about compliance with programs or adherence to values or principles are not intended to be used just for marketing purposes or to make customers feel good. These statements are promises or commitments. They must be accurate, and they will be taken seriously; indeed, the FTC and other regulators will take these promises into account. As shown in the Google II case, failure to comply with the rules, principles and codes of conduct associated with membership in these programs could be fatal. Such a failure would expose the company to claims of unfair and deceptive practices; or, as in the case of Google, to substantial fines for failure to comply with a consent decree barring misrepresentation, if the deficiency happens to also violate a pre-existing consent decree.
If your company makes promises or statements about its privacy practices:
• Look for and monitor all representations made by, or on behalf of, your company about its privacy and security program; look everywhere, and not just in the official company privacy statement.
• Educate your information technology, information security, marketing, sales, legal, and other staff on the need for proper communications and concerted action so that those who write or develop the company’s disclosures and statements can make clear, complete and accurate descriptions about data collection, data processing and data governance. These representations may have significant consequences, and may create a minefield if not created properly.
• If your company claims that it is a member of a self-regulatory or government program, make sure that it has complied with all applicable rules, codes of conduct, or principles of that self-regulatory or government program.
• Periodically compare ALL promises that your business makes, in its privacy statement, in its filings and self-certifications, in its cookie disclosures, in its marketing documents, and the like, with what each of your products, services, applications, technologies, devices, cookies, tags, etc. actually does.
• Ensure that the company abides by ALL of its promises in ALL of its products and services, and at ALL times.
A U.S. Message to the World
The FTC action against the world’s most popular search engine provides the U.S. government with an opportunity to show the rest of the world, and especially the European Union and the Asia-Pacific Economic Cooperation member economies,[43] that it cares about privacy and is serious about enforcement. In its press release, the FTC announced that this settlement was “part of the FTC’s ongoing efforts to ensure that companies live up to the privacy promises that they make to consumers.”[44]
While Google has already been the subject of an FTC enforcement action that was concluded in 2011 (Google I)[45] and that applies to the entire Google operation, the company has continued to attract the attention of regulators throughout the world. Google’s activities, faux pas or inadvertent errors have been the focus of numerous investigations abroad, some of which are still ongoing,[46] while others have resulted in fines.[47] At a time when most of the rest of the world thinks that there is no adequate privacy protection in the United States, it is important for the U.S. government to show that it does monitor the activities of U.S. companies—especially the most popular ones, such as Google or Facebook[48]—to explain and demonstrate that its values with respect to the protection of personal information, and the intensity of its enforcement efforts, are consistent with, if not stronger than, those of the other world leaders.
Françoise Gilbert, CIPP/US, is the managing attorney of the IT Law Group (http://www.itlawgroup.com) and serves as the general counsel of the Cloud Security Alliance. Gilbert focuses her legal practice on information privacy and security, cloud computing, and data governance. Gilbert is the author and editor of the two-volume treatise Global Privacy and Security Law (Aspen Publishers, Wolters Kluwer Law and Business). Gilbert also maintains a blog on domestic and international data privacy and security issues (http://www.francoisegilbert.com).
© 2012 IT Law Group
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.