Google has agreed to pay a $22.5 million penalty to settle its dispute with the FTC over the company's role in bypassing browser settings in Apple's Safari web browser. Although Google had stated that it wouldn't use tracking cookies or targeted ads in the browser, it was found to have used a loophole to do so, violating a previous privacy settlement between the FTC and Google. According to the commission, the company exploited an exception in the browser's default settings, placing a temporary cookie that opened up access to all cookies from the DoubleClick domain. Although Google has since patched the exploit, for a limited time it was able to track Safari users who had explicitly opted out.
The FTC's full statement follows.
Google Will Pay $22.5 Million to Settle FTC Charges it Misrepresented Privacy Assurances to Users of Apple's Safari Internet Browser
Privacy Settlement is the Largest FTC Penalty Ever for Violation of a Commission Order
Google Inc. has agreed to pay a record $22.5 million civil penalty to settle Federal Trade Commission charges that it misrepresented to users of Apple Inc.'s Safari Internet browser that it would not place tracking "cookies" or serve targeted ads to those users, violating an earlier privacy settlement between the company and the FTC.
The settlement is part of the FTC's ongoing efforts to make sure companies live up to the privacy promises they make to consumers, and is the largest penalty the agency has ever obtained for a violation of a Commission order. In addition to the civil penalty, the order also requires Google to disable all the tracking cookies it had said it would not place on consumers' computers.
"The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order," said Jon Leibowitz, Chairman of the FTC. "No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place."
Google, the developer of the world's most popular Internet search engine, generates billions of dollars in revenues annually from selling online advertising services, including the delivery of targeted ads online. Cookies are small pieces of computer text that are used to collect information from computers and can be used to serve targeted ads to consumers. By placing a tracking cookie on a user's computer, an advertising network can collect information about the user's web-browsing activities and use that information to serve online ads targeted to the user's interests or for other purposes.
In its complaint, the FTC charged that for several months in 2011 and 2012, Google placed a certain advertising tracking cookie on the computers of Safari users who visited sites within Google's DoubleClick advertising network, although Google had previously told these users they would automatically be opted out of such tracking, as a result of the default settings of the Safari browser used in Macs, iPhones and iPads.
According to the FTC's complaint, Google specifically told Safari users that because the Safari browser is set by default to block third-party cookies, as long as users do not change their browser settings, this setting "effectively accomplishes the same thing as [opting out of this particular Google advertising tracking cookie]." In addition, Google represented that it is a member of an industry group called the Network Advertising Initiative, which requires members to adhere to its self-regulatory code of conduct, including disclosure of their data collection and use practices.
Despite these promises, the FTC charged that Google placed advertising tracking cookies on consumers' computers, in many cases by circumventing the Safari browser's default cookie-blocking setting. Google exploited an exception to the browser's default setting to place a temporary cookie from the DoubleClick domain. Because of the particular operation of the Safari browser, that initial temporary cookie opened the door to all cookies from the DoubleClick domain, including the Google advertising tracking cookie that Google had represented would be blocked from Safari browsers.
The FTC charged that Google's misrepresentations violated a settlement it reached with the agency in October 2011, which barred Google from – among other things – misrepresenting the extent to which consumers can exercise control over the collection of their information. The earlier settlement resolved FTC charges that Google used deceptive tactics and violated its privacy promises when it launched its social network, Google Buzz.
More information about the FTC case can be found at the Tech@FTC blog.
The Commission vote to authorize the staff to refer the complaint to the Department of Justice, and to approve the proposed consent decree, was 4-1 with Commissioner J. Thomas Rosch dissenting. The Commission issued a statement authored by Chairman Jon Leibowitz and Commissioners Edith Ramirez, Julie Brill, and Maureen Ohlhausen. In its statement, the Commission affirmed that the settlement is in the public interest because, based on staff's investigative work, there is strong reason to believe that Google violated the prior order, and the $22.5 million fine is an appropriate remedy for the charge that Google misrepresented to Safari browser users how to avoid targeted advertising by Google. In his dissenting statement, Commissioner Rosch stated that it arguably cannot be concluded that the consent decree is in the public interest if it contains a denial of liability.
This case was filed with the invaluable assistance of the DOJ, which filed the complaint and proposed consent decree on behalf of the Commission in U.S. District Court for the District of Northern California in San Jose August 8, 2012. The proposed consent decree is subject to court approval.