The Wall Street Journal, citing unnamed sources, reported that Google had basically agreed to pay US$22.5 million to settle the FTC charges.
If that figure holds, the fine would be the biggest ever levied by the US FTC on a single company. The previous record was a US$10 million fine the agency imposed on data aggregator ChoicePoint Inc. in 2006 for a data breach that resulted in the compromise of nearly 160,000 consumer records.
While the fine is likely to be small change for Google, its significance cannot be underestimated, several privacy advocates said.
“The FTC fine’s impact on Google can’t just be measured in dollars,” said Jeffrey Chester, executive director of privacy-watchdog group the Center for Digital Democracy. ” It sends a strong signal to Google users that the company is still failing to do right by their privacy. If they don’t do a better job protecting privacy, it will face larger fines and greater political consequences.”
In a statement, Google said it could not comment on any specifics of a settlement. “However, we do set the highest standards of privacy and security for our users. The FTC is focused on a 2009 help centre page published more than two years before our consent decree and a year before Apple changed its cookie-handling policy. We have now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.”
The agreement comes six months after a graduate student at Stanford University published a paper showing how Google and three other companies were circumventing the Safari browser’s do-not-track settings, to install tracking cookies on user systems.
The revelation prompted scathing criticism from several quarters and prompted calls by three lawmakers for an FTC probe. Several contended that the cookie placement contradicted Google’s claims that it respected Safari’s do-not-track settings.
Google’s actions also triggered a US FTC investigation over whether the company had violated the terms of a consent agreement it signed with the agency in October 2011 in which it agreed not to misrepresent its privacy claims. That consent decree followed an investigation into alleged privacy violations related to Google’s now defunct Buzz social network.
Google maintained that it had not intentionally meant to bypass Safari’s do-not-track-settings. The company said the problem had to do with a Safari browser function that accidentally enabled Google advertising cookies to be set on the browser even in situations where a Safari user might have turned on the do-not-track feature. Google executives maintained that the cookies were set inadvertently and that the company did not know about the problem until being alerted to it.
Under the latest FTC settlement, Google is expected to admit to no wrongdoing.
“The company increasingly engages in excuses, claiming it was inadvertent,” Chester said. “From Street View to Safari, Google keeps giving consumers a digital mea culpa,” he said, arguing that Google is now in a digital data collection arms race with Facebook.
Justin Brookman, director of consumer privacy at the Center for Democracy and Technology said the real significance of a hefty FTC fine would be the message it sends. “People still think highly of Google, but if this keeps happening, it is going to be bad for them,” he said.
In this case, Google is being held accountable largely because it had language on its website explicitly promising Safari users that it would honour their privacy settings, Brookman said. It’s questionable how much success the FTC would have had if that language had not been present and Google had done the exact same thing. “It’s an open question whether that would have been illegal” under present privacy statutes, he said.
Daniel Castro, a senior analyst with the Information Technology & Innovation Foundation, was one of those who questioned the wisdom of an FTC fine.
“If a company consistently shows a pattern of making false claims about its products, then the FTC can and should vigorously pursue enforcement against them,” he said. ” But if a company makes an honest mistake, the goal should be to work cooperatively and swiftly with the company to get the issue resolved while protecting consumers.”
In this case, Google does not appear to have violated any of its general privacy policies on tracking, Castro noted. Instead, some public statements from the company about how it handled certain Safari browser functionalities turned out to be false, he said. “Given the complexity of browsers, search engines and tracking — and how code on each of these changes so rapidly — a minor mistake here seems reasonable,” he said.