Two consumer groups have filed a complaint with the Federal Trade Commission alleging that Google broke the law by deceptively forcing a privacy-policy change onto users that allows the firm to build much more comprehensive files on individuals.
Consumer Watchdog, a prominent Google adversary on self-driving cars, joined Privacy Rights Clearinghouse in filing the FTC complaint on Monday.
The groups claim that Google’s privacy-policy change in June capped “a nearly decade-long deception that Google has perpetrated against its users, the FTC, and the public.”
A Google spokeswoman said the firm in June updated its ads system and user controls “to match the way people use Google today: across many different devices.”
“Before we launched this update, we tested it around the world with the goal of understanding how to provide users with clear choice and transparency,” the spokeswoman said. “As a result, it is 100 percent optional — if users do not opt in to these changes, their Google experience will remain unchanged.
“We provided prominent user notifications about this change in easy-to-understand language as well as simple tools that let users control or delete their data. Users can access all of their account controls by visiting My Account.”
The complaint to the FTC opens with reference to Google’s 2007 purchase of advertising-service firm DoubleClick, during which it “overcame significant privacy concerns by pledging to Congress, the Federal Trade Commission (FTC), and the public at large not to combine its users’ personally-identifiable information with DoubleClick’s vast browsing data.”
Google’s promises led trade regulators to approve the DoubleClick acquisition, the complaint said. “Nearly a decade later, on June 28, 2016, Google quietly changed its privacy policy to permit the combination of this data, and forced the change on users in a highly deceptive manner, without meaningful notice and consent,” according to the complaint.
Specifically, the complaint attacked the blending of information that Google obtains via cookies that track users’ behavior online, and personal information Google gathers via user accounts. The groups contend that Google “induced” users to accept the change to the privacy policy by “cloaking it in an offer to enable ‘new features’ that purport to provide ‘more control’ over users’ personal data.
“Unsuspecting users accepted Google’s offer in droves,” the complaint said. “Google has now created the ‘super-profiles’ that privacy advocates warned against when Google acquired DoubleClick.”
The complaint argued that with the privacy policy change, Google can now track users’ activity on Android phones, which have an 88 percent market share worldwide, along with activity on any site using Google Analytics, hosting YouTube videos, or displaying ads served by DoubleClick or its other ad-service firm AdSense.
“Google has given itself the power to track users across the overwhelming majority of websites in use in the world today, many of which appear to users to be entirely unconnected from Google,” the complaint said.
The two groups claim Google broke the FTC Act through “unfair or deceptive acts or practices” such as saying it wouldn’t combine personally identifiable information with DoubleClick’s browsing data and then doing so; repeatedly telling users it would be transparent about how it handled their data when it has instead been deceptive; reaping “massive troves” of user data under “false pretenses” and hiding the nature and extent of the policy changes in order to get users to consent to them.
“Each of these representations was intended to induce Google’s users to grant Google more and more access to their lives and their data,” the complaint said.
The groups also alleged that Google’s changes to the privacy policy violated the terms of a consent order between Google and the FTC over the firm’s use of customer information during its 2010 rollout of the now-defunct “Buzz” social network.
To be sure, the complaint acknowledged that Google has told users it might combine information from one service with personal information from other Google services and that users’ activity on other sites and apps may be associated with their personal information “in order to improve Google’s services and the ads delivered by Google.”
But, the groups argued, users “were not clearly informed of the significance of the changes — or ‘features’ as Google would have it — nor were they clearly and unambiguously given a chance to reject them.”
Existing users who didn’t want to accept the changes couldn’t reject them right away, but were instead given a “more options” button to click, which led to a another page where users could select “no changes,” the complaint alleged.
However, for new users, “the combination of personal and browsing data was done by default,” the complaint said, though it noted that Google does tell new users that it combines data among its services and across users’ devices.
“Anecdotally, many users who have activated the new features have no recollection of having done so, a testament to how deceptive the notice was,” the complaint said.
Google’s privacy policy advises users that they can block the cookies that collect browsing data. But the firm warns that doing so means many Google services won’t work properly. “For example, we may not remember your language preferences,” the company’s policy said.
Users can also delete personal information, for what that’s worth. Google says it has to protect against accidental or malicious data removal, so “after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems.”
The consumer groups set Google’s privacy policy change into a context of wrongdoing. The two organizations note that the FTC fined Google $22.5 million in 2012, because, as the FTC put it at the time, “it misrepresented to users of Apple Inc.’s Safari Internet browser that it would not place tracking ‘cookies’ or serve targeted ads to those users, violating an earlier privacy settlement between the company and the FTC.”
Also, the groups noted, that in 2010 Google was caught using Street View cars to gather private data from private wi-fi networks, and was fined $25 million for that by the FTC in 2012.
“Fines Google has faced so far are but pocket change for Google. The company’s executives consider it merely the cost of doing business as they willfully violate our privacy,” said John Simpson, privacy project director at Consumer Watchdog. “The FTC must take meaningful action to stop this serial abuser and force it to give up its ill-gotten gains.”