Google has agreed to a record $22.5 million fine to settle charges that it circumvented the privacy settings of Safari users, the Federal Trade Commission announced on Thursday.
"The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order," FTC Chairman Jon Leibowitz said. "No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers."
The settlement resolves contempt charges stemming from allegations that Google developed a workaround to Safari's no-tracking settings. Google — which also faces a potential class-action lawsuit over the alleged hack — didn't admit to wrongdoing in the case.
News of Google's workaround was first made public by graduate student Jonathan Mayer, who published a report in February outlining how the company bypassed users' settings. Google said at the time that it originally circumvented Safari's settings in order to enable Safari users to like ads with the +1 button, not to track them throughout the Web.
But once the workaround was in place, Google's DoubleClick also was able to track people in order to target ads to them, based on their Web-surfing history.
The workaround might not in itself have resulted in an FTC action, but Google also specifically instructed users that the Safari browser would block tracking cookies. That statement gave the FTC grounds to file contempt charges against Google, for allegedly violating a 2011 consent decree that bans the company from misrepresenting its privacy practices.
The FTC's complaint, unveiled on Thursday, also alleges that Google deceived consumers by stating that it complied with the Network Advertising Initiative's self-regulatory code. The NAI requires members to disclose how they collect and use data.
Google has already deleted much of the data it collected. The company promised to shed all of it by next year as part of the settlement.
The eight-figure fine signals that the FTC is making privacy a priority, says advertising lawyer Jeffrey Greenbaum, a partner in Frankfurt Kurnit Klein & Selz. "They are trying to send a loud and clear message to industry that privacy is really, really, really important to us," he says.
Greenbaum adds that the enforcement action shows that the FTC will aggressively enforce consent decrees. "People think when they enter into a consent order with the FTC that it's over. What the FTC wants industry to hear is, 'When you sign an order with the FTC, that's just the beginning,'" he says.
New York Law School professor James Grimmelmann adds that Google's tracking glitch shows the dangers of tinkering with privacy tools — even if for an innocent purpose, such as allowing users to "like" ads. "Privacy circumvention is a sketchy practice, and companies that engage in it run significant risks."
For Google, the Safari hack marks at least the third major privacy glitch in the last few years. In 2010, when Google launched the now-defunct social networking service Buzz — which aimed to create networks out of people's email contacts — the feature revealed names of users' email contacts by default. The company also came under fire last year, after reports surfaced that Street View cars collected passwords, browsing history and other data from people accessing the Web via unsecured WiFi networks.
On Thursday, the FTC's consumer protection head David Vladeck expressed frustration with Google's explanations for the privacy glitches — which often boil down to a statement that it didn't realize what was happening. "It is troubling to us that Google says, 'We didn't know,'" Vladeck said on a conference call with reporters. "Their answer in WiFi Street View was, 'We didn't realize what was going on.' Their answer here is, 'We really didn't know.' A company like Google … has to do better."
FTC Commissioner J. Thomas Rosch dissented from the vote to accept the settlement because Google didn't admit that it had violated the previous consent decree. "It arguably cannot be concluded that the consent decree is in the public interest when it contains a denial of liability," he wrote.
The group Consumer Watchdog also was unhappy with the agreement, calling the fine "woefully insufficient considering that Google refused to admit any liability or wrongdoing." The group says it hopes to block the settlement.