The record fine is the FTC’s first for a violation of Internet privacy as the agency steps up enforcement of consumers’ online rights.
The FTC alleged that Mountain View, California-based Google deceived consumers and violated terms of a consent decree signed with the commission last year when it planted cookies on Safari, bypassing Apple software’s privacy settings, to track users’ Internet browsing behavior.
“The record-setting penalty in this matter sends a clear message to all companies under an FTC privacy order,” said FTC Chairman Jon Leibowitz. “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to com ply in the first place.”
Google, operator of the world’s largest Internet search engine, has drawn regulatory scrutiny and pressure from consumer advocates for the way it handles personal information. The company’s consent decree with the FTC settled allegations that it used deceptive tactics and violated its own privacy policies in introducing the Buzz social-networking service in 2010.
“We set the highest standards of privacy and security for our users,” Google said in an e-mail statement. “The FTC is focused on a 2009 help-center page published more than two years before our consent decree, and a year before Apple changed its cookie-handling policy. We have now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.”
Consumer Watchdog, an advocacy group based in Santa Monica, California, said the fine wasn’t big enough to teach a lesson to Google, which reported net income of $9.7 billion last year and is expected to generate profit of $13.7 billion this year, according to the average estimate of 34 analysts surveyed by Bloomberg News.
“While the $22.5 million penalty levied against Google is a record for the FTC, it is woefully insufficient considering that Google refused to admit any liability or wrongdoing,” said John Simpson, privacy project director for the public interest group.
“The commission has allowed Google to buy its way out of trouble for an amount that probably is less than the company spends on lunches for its employees and with no admission it did anything wrong,” Simpson said.
In addition to the penalty, the FTC ordered Google to disable all the tracking cookies. Most of the tracking cookies have been removed and all must be gone by February of 2014, James Kohn, the FTC’s associate director for enforcement, said on a conference call today with reporters after the announcement.
Google shares rose less than 1 percent to $643.04 at 2:34 p.m. in New York trading. The stock has declined 0.43 percent this year.
Cookies are small pieces of computer text that collect information from computers about a user’s browsing behavior and can be used to serve advertisements to consumers based on their interests as shown by the websites they visit.
Google specifically told users of Apple’s Safari that because the browser is set by default to block third-party cookies, as long as users don’t change their browser settings, this setting effectively accomplishes the same thing as opting out of online tracking, according to the FTC complaint.
Google exploited an exception to the browser’s default setting to place a temporary cookie, the FTC said.
The Safari breach was first identified by Stanford researcher Jonathan Mayer, who published a blog entry on his discoveries Feb. 16. Google said at the time that it “didn’t anticipate this would happen” and that it was removing the files since discovering the slip.
The agency was investigating Google’s privacy violations before Mayer’s report was published, David Vladeck, director of the FTC’s bureau of competition, said on the conference call today. He also called Google’s response that it was unaware of the breach “troubling.”
“Google’s defense waves a red flag to regulators,” Vladeck said. “The social contract is if you are going to hold on to people’s private data, you’ve got to do a better job of honoring your commitments.”
The cookies allowed Google to avoid Safari’s built-in privacy protections to aim targeted advertising at users of Safari on computers, laptops, iPhones and iPads.
Marc Rotenberg, president of the Electronic Privacy Information Center, which filed the initial complaint in February 2010 that led to the consent decree, said “although we had previously expressed concerns about the failure of the FTC to enforce its own orders, we are pleased that the commission has now taken action to protect the privacy of Internet users.”