Google, FTC near settlement on privacy
Google Inc. is close to a deal to pay $22.5m to settle charges related to its surreptitious bypassing of the privacy settings of millions of Apple Inc. users, according to officials briefed on the settlement terms.
The fine is expected to be the largest penalty ever levied on a single company by the U.S. Federal Trade Commission. It offers the latest sign of the FTC's stepped-up approach to policing online privacy violations, coming just six months after The Wall Street Journal reported on Google's practices.
While the fine likely will represent only a tiny portion of Google's revenues—last year, the Internet giant raked in that much cash roughly every five hours or so—it counts among a series of negative reports about Google's privacy practices that could undermine users' trust in its services.
The current charges involve Google's use of special computer code to trick Apple's Safari Web-browsing software into letting it monitor users that had blocked such tracking. Google disabled the code after being contacted by the Journal, which wrote about Google's practices in February.
Google officials say tracking of Apple users was inadvertent and didn't cause any harm to consumers. But Google's actions appeared to contradict previous statements it had made assuring Apple users that they could rely on Safari's privacy settings to block unwanted tracking.
Google said in a statement, "The FTC is focused on a 2009 help center page.…We have now changed that page and taken steps to remove the ad cookies," referring to the small computer files that can enable tracking of people's online activities.
An FTC spokeswoman declined to comment.
Google's practices triggered an FTC investigation into whether the company had violated a 20-year consent decree it signed with the FTC only last October, according to lawyers involved in the investigation. In that agreement, Google agreed not to misrepresent its privacy practices to consumers.
The penalty for violating the agreement is $16,000 per violation per day.
In recent weeks, the FTC staff and Google have reached a proposed settlement and agreed on a fine, according to several people close to the investigation. The settlement is awaiting approval by FTC commissioners and could still be altered before it becomes public.
The settlement—while much smaller than the $500 million Google agreed to forfeit in a settlement with the Justice Department last year for promoting unlawful sales of prescription drugs—is likely to be the stiffest penalty imposed so far by the FTC, a relatively small federal agency.
Under FTC Chairman Jon Leibowitz, the agency launched a privacy initiative in 2010 by hosting a series of meetings with industry representatives and privacy advocates. At the end of the year, the FTC issued a preliminary set of privacy recommendations that it urged the industry to adopt, including the development of a do-not-track feature in Web browsers. Earlier this year, the FTC won a victory when the online advertising industry dropped its opposition to do-not-track and agreed to support the features in Web browsers by the end of this year. Details of that arrangement are being worked out.
During this time, the FTC has stepped up enforcement of privacy violations, though it lacks the authority to fine companies for most privacy missteps.
In the past three years, the agency separately charged Google, Facebook Inc., Twitter Inc. and Myspace LLC with privacy and data-security violations. None of the charges carried fines, but in each case the companies agreed to 20-year consent decrees governing their future behavior.
In March 2011, the FTC charged Google with using deceptive tactics when it launched an online social network, Google Buzz. In October, Google signed a consent decree to settle the charges. It agreed to put in place a number of privacy-protecting measures, including a "comprehensive privacy program" to conduct privacy-risk assessments of Google's products and services and to be audited by a third party every other year for the next two decades.
Google didn't admit wrongdoing in the settlement. Buzz was eventually closed and replaced with the Google+ social network.
Buzz hasn't been Google's only privacy misstep. In 2010, Google said it had inadvertently collected Internet users' private communications as part of its Wi-Fi data collection using Street View cars. In April, the Federal Communications Commission fined Google $25,000 for allegedly obstructing its Street View investigation and investigations are ongoing in several other countries. Google said in a statement that it didn't break the law and believes it cooperated with the investigation.
In January, Google announced it was changing its privacy policies in ways that threatened to erode users' ability to remain anonymous by linking information that had previously been separate, such as information from search queries and YouTube views. Google rolled out the new policy in March despite a pending investigation in Europe. In a statement, Google said, "We are confident that our privacy notices respect the requirements of European data protection laws."
The current case is likely to allege that Google violated the terms of the Buzz consent decree when it bypassed Apple users' privacy settings, according to four people familiar with the negotiations.
The FTC rarely charges companies with violating consent decrees, though it has in the recent past.
In 2010 the FTC fined a New Jersey telemarketer $18.8 million for violating an FTC order when it misled people into believing they were donating to charities, when in fact little of the money was given to charity.
In that case, the two defendants were ordered to turn over assets including two homes each worth $2 million, paintings by Picasso and Van Gogh, three Mercedes, two Bentleys, and a guitar collection valued at $800,000.
Beyond any FTC settlement, Google could still face other government actions. Google's bypassing of Apple privacy settings is still under investigation in the European Union as part of a wide-ranging examination of whether Google's new privacy policy complies with Europe's strict data-policy regulations.
France's privacy-protection agency, Commission Nationale de l'Informatique et Libertés, or CNIL, is leading the pan-European investigation. The agency had initially expected to finish its analysis and publish a joint report with European counterparts on Google's new policies by mid-July. That is now likely to be pushed back a month or more, according to a person close to the investigation.
Google and the CNIL have traded two rounds of written questions because the agency judged Google's first set of responses to be "often incomplete or vague," according to a May press release from the agency. For European authorities, a major concern is whether people know how and where their data is being used, a requirement of European law.
Separately, a group of U.S. state attorneys general are investigating Google's circumvention of Safari's privacy settings. State attorneys general can have the ability to levy fines of up to $5,000 per violation. "The investigation is ongoing," said a spokesman for New York Attorney General Eric Schneiderman.
(Published by WSJ - July 9, 2012)