United States v. Google Inc.

United States v. Google Inc.
CourtUnited States District Court for the Northern District of California
Full case name United States v. Google Inc.
DecidedNovember 16, 2012
Docket nos.3:12-cv-04177
Court membership
Judge sittingSusan Yvonne Illston

United States v. Google Inc., No. 3:12-cv-04177 (N.D. Cal. Nov. 16, 2012), is a case in which the United States District Court for the Northern District of California approved a stipulated order for a permanent injunction and a $22.5 million civil penalty judgment, the largest civil penalty the Federal Trade Commission (FTC) has ever won in history.[1] The FTC and Google Inc. consented to the entry of the stipulated order to resolve the dispute which arose from Google's violation of its privacy policy. In this case, the FTC found Google liable for misrepresenting "privacy assurances to users of Apple's Safari Internet browser".[2] It was reached after the FTC considered that through the placement of advertising tracking cookies in the Safari web browser, and while serving targeted advertisements, Google violated the 2011 FTC's administrative order issued in FTC v. Google Inc.[3]

2011 FTC administrative order

[edit]

In February 2011, the Electronic Privacy Information Center (EPIC) filed a complaint before the FTC requesting an investigation against Google Inc. EPIC alleged that during the launching of its Google Buzz social network, Google's business practices violated the privacy interests of its consumers. EPIC specified that its "complaint concerns an attempt by Google, Inc., the provider of a widely used email service, to convert the private, personal information of Gmail subscribers into public information for the company's social network service Google Buzz."[4]

In October 2011, the FTC initiated an administrative proceeding against Google, charging that it had violated the FTC Act. The FTC asserted that Google, while launching its social networking tool, Google Buzz, had designed business practices which unfairly affected "commerce."[5] In the FTC's view, Google violated its privacy promises to its customers since it "misrepresented to users of its Gmail email service that: (1) Google would not use their information for any purpose other than to provide that email service; (2) users would not be automatically enrolled in the Buzz network; and (3) users could control what information would be public on their Buzz profiles."[6]

In the complaint, the FTC considered that Google launched the social network Google Buzz through its Gmail web-based email product.[7] The FTC alleged that the tools to decline or leave the social network were ineffective. Even more, in those cases where users declined to be part of the social network, they were nonetheless "enrolled in certain features of the Google Buzz social network. For those Gmail users who clicked on "Sweet!," the FTC alleged that they were not adequately informed that the identity of the individuals they emailed most frequently would be made public by default. Google also offered a "Turn Off Buzz" option that did not fully remove the user from the social network."[7]

As stated in the complaint, the FTC concluded that "...the setup process for Gmail users who enrolled in Buzz did not adequately communicate that certain previously private information would be shared publicly by default. Further, the controls that would allow the user to change the defaults were confusing and difficult to find" and that "certain personal information of Gmail users was shared without consumers' permission through the Google Buzz social network."[5]

In late 2011, the FTC and Google agreed to a settlement order, wherein Google was to implement a privacy program intended to efficiently protect consumer data. Additionally Google was to subject itself to independent privacy audits for the next 20 years.[8] According to the settlement, Google agreed that it will not, among other things, misrepresent in any manner, expressly or by implication, "the extent to which respondent maintains and protects the privacy and confidentiality of any covered information, including but not limited to, misrepresentations related to: (1) the purpose for which it collects and uses covered information, and (2) the extent to which consumers may exercise control over the collection, use, or disclosure of covered information," as well as the extent to which Google participated in any EU–US Safe Harbor.[8]

The consent order was served on Google on October 28, 2011. It is known to be the first decision of its kind, requiring a company to implement a comprehensive privacy program. The order prevented the company "from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next twenty years."[7]

Google–Safari case

[edit]

On August 8, 2012, the United States filed a complaint ("Safari complaint") against Google Inc., alleging that it had violated the consent order which it had entered into with the FTC, (to settle the above-mentioned Google Buzz case). The government's complaint stems from a page on Google's website that tells Safari browser users "that Safari's default operation is to deny what are called third-party cookies, which can be used to track users. At the time they wrote it, this statement was true, but Apple later changed the behavior of Safari to allow third-party cookies from sites that had previously served cookies to the user."[9]

The Safari complaint stated that Google used "the 'DoubleClick Advertising Cookie' to collect information and serve targeted advertisement services to users who visit Google websites, Google partner websites, and websites that use Google's advertising services."[10] As part of Google's advertising privacy controls, Google offered to its users the possibility of "opting out" from the delivery of targeted advertising. As stated in the Safari complaint, "A user may opt out of targeted advertising either by clicking a button on Google's Ads Preferences webpage ('opt-out button') or by downloading Google's 'advertising cookie opt-out plug in'".[11] This "opt-out cookie" technology (also referred to as the "DoubleClick opt-out cookie") was available to users of only three browsers: Internet Explorer, Firefox, and Google Chrome. Since the opt-out extension was not available for the Safari browser, Google assured Safari's users that they need not take any action "to be opted out of DoubleClick targeted advertisements". According to Google's representation, Safari blocked by default (although allowed in certain exceptional circumstances) third-party cookies, and said blocking was enough to prevent Google from placing tracking cookies or serve targeted advertisements; however even when Safari users had activated the default privacy settings, they received tracking cookies and targeted advertisements.[10]

The government alleged that "despite its representations to Safari users, Google overrode the Safari default browser setting and placed the DoubleClick Advertising Cookie on Safari browsers." Google's conduct overrode Safari software that blocked cookies, by sending code that was invisible to the user to communicate with that user's Safari browser anytime that a Safari user visited a "Google website, Google partner website, or website that used Google's advertising services."[10] This allowed Google to store, collect, and transmit the users information.

In view of Google's conduct, the complaint addressed five relevant causes of action: (i) collecting covered information, (ii) serving targeted advertisements, (iii) misrepresenting Network Advertising Initiative Code compliance, (iv) civil penalties, and (v) prayer for relief.[10] Furthermore, the government alleged that Google's conduct violated the October 2011 (Google Buzz) order.

Court's opinion

[edit]

The government filed a Proposed Stipulated Order for Permanent Injunction and Civil Penalty Judgment ("Proposed Order") which was approved by the District Court for the Northern District of California on November 16, 2012.[12]

In the Proposed Order, the parties agreed that Google denies any guilt regarding its failure to abide by the FTC v. Google Inc settlement order. However, Google agreed to: (i) pay a civil penalty of $22.5 million; (ii) maintain until February 15, 2014, a system that had to delete cookies from Safari browser users; and (iii) file a report with the FTC within 20 days of February 15, 2014 which would document that Google had complied with the remediation component of the order.[12]

Consumer Watchdog objected to the Proposed Order, calling for a greater civil penalty and an admission of liability from Google.[13] Consumer Watchdog further argued that the injunction will be in effect for too short of a duration, and that the Order gives Google the ability to resume its unauthorized practices after February 15, 2014. The Court held that the Proposed Order was the result of "good faith, arms-length negotiations," that the Proposed Order is presumed to be fair and reasonable, and thus the objecting party has the burden of disproving this presumption.[14] Judge Susan Illston found that Consumer Watchdog's objections were insufficient to satisfy this burden. Specifically, Judge Illston found that a longer injunction was unnecessary as Google was still legally obligated to work under the terms specified in its previous consent order with the FTC (Google Buzz)."[14]

Impact

[edit]

This case had a great impact on the technology industry as it showed the range of enforceability with regard to FTC consent orders. It was not just the second case against the same company in less than twelve months, but it was also the first case in which the FTC was able to fine a private company. Françoise Gilbert, at Bloomberg, stated that "this Google II action is not just another FTC case under section 5 of the FTC Act. It is unique in many respects. The case is second one against Google in less than 12 months. The FTC does not have the authority to fine a company under Section 5 of the FTC Act, but it can fine a company that violates a consent order with the commission. The FTC took that power into account and built on its prior case against the company (Google I). The arguments are in some respects different than in other similar cases addressing consumer privacy, and the complaint (Google II Complaint) and proposed order provide significant insight into the reasoning of the FTC, which is very valuable information for companies that collect or use personal information and prefer to reduce the risk of government action."[15]

Additionally, the case also highlighted the impact that this case may have caused in the international community: "the FTC action against the world's most popular search engine provides the US government with an opportunity to show the rest of the world, and especially the European Union and the Asia–Pacific Economic Cooperation member economies, that it cares about privacy and is serious about enforcement. In its press release, the FTC announced that this settlement was "part of the FTC's ongoing efforts to ensure that companies live up to the privacy promises that they make to consumers."[15]

[edit]

References

[edit]
  1. ^ Forden, Sara (November 17, 2012). "Google Judge Accepts $22.5 Million FTC Privacy Settlement". Bloomberg. Retrieved March 18, 2014.
  2. ^ Federal Trade Commission-FTC (August 9, 2012). "Google Will Pay $22.5 Million to Settle FTC Charges it Misrepresented Privacy Assurances to Users of Apple's Safari Internet Browser". Retrieved March 2, 2014.
  3. ^ Federal Trade Commission-FTC (November 20, 2012). "Statement by FTC Bureau of Consumer Protection Director David Vladeck Regarding Judges Approval of Google Safari Settlement". Retrieved March 2, 2014.
  4. ^ Electronic Privacy Information Center-EPIC. "In re Google Buzz, complaint" (PDF). Retrieved March 2, 2014. {{cite web}}: |last= has generic name (help)
  5. ^ a b Google, Inc., In the Matter of (March 30, 2011). "Complaint Google Buzz". Federal Trade Commission-FTC. Retrieved March 2, 2014. {{cite web}}: |last= has generic name (help)CS1 maint: multiple names: authors list (link)
  6. ^ Complaint (August 9, 2012). "United States v. Google, Inc., Case No. 5:12-cv-04177-HRL, FTC Docket No. C-4336 (N.D. Cal. Aug. 8, 2012)". Federal Trade Commission. Retrieved March 2, 2014.
  7. ^ a b c Federal Trade Commission-FTC (March 30, 2011). "FTC Charges Deceptive Privacy Practices in Googles Rollout of Its Buzz Social Network". Retrieved March 2, 2014.
  8. ^ a b Federal Trade Commission-FTC. "In the matter of Google, Inc. Decision and Order" (PDF). Retrieved March 2, 2014.
  9. ^ Black, Ed. "Will FTC Online Privacy Settlements Do More Harm Than Good?". Forbes. Retrieved April 6, 2014.
  10. ^ a b c d Federal Trade Commission-FTC (August 9, 2012). "United States v. Google Inc. - complaint". Retrieved March 2, 2014.
  11. ^ United States Federal Trade Commission. Complaint For Civil Penalties and Other Relief, and Exhibits A and B. August 8, 2012. Retrieved November 22, 2012
  12. ^ a b "United States v. Google Inc.-Order Approving Stipulated Order for Permanent Injunction and Civil Penalty Judgment (November 16, 2012)" (PDF). Retrieved March 2, 2014.
  13. ^ David Meyer; originally from ZDNET.COM (November 19, 2012). "Judge Approves $22.5M Google-FTC Settlement, Rebuffs Consumer Group". Retrieved March 2, 2014.
  14. ^ a b Holzapfel, Casey (December 4, 2012). "Judges Approve Google's $22.5 Million Settlement with FTC for Safari Privacy Violation". Jolt Digest, Harvard Journal of Law & Technology. Retrieved March 2, 2014.
  15. ^ a b Gilbert, Françoise (2012). "THE FTC V. GOOGLE SAGA—EPISODE II: WHAT LESSONS FOR U.S. BUSINESSES?". Retrieved March 2, 2014.