FTC Ramping Up Data Privacy Enforcement Actions; Google Fined $22.5 Million


Earlier this month, Google Inc. agreed to pay a $22.5 million civil penalty to settle Federal Trade Commission charges claiming that it misrepresented to users of Apple's Safari Internet browser that it would not place advertising tracking "cookies" or serve targeted ads to them, in violation of an earlier privacy settlement it reached with the FTC. According to a recent FTC press release, this represents the largest FTC penalty ever for a violation of a Commission order.

The FTC's complaint alleged that Google placed advertising tracking cookies onto users' Safari browsers for several months in 2011 and 2012, which enabled Google to collect user information and serve targeted advertisements to them, even though it had previously told them that they would be opted out of such tracking. The FTC also charged that Google's misrepresentations violated the October 2011 Google Buzz settlement (based on alleged deceptive privacy practices relating to the now-defunct Google Buzz social network), which barred it from future privacy misrepresentations, required it to implement a comprehensive privacy program, and required independent privacy audits for 20 years. Google has denied liability, calling the use of tracking cookies an inadvertent technical glitch, but has agreed to pay the $22.5 million penalty.

The Commission voted to approve the proposed consent decree, stating that the settlement is "intended to provide a strong message to Google and other companies under order that their actions will be under close scrutiny and that the Commission will respond to violations quickly and vigorously." Commissioner Rosch dissented, arguing that a consent decree containing a denial of liability should not be accepted and that "$22.5 million represents a de minimis amount" of Google's $38 billion annual revenues (nearly all of which are derived from advertising). However, the majority of the Commission disagreed, explaining that a denial of liability is not "inconsistent with the imposition of a civil penalty" and the "swift imposition of a $22.5 million fine helps promote" future compliance.

The FTC's complaint alleged violations of Section 5 of the FTC Act, 15 U.S.C. § 45, which prohibits "unfair or deceptive acts or practices in or affecting commerce." A host of other laws provide the agency with enforcement authority to protect consumers' privacy, including the Gramm-Leach-Bliley Act (applicable to financial institutions), the federal Red Flags Rule (applicable to financial institutions and certain other creditors), and the Children's Online Privacy Protection Act (applicable to commercial websites and online services directed to children).

In recent months, the FTC has ramped up its enforcement of data privacy laws, which is clear from the following:

  • The FTC approved a final settlement with Facebook earlier this month, resolving charges that Facebook deceived consumers by sharing their information with others (including advertisers) and making it public after informing them that it would remain private.The settlement requires Facebook to give consumers clear notice and obtain their express consent before sharing their information, maintain a comprehensive privacy program to protect their information, and obtain biennial privacy audits from an independent third party.
  • The FTC filed a complaint against Wyndham Hotels in June 2012 charging that it misrepresented its information security measures and repeatedly failed to safeguard consumers' personal information, which resulted in the compromise of several hundred thousand consumers' payment card data and a $10.6 million loss due to fraud.
  • In March 2012, RockYou, the operator of a social game site, agreed to settle charges that it failed to protect the privacy of its users (despite its representations to the contrary), allowing hackers to access the personal information of 32 million users, including 179,000 children, in violation of Section 5 of the FTC Act and the Children's Online Privacy Protection Act Rule.The settlement requires the company to pay a $250,000 civil penalty, to maintain a data security program, and to submit to security audits for 20 years.
  • In June 2012, the FTC reached settlements with a debt collection business and an auto dealer charged in separate cases with failing to maintain reasonable security measures to protect consumers' personal information and exposing that information by installing peer-to-peer file-sharing software on their corporate computer systems.The settlements with both businesses bar them from making misrepresentations about the privacy and security of consumers' personal information and require them to maintain comprehensive information security programs.

The FTC has issued numerous press releases reporting these and other FTC privacy enforcement actions and settlements. These developments, which have also been reported in major news outlets-including The Wall Street Journal, The New York Times, and The Washington Post-underscore the importance of maintaining appropriate safeguards to protect personal information.

In March 2012, the FTC issued a report, entitled Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers, setting forth best practices for companies to protect consumer privacy, including: (1) privacy by design (building in privacy protections at every stage of product/service development); (2) simplified consumer choice regarding information sharing (including Do-Not-Track mechanisms); and (3) greater transparency (disclosing details about collection and use of consumers' information). Given the trend of active data privacy law enforcement at both the state and federal level, companies would be wise to follow these guidelines.

For more information regarding implementing the FTC's best practices or compliance with state and federal data privacy laws, please contact David Governo ([email protected]) or Corey Dennis ([email protected]).