United States v. Google Inc.

Last updated
United States v. Google Inc.
US DC NorCal.svg
Court United States District Court for the Northern District of California
Full case nameUnited States v. Google Inc.
DecidedNovember 16, 2012
Docket nos. 3:12-cv-04177
Court membership
Judge(s) sitting Susan Yvonne Illston

United States v. Google Inc., No. 3:12-cv-04177 (N.D. Cal. Nov. 16, 2012), is a case in which the United States District Court for the Northern District of California approved a stipulated order for a permanent injunction and a $22.5 million civil penalty judgment, the largest civil penalty the Federal Trade Commission (FTC) has ever won in history. [1] The FTC and Google Inc. consented to the entry of the stipulated order to resolve the dispute which arose from Google's violation of its privacy policy. In this case, the FTC found Google liable for misrepresenting "privacy assurances to users of Apple's Safari Internet browser". [2] It was reached after the FTC considered that through the placement of advertising tracking cookies in the Safari web browser, and while serving targeted advertisements, Google violated the 2011 FTC's administrative order issued in FTC v. Google Inc. [3]

Contents

2011 FTC administrative order

In February 2011, the Electronic Privacy Information Center (EPIC) filed a complaint before the FTC requesting an investigation against Google Inc. EPIC alleged that during the launching of its Google Buzz social network, Google's businesses practices violated the privacy interests of its consumers. EPIC specified that its "...complaint concerns an attempt by Google, Inc., the provider of a widely used email service to convert the private, personal information of Gmail subscribers into public information for the company's social network service Google Buzz…" [4]

In October 2011, the FTC initiated an administrative proceeding against Google, charging that it had violated the FTC Act. The FTC asserted that Google, while launching its social networking tool, Google Buzz, had designed business practices which unfairly affected "commerce." [5] In the FTC's view, Google violated its privacy promises to its customers since it "misrepresented to users of its Gmail email service that: (1) Google would not use their information for any purpose other than to provide that email service; (2) users would not be automatically enrolled in the Buzz network; and (3) users could control what information would be public on their Buzz profiles." [6]

In the complaint, the FTC considered that Google launched the social network Google Buzz through its Gmail web-based email product. [7] The FTC alleged that the tools to decline or leave the social network were ineffective. Even more, in those cases where users declined to be part of the social network, they were nonetheless "enrolled in certain features of the Google Buzz social network. For those Gmail users who clicked on "Sweet!," the FTC alleged that they were not adequately informed that the identity of the individuals they emailed most frequently would be made public by default. Google also offered a "Turn Off Buzz" option that did not fully remove the user from the social network." [7]

As stated in the complaint, the FTC concluded that "...the setup process for Gmail users who enrolled in Buzz did not adequately communicate that certain previously private information would be shared publicly by default. Further, the controls that would allow the user to change the defaults were confusing and difficult to find" and that "certain personal information of Gmail users was shared without consumers' permission through the Google Buzz social network." [5]

In late 2011, the FTC and Google agreed to a settlement order, wherein Google was to implement a privacy program intended to efficiently protect consumer data. Additionally Google was to subject itself to independent privacy audits for the next 20 years. [8] According to the settlement, Google agreed that it will not, among other things, misrepresent in any manner, expressly or by implication, "the extent to which respondent maintains and protects the privacy and confidentiality of any covered information, including but not limited to, misrepresentations related to: (1) the purpose for which it collects and uses covered information, and (2) the extent to which consumers may exercise control over the collection, use, or disclosure of covered information," as well as the extent to which Google participated in any U.S.-EU Safe Harbor. [8]

The consent order was served on Google on October 28, 2011. It is known to be the first decision of its kind, requiring a company to implement a comprehensive privacy program. The order prevented the company "from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next twenty years." [7]

Google–Safari case

On August 8, 2012, the United States filed a complaint ("Safari complaint") against Google Inc., alleging that it had violated the consent order which it had entered into with the FTC, (to settle the above-mentioned Google Buzz case). The government's complaint stems from a page on Google's website that tells Safari browser users "that Safari's default operation is to deny what are called third-party cookies, which can be used to track users. At the time they wrote it, this statement was true, but Apple later changed the behavior of Safari to allow third-party cookies from sites that had previously served cookies to the user." [9]

The Safari complaint stated that Google used the "DoubleClick Advertising Cookie" to "collect information and serve targeted advertisement services to users who visit Google websites, Google partner websites, and websites that use Google's advertising services." [10] As part of Google's advertising privacy controls, Google offered to its users the possibility of "opting out" from the delivery of targeted advertising. As was stated in the Safari complaint, "...a user may opt out of targeted advertising either by clicking a button on Google's Ads Preferences webpage ("opt-out button") or by downloading Google's "advertising cookie opt-out plug in," and both of the previous options would place an "opt-out cookie" on the user's browser. [10] The "opt-out cookie" technology (also referred as the "DoubleClick opt-out cookie") was available to users of only three browsers: Internet Explorer, Firefox, and Google Chrome. Since the "opting-out" plug in was not available for the Safari browser, Google assured Safari's users that they need not take any action "to be opted out of DoubleClick targeted advertisements". According to Google's representation, Safari blocked by default (although allowed in certain exceptional circumstances) third-party cookies, and said blocking was enough to prevent Google from placing tracking cookies or serve targeted advertisements; however even when Safari users had activated the default privacy settings, they received tracking cookies and targeted advertisements. [10]

The government alleged that "despite its representations to Safari users, Google overrode the Safari default browser setting and placed the DoubleClick Advertising Cookie on Safari browsers." Google's conduct overrode Safari software that blocked cookies, by sending code that was invisible to the user to communicate with that user's Safari browser anytime that a Safari user visited a "Google website, Google partner website, or website that used Google's advertising services." [10] This allowed Google to store, collect and transmit the users information.

In view of Google's conduct, the complaint addressed five relevant causes of action: (i) Collecting covered information, (ii) Serving targeted advertisements, (iii) Misrepresenting NAI Code compliance, (iv) Civil penalties and (v) Prayer for relief. [10] Furthermore, the government alleged that Google's conduct violated the October 2011 (Google Buzz) order.

Court's opinion

The government filed a Proposed Stipulated Order for Permanent Injunction and Civil Penalty Judgment ("Proposed Order") which was approved by the District Court for the Northern District of California on November 16, 2012. [11]

In the Proposed Order, the parties agreed that (i) Google denies any guilt regarding its failure to abide by the FTC v. Google Inc settlement order and, (ii) Google agreed to: (a) pay a civil penalty of $22.5 million, (b) maintain until February 15, 2014, a system that had to delete cookies from Safari browser users and (c) file a report with the FTC within 20 days of February 15, 2014 which would document that Google had complied with the remediation component of the order. [11]

In reaction to the Proposed Order, Consumer Watchdog objected to the Proposed Order "...claiming that the injunction was inadequate, the civil penalty was too small, and Google should be forced to admit liability." [12] Consumer Watchdog claimed that the injunction will be in effect for too short of a duration and that the Order gives Google the ability to resume its unauthorized practices after February 15, 2014. The Court held that the Proposed Order was the result of "good faith, arms-length negotiations," that the Proposed Order is presumed to be fair and reasonable, and thus the objecting party has the burden of disproving this presumption. [13] Judge Susan Illston found that Consumer Watchdog's objections were insufficient to satisfy this burden. Specifically, Judge Illston found that a longer injunction was unnecessary as Google was still legally obligated to work under the terms specified in its previous consent order with the FTC (Google Buzz)." [13]

Impact

This case had a great impact on the technology industry as it showed the range of enforceability with regard to FTC consent orders. It was not just the second case against the same company in less than twelve months, but it was also the first case in which the FTC was able to fine a private company. Françoise Gilbert, at Bloomberg, stated that "this Google II action is not just another FTC case under section 5 of the FTC Act. It is unique in many respects. The case is second one against Google in less than 12 months. The FTC does not have the authority to fine a company under Section 5 of the FTC Act, but it can fine a company that violates a consent order with the commission. The FTC took that power into account and built on its prior case against the company (Google I). The arguments are in some respects different than in other similar cases addressing consumer privacy, and the complaint (Google II Complaint) and proposed order provide significant insight into the reasoning of the FTC, which is very valuable information for companies that collect or use personal information and prefer to reduce the risk of government action." [14]

Additionally, the case also highlighted the impact that this case may have caused in the international community: "the FTC action against the world's most popular search engine provides the U.S. government with an opportunity to show the rest of the world, and especially the European Union and the Asia-Pacific Economic Cooperation member economies, that it cares about privacy and is serious about enforcement. In its press release, the FTC announced that this settlement was "part of the FTC's ongoing efforts to ensure that companies live up to the privacy promises that they make to consumers." [14]

Related Research Articles

<span class="mw-page-title-main">Children's Online Privacy Protection Act</span> American federal cyber law

The Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law, located at 15 U.S.C. §§ 65016506.

<span class="mw-page-title-main">Federal Trade Commission</span> United States government agency

The Federal Trade Commission (FTC) is an independent agency of the United States government whose principal mission is the enforcement of civil (non-criminal) antitrust law and the promotion of consumer protection. The FTC shares jurisdiction over federal civil antitrust enforcement with the Department of Justice Antitrust Division. The agency is headquartered in the Federal Trade Commission Building in Washington, DC.

<span class="mw-page-title-main">Gmail</span> Email service provided by Google

Gmail is a free email service provided by Google. As of 2019, it had 1.5 billion active users worldwide making it the largest email service in the world. A user typically accesses Gmail in a web browser or through the official mobile application. Google also supports the use of email clients via the POP and IMAP protocols.

Internet privacy involves the right or mandate of personal privacy concerning the storing, re-purposing, provision to third parties, and displaying of information pertaining to oneself via Internet. Internet privacy is a subset of data privacy. Privacy concerns have been articulated from the beginnings of large-scale computer sharing and especially relate to mass surveillance enabled by the emergence of computer technologies.

The term opt-out refers to several methods by which individuals can avoid receiving unsolicited product or service information. This option is usually associated with direct marketing campaigns such as e-mail marketing or direct mail. A list of those who have opted out is called a Robinson list.

A local shared object (LSO), commonly called a Flash cookie, is a piece of data that websites that use Adobe Flash may store on a user's computer. Local shared objects have been used by all versions of Flash Player since version 6.

<span class="mw-page-title-main">Movieland</span> Former subscription-based movie download service

Movieland, also known as Movieland.com, Moviepass.tv and Popcorn.net, was a subscription-based movie download service that has been the subject of thousands of complaints to the Federal Trade Commission, the Washington State Attorney General's Office, the Better Business Bureau, and other agencies by consumers who said they were held hostage by its repeated pop-up windows and demands for payment, triggered after a free 3-day trial period. Many said they had never even heard of Movieland until they saw their first pop-up. Movieland advertised that the service had "no spyware", and that no personal information would need to be filled out to begin the free trial.

Google Buzz was a social networking, microblogging and messaging tool that was developed by Google which replaced Google Wave and integrated into their web-based email program, Gmail. Users could share links, photos, videos, status messages and comments organized in "conversations" and visible in the user's inbox.

<span class="mw-page-title-main">Network Advertising Initiative</span>

The Network Advertising Initiative is an industry trade group founded in 2000 that develops self-regulatory standards for online advertising. Advertising networks created the organization in response to concerns from the Federal Trade Commission and consumer groups that online advertising — particularly targeted or behavioral advertising — harmed user privacy. The NAI seeks to provide self-regulatory guidelines for participating networks and opt-out technologies for consumers in order to maintain the value of online advertising while protecting consumer privacy. Membership in the NAI has fluctuated greatly over time, and both the organization and its self-regulatory system have been criticized for being ineffective in promoting privacy.[Missing Citation]

<span class="mw-page-title-main">FTC regulation of behavioral advertising</span> US Regulations on Advertising Targeted by Online Activity

The United States Federal Trade Commission (FTC) has been involved in oversight of the behavioral targeting techniques used by online advertisers since the mid-1990s. These techniques, initially called "online profiling", are now referred to as "behavioral targeting"; they are used to target online behavioral advertising (OBA) to consumers based on preferences inferred from their online behavior. During the period from the mid-1990s to the present, the FTC held a series of workshops, published a number of reports, and gave numerous recommendations regarding both industry self-regulation and Federal regulation of OBA. In late 2010, the FTC proposed a legislative framework for U.S. consumer data privacy including a proposal for a "Do Not Track" mechanism. In 2011, a number of bills were introduced into the United States Congress that would regulate OBA.

In the middle of 2009 the Federal Trade Commission filed a complaint against Sears Holdings Management Corporation (SHMC) for unfair or deceptive acts or practices affecting commerce. SHMC operates the sears.com and kmart.com retail websites for Sears Holdings Corporation. As part of a marketing effort, some users of sears.com and kmart.com were invited to download an application developed for SHMC that ran in the background on users' computers collecting information on nearly all internet activity. The tracking aspects of the program were only disclosed in legalese in the middle of the End User License Agreement. The FTC found this was insufficient disclosure given consumers expectations and the detailed information being collected. On September 9, 2009 the FTC approved a consent decree with SHMC requiring full disclosure of its activities and destruction of previously obtained information.

<i>Lane v. Facebook, Inc.</i>

Lane vs. Facebook was a class-action lawsuit in the United States District Court for the Northern District of California regarding internet privacy and social media. In December 2007, Facebook launched Beacon, which resulted in users' private information being posted on Facebook without the users' consent. Facebook ended up terminating the Beacon program and created a $9.5 million fund for privacy and security. There was no monetary compensation awarded to Facebook users affected negatively by the Beacon program.

A zombie cookie is a piece of data that could be stored in multiple locations -- since failure of removing all copies of the zombie cookie will make the removal reversible, zombie cookies can be difficult to remove. Since they do not entirely rely on normal cookie protocols, the visitor's web browser may continue to recreate deleted cookies even though the user has opted not to receive cookies.

<span class="mw-page-title-main">Do Not Track</span> HTTP header field proposed in 2009

Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt-out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.

Do Not Track legislation protects Internet users' right to choose whether or not they want to be tracked by third-party websites. It has been called the online version of "Do Not Call". This type of legislation is supported by privacy advocates and opposed by advertisers and services that use tracking information to personalize web content. Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt-out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of that data outside its context. Efforts to standardize Do Not Track by the World Wide Web Consortium did not reach their goal and ended in September 2018 due to insufficient deployment and support.

<span class="mw-page-title-main">Google Safe Browsing</span> Service that warns about malicious URLs

Google Safe Browsing is a service from Google that warns users when they attempt to navigate to a dangerous website or download dangerous files. Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem. This protection works across Google products and is claimed to “power safer browsing experiences across the Internet”. It lists URLs for web resources that contain malware or phishing content. Browsers like Google Chrome, Safari, Firefox, Vivaldi, Brave and GNOME Web use these lists from Google Safe Browsing to check pages against potential threats. Google also provides a public API for the service.

In the Matter of TRENDnet, Inc., F.T.C. File No. 122-3090, is the first legal action taken by the Federal Trade Commission (FTC) against "the marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the Internet of things." The FTC found that TRENDnet had violated Section 5(a) of the Federal Trade Commission Act by falsely advertising that IP cameras it sold could transmit video on the internet securely. On January 16, 2014 the FTC issued a Decision and Order obliging TRENDnet, among other things, to cease misrepresenting the extent to which its products protect the security of live feeds captured and the personal information that is accessible through those devices.

<span class="mw-page-title-main">Jonathan Mayer</span> American computer scientist and lawyer

Jonathan Mayer is an American computer scientist and lawyer. He is an Assistant Professor of Computer Science and Public Affairs at Princeton University affiliated with the Center for Information Technology Policy, and was previously a PhD student in computer science at Stanford University and a fellow at the Center for Internet and Society and the Center for International Security and Cooperation. During his graduate studies he was a consultant at the California Department of Justice.

Google has been involved in multiple lawsuits over issues such as privacy, advertising, intellectual property and various Google services such as Google Books and YouTube. The company's legal department expanded from one to nearly 100 lawyers in the first five years of business, and by 2014 had grown to around 400 lawyers. Google's Chief Legal Officer is Senior Vice President of Corporate Development David Drummond.

Google's changes to its privacy policy on March 16, 2012 enabled the company to share data across a wide variety of services. These embedded services include millions of third-party websites that use AdSense and Analytics. The policy was widely criticized for creating an environment that discourages Internet-innovation by making Internet users more fearful and wary of what they do online.

References

  1. Forden, Sara (17 November 2012). "Google Judge Accepts $22.5 Million FTC Privacy Settlement". Bloomberg. Retrieved 18 March 2014.
  2. Federal Trade Commission-FTC (August 9, 2012). "Google Will Pay $22.5 Million to Settle FTC Charges it Misrepresented Privacy Assurances to Users of Apple's Safari Internet Browser" . Retrieved March 2, 2014.
  3. Federal Trade Commission-FTC (November 20, 2012). "Statement by FTC Bureau of Consumer Protection Director David Vladeck Regarding Judges Approval of Google Safari Settlement" . Retrieved March 2, 2014.
  4. Electronic Privacy Information Center-EPIC. "In re Google Buzz, complaint" (PDF). Retrieved March 2, 2014.{{cite web}}: |last= has generic name (help)
  5. 1 2 Google, Inc., In the Matter of (30 March 2011). "Complaint Google Buzz". Federal Trade Commission-FTC. Retrieved March 2, 2014.{{cite web}}: |last= has generic name (help)CS1 maint: multiple names: authors list (link)
  6. Complaint (9 August 2012). "United States v. Google, Inc., Case No. 5:12-cv-04177-HRL, FTC Docket No. C-4336 (N.D. Cal. Aug. 8, 2012)". Federal Trade Commission. Retrieved March 2, 2014.
  7. 1 2 3 Federal Trade Commission-FTC (March 30, 2011). "FTC Charges Deceptive Privacy Practices in Googles Rollout of Its Buzz Social Network" . Retrieved March 2, 2014.
  8. 1 2 Federal Trade Commission-FTC. "In the matter of Google, Inc. Decision and Order" (PDF). Retrieved March 2, 2014.
  9. Black, Ed. "Will FTC Online Privacy Settlements Do More Harm Than Good?". Forbes. Retrieved 6 April 2014.
  10. 1 2 3 4 5 Federal Trade Commission-FTC (9 August 2012). "United States v. Google Inc. - complaint" . Retrieved March 2, 2014.
  11. 1 2 "United States v. Google Inc.-Order Approving Stipulated Order for Permanent Injunction and Civil Penalty Judgment (November 16, 2012)" (PDF). Retrieved March 2, 2014.
  12. David Meyer; originally from ZDNET.COM (November 19, 2012). "Judge Approves $22.5M Google-FTC Settlement, Rebuffs Consumer Group" . Retrieved March 2, 2014.
  13. 1 2 Holzapfel, Casey (December 4, 2012). "Judges Approve Google's $22.5 Million Settlement with FTC for Safari Privacy Violation". Jolt Digest, Harvard Journal of Law & Technology. Retrieved March 2, 2014.
  14. 1 2 Gilbert, Françoise (2012). "THE FTC V. GOOGLE SAGA—EPISODE II: WHAT LESSONS FOR U.S. BUSINESSES?" . Retrieved March 2, 2014.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.