It’s official. As earlier reported, Google will pay $22.5 million to settle Federal Trade Commission (FTC) charges that it placed tracking cookies and served targeted ads to Safari browser users, after it said it wouldn’t. The cookie placement violated the privacy settlement Google reached with the FTC in October of last year.
It’s the largest penalty ever posed for violation of an existing order by the FTC, according to the Commission, but it represents a drop in the bucket for Google, which had Q2 revenues of more than $12 billion.
When questioned about the sufficiency of the penalty, James Kohm, the FTC’s associate director for enforcement, said, “The goal is not to cripple the company, a legitimate company… [the aim is to] get Google to take its privacy obligations more seriously.”
In addition to the monetary penalty, Google will also be required to disable all of the tracking cookies it had said it would not place. The FTC says the company is “well on it’s way” to accomplishing that already.
A Google spokesperson says that despite agreeing to pay the penalty to settle the charges, the company doesn’t admit to any wrongdoing:
We set the highest standards of privacy and security for our users. The FTC is focused on a 2009 help center page published more than two years before our consent decree, and a year before Apple changed its cookie-handling policy. We have now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.
The help center page the spokesperson refers to told users of Apple’s Safari browser that they would automatically be opted out of tracking, because of the default settings of the Safari browser. Instead, the FTC said, Google’s DoubleClick ad server exploited an exception in the settings to set a temporary cookie, which then allowed further cookies from DoubleClick.
Though Google seems to be saying the violation was inadvertent, the FTC says such statements simply raise red flags with the agency — indicating that the company doesn’t have policies and procedures in place to monitor and safeguard users’ privacy. (By editing help center pages when needed, for example.) The hope, according to David Vladeck, a director of the FTC’s bureau of consumer protection, is that the penalty is sufficient to push Google to “have a better sense of what’s going on.”
Vladeck added, “The social contract has to be that if you’re going to hold on to people’s private data, you need to do a better job with honoring your privacy commitments.”
Under the previous settlement, which centered around privacy violations in Google Buzz, Google already agreed to 20 years of privacy audits.
Though the majority of commissioners (4 out of 5) agreed to the settlement with Google, Commissioner J. Thomas Rosch disagreed, saying that fining the company without making it admit liability was problematic. In a statement of dissent, Rosh argues that there’s no reason to allow Google to get away without admitting guilt. Even the prospect of a $22.5 million penalty doesn’t justify that, and it sets a bad precedent:
…$22.5 million represents a de minimis amount of Google’s profit or revenues. Beyond that, the Commission now has allowed liability to be denied not only in this matter but also in the Facebook settlement where Facebook simply promised to “go and sin no more” (unlike Google, Facebook was not previously under order). There is nothing to prevent future respondents with fewer resources than Google and with lower profiles than Google and Facebook from denying liability in the future too.