Last week the FTC entered into two major settlements – a $22.5 million civil penalty against Google for violating a prior FTC order, and a final settlement with Facebook over charges that the company misrepresented the extent to which consumers can keep their information private.
Civil penalty to Google. On 8/9, Google agreed to pay a $22.5 million civil penalty to settle FTC charges that the company misrepresented to Apple Safari browser users that it would not place tracking cookies on their browsers or serve them with targeted ads. The FTC charged that these misrepresentations violated an October 2011 settlement, entered into with Google in relation to its Google Buzz product, which barred Google from misrepresenting the extent to which consumers can exercise control over the collection of their information. The settlement is the largest penalty the FTC has issued for a violation of an FTC order.
In its complaint, the FTC alleged that at various points in 2011 and 2012, Google placed an advertising tracking cookie on the computers of Safari users who visited sites within Google’s DoubleClick advertising network. The FTC explained that this action was contrary to Google’s previous representations to users that they would automatically be opted out of such tracking due to the default settings of the Safari browser. Despite these promises, the FTC charged that Google placed the cookies on consumers’ computers, often by circumventing the Safari browser’s default cookie-blocking setting.
In addition to the civil penalty, the FTC is requiring Google to disable all tracking cookies that it said it would not place on users’ computers.
In its press release discussing the settlement, the FTC explained that the penalty should be viewed as a “clear message” by all companies operating under an FTC privacy order that the FTC will continue to monitor and ensure that the companies are meeting the obligations contained in the orders.
Final Settlement with Facebook. On 8/10, the FTC accepted a final settlement with Facebook involving charges that the company engaged in deceptive practices by telling users that they could keep their information on Facebook private, when instead Facebook repeatedly allowed it to be shared and made public.
Under the settlement, Facebook must take a number of actions to ensure that it meets the privacy promises it makes to consumers in the future, such as providing clear and prominent notice and obtaining express consent before sharing consumer information outside of their privacy settings, maintaining a comprehensive privacy program, and obtaining biennial privacy audits by a neutral third party.