FTC Sues and Settles With Google for Circumventing Apple Safari Browser's Blocking of Third Party Cookies

August 9, 2012. The United States, acting on behalf of the Federal Trade Commission (FTC), filed a complaint [26 pages in PDF] in the U.S. District Court (NDCal) against Google alleging violation of Sections 5(l) and 16 of the FTC Act in connection with Google's circumvention of the Apple Safari browser's default setting for blocking of third party cookies.

Section 5(a), which is codified at 15 U.S.C.§ 45, provides that "unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful". The FTC previously brought and settled an action against Google, based upon an alleged violation of Section 5(a), involving Google Buzz. That action concluded with a consent order. The present action does not allege that Google's circumvention itself is actionable. Nor does it allege that Google's circumvention violated its privacy policy in violation of Section 5(a). Rather, the complaint alleges that Google's circumvention, and resulting serving of ads, violated the terms of the consent order, which barred Google from misrepresenting its privacy related practices, and that this constitutes a violation of Section 5(l), which authorizes the FTC to enforce its consent orders. Section 16, which is codified at 15 U.S.C. § 56, authorizes the Attorney General to bring actions on behalf of the FTC.

The parties simultaneously filed a short proposed order [PDF] the settles this action with minimal inconvenience to Google. The proposed order contains no finding of wrongdoing, liability, violation of law, or violation of the previous FTC order. Indeed, the proposed order contains no findings or stipulation of facts regarding the events that gave rise to this action. There is a fine of $22.5 Million, which for a company with Google's market capitalization, is negligible.

This structuring of the complaint, and settlement with no finding of wrongdoing, or even findings of fact, works to the advantage of Google in related pending class action litigation.

The proposed order provides that "Until February 15, 2014, Defendant will maintain systems configured to instruct Safari-brand web browsers to expire any DoubleClick.net cookie placed by Defendant through February 15, 2012 if those systems encounter such a cookie, with the exception of the DoubleClick opt-out cookie."

February 15, 2014 is nearly two years to the day after the Wall Street Journal and Jonathan Mayer, a graduate student at Stanford University, published reports of Google's circumvention.

This settlement is particularly lenient in light of Google being a repeat violator of federal law in its advertising practices. See, story titled "Google to Pay $500 Million for Allowing Its AdWords Program to be Used to Promote Illegal Online Drug Sales" in TLJ Daily E-Mail Alert No. 2,292, August 24, 2011. See also, story titled "FTC Issues and Settles Complaint Against Google" in TLJ Daily E-Mail Alert No. 2,213, March 31, 2011.

Prior FTC Order Regarding Google Buzz. In 2011, the FTC brought and settled an enforcement action against Google in connection with its privacy related practices associated with the initial launch of its Buzz social networking service. See, Decision and Order [7 pages in PDF] dated October 13, 2011.

The just filed complaint alleges that Google violated that October 13 order. It states that the FTC "charged Google with violating the FTC Act in connection with Google's launch of its social networking tool, Google Buzz. ... The FTC alleged, among other things, that Google misrepresented to users of its Gmail email service that: (1) Google would not use their information for any purpose other than to provide that email service; (2) users would not be automatically enrolled in the Buzz network; and (3) users could control what information would be public on their Buzz profiles."

The October 13 order provided that Google "shall not misrepresent in any manner, expressly or by implication ... the extent to which respondent maintains and protects the privacy and confidentiality of any covered information" or "the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other entity".

Moreover, the just filed complaint states that the October 13 order provides that "covered information" includes "persistent identifier contained in a tracking cookie, a user's IP address, a user's account ID, a user's interests, or a user’s web-browsing activity".

Google's Safari Circumvention. Google and three other companies used surreptitious code to circumvent the block third party cookies feature of Apple's web browser, Safari, thereby enabling these companies to track the web browsing of users of Apple iPhones and iPads, without their permission or knowledge, and contrary to Apple's and users' efforts to protect their privacy. Google owns DoubleClick, whose cookies are placed on users' browsers when visiting Google AdSense partner web sites.

The complaint alleges in detail, at paragraphs 17 through 48, the nature of cookies, third party cookies, DoubleClick advertising cookies, online tracking, Apple Safari browser's privacy controls, Google's representations, and Google's overriding of Safari's controls.

For more on Google's circumvention, see stories titled "Google Tracked Users Online by Circumventing Apple Safari Browser's Blocking of Third Party Cookies" and "What Are Third Party Cookies?" in TLJ Daily E-Mail Alert No. 2,341, February 19, 2012.

Counts Pled in FTC Complaint. Consistent with most of the actions taken by or on behalf of the FTC under Section 5 of the FTC Act to protect consumer privacy, this complaint against Google builds on Google's having misrepresented its privacy related practices.

This action does not assert that the underlying action -- circumventing the Safari browser's default setting of blocking of third party cookies -- is actionable.

Count I alleges that the Google's circumvention violated the 2011 consent order by violating representations that it made in its web site regarding collection of information from Safari users. That is, the complaint alleges that "Google assured Safari users that the Safari default setting ``effectively accomplishes the same thing as setting the opt-out cookie,´´", but in fact, Google "placed DoubleClick Advertising Cookies on the browsers of Safari users with the default setting".

Count II alleges that Google's serving of targeted ads violated violated the 2011 consent order by violating representations that it made in its web site.

Count III alleges that Google is a member of the Network Advertising Initiative (NAI), a self-regulatory organization for companies in the online advertising marketplace, which has written a code, and that Google represented that it complies with the code, but in fact, Google failed to comply with the NAI Code. The complaint alleges that this too violated the 2011 consent order.

This case is USA v. Google, Inc., U.S. District Court for the Northern District of California, San Jose Division.