Google on Thursday was slapped with a record $22.5 million fine by the U.S. Federal Trade Commission for installing tracking cookies — small identifying files — on millions of users of Apple’s Safari web browser, the default browser found on all of Apple’s products, including the iPad and the iPhone.
The cookies, which were dropped for several months in 2011 and 2012, allowed Google to serve up targeted online ads to Web surfers as well as “+1” buttons for the company’s Google Plus social network.
The fine, which had been anticipated per an earlier report in The Wall Street Journal, is the largest ever issued by the FTC against a single company, as the agency was keen to point out in its formal announcement on Thursday.
“The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order,” said Jon Leibowitz, Chairman of the FTC in a statement. “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”
Yet in the immediate aftermath of the announcement, both the FTC and Google were put on the defensive about their roles in the case.
Google had previously settled with the FTC over privacy violations related to its defunct Google Buzz social network in October 2011 and agreed to obey an FTC order for the next 20 years not to misrepresent its privacy practices to consumers. The FTC’s new fine was based on its findings that Google did not obey this order.
But when asked by TPM about the new fine, Google responded with the following statement blaming the FTC for referencing a single Google policy webpage from 2009, as well as Apple, for updating its Safari browser settings. As a Google spokesperson said in a statement:
We set the highest standards of privacy and security for our users. The FTC is focused on a 2009 help center page published more than two years before our consent decree, and a year before Apple changed its cookie-handling policy. We have now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.
Meanwhile, the FTC spent the afternoon fending off questions from reporters and privacy advocates about the actual impact of the fine on Google, which made over 100 times that amount ($3.2 billion) in revenue its last quarter, and the FTC’s overall effectiveness in investigating privacy breaches and enforcing privacy agreements with companies.
“We were on top of this soon after it arose,” said David Vladeck, director of the FTC’s Bureau of Consumer Protection, answering a question about the length of time it took the FTC to issue its fine against Google in a teleconference with reporters.
Vladeck also dismissed an earlier report published by both Wired and investigative journalist nonprofit ProPublica detailing what it said was a serious lack of resources and technical acumen within the FTC concerning Web companies and digital privacy matters.
“There is nothing in the Wired article that is correct,” Vladeck said.
That article, like many others published on the Web, noted that the issue of Google evading the Apple Safari browser’s default privacy settings was first brought to public attention by a Stanford computer science and law graduate student, Jonathan Mayer, who published findings of his own research on a Stanford website and his blog on February.
But Vladeck told reporters that the FTC had already identified the issue and was investigating it prior to Mayer’s own publication of his findings.
“It takes time to build up a case in court,” Vladeck said, noting that Mayer didn’t have to abide by the same standards and rules as the FTC when publishing his findings.
Mayer could not be reached for comment in time for this article’s publication, but the researcher previously told TPM he thought the FTC had a “slam-dunk” case when it came to proving that Google violated its previous settlement by installing the tracking cookies on Safari user devices.
The FTC also fielded questions from the public on its official Twitter account, many of which were less questions than scathing indictments of the agency’s handling of the matter.
“Is there any ambiguity that FTC acted vigorously 2 enforce its order? What’s impt is actions not words; $22.5M is loud,” responded the FTC on Twitter.
Meanwhile, other advocacy groups were more welcoming of the FTC’s action.
“We support it,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a nonprofit user advocacy group, in a statement to TPM. “EPIC brought the original complaint to the FTC that resulted in the consent order against Google. We believe it is critical for the FTC to enforce its consent orders. Otherwise, these will become hollow judgements.”
Still, whether the order leads to any profound change at Google or any other large Web companies that rely on targeting advertising, let alone all those Web and tech companies that seek to cultivate relationships with users and their devices, remains to be seen. For now, Google has five days to pay up and until 2014 to remove all of the cookies it placed on user devices.