Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

<i>FTC v. Google</i>: Lessons Learned

By Francoise Gilbert
August 30, 2012

Twice in less than 12 months, the Federal Trade Commission (FTC)
has investigated Google Inc.'s personal data-handling practices to compare them with Google's representations made on its website privacy policy and other documents. And twice in less than 12 months, the FTC has determined that Google's practices constituted misrepresentation. This second time, however, the price tag associated with the ruling at the completion of this investigation ' as set forth in the Proposed Consent Order with Google published on Aug. 9 (Google 2; http://bit.ly/RzlJxk) ' is a record $22.5 million civil penalty.

In this second enforcement action, the FTC charged that Google misrepresented to users of Apple Safari's browser that it would not place tracking cookies on their browser, or serve targeted ads. In the prior enforcement action, which resulted in a settlement dated October 2011 (Google 1; http://bit.ly/Rzm1o3), the FTC charged that Google used deceptive tactics and violated its own privacy promises to consumers when it launched the Buzz social network in 2010.

Message to the Rest of the World

There are many interesting aspects in this FTC v. Google saga. This latest enforcement action and its spectacular, record-breaking $22.5 million civil penalty are more than just a message to Google that it should get its act together.

The FTC action against the world's most popular search engine provides the U.S. government with an opportunity to show the rest of the world, and especially the European Union and the APEC (Asia-Pacific Economic Cooperation; www.apec.org) member economies, that it cares about privacy and is serious about enforcement. In its press release announcing the proposed Google 2 Consent Order, the FTC stated this settlement was “part of the FTC's ongoing efforts to ensure that companies live up to the privacy promises that they make to consumers.” http://ftc.gov/opa/2012/08/google.shtm.

The way in which Google collects, uses, processes or takes commercial advantage of personal information of the users of its products has attracted, and continues to attract, the attention of regulators throughout the world. These activities, or inadvertent errors as Google names them, have been the focus of numerous investigations abroad, some of which are still ongoing. Consider, for example, the current investigation by the CNIL (French Data Protection Authority) and ICO (United Kingdom Data Protection Authority), and the recent actions by the AEPD (Spain Data Protection Authority), the Canada Federal Privacy Commissioner or KCC (Korea's Communication Commission). Consider also the global outcry when Google changed its privacy policy to a streamlined policy. Some of these investigations have also resulted in fines, for example, the '100,000 fine against Google assessed by France's Data Protection Authority in March 2011 as a result of Google's nonconsensual collection of Wi-Fi data through its Street View geolocation service. See, “France Fines Google over Street View Privacy Breach,”
Salon.com, http://bit.ly/Ox5Qmo.

The U.S. needs to be able to provide its trade allies throughout the world with tangible evidence to demonstrate that its main data protection authority, the FTC, is actively enforcing data protection principles and is monitoring Google and other companies such as Facebook. See, In the Matter of Facebook, Inc., No. C-4365 (July 27, 2012; http://1.usa.gov/PrnOpz). At a time when most of the rest of the world thinks that there is no adequate privacy protection in the United States, it is important for the U.S. government to show that it does monitor the activities of U.S. companies ' especially the most popular ones, such as Google and Facebook. It is also important for the U.S. to explain and demonstrate that its values with respect to the protection of personal information and the intensity of its enforcement efforts are consistent with, if not stronger than, those of the other world leaders.

A Message to U.S. Companies

The Google 1 and Google 2 enforcement actions also provide several important messages to U.S. companies. One of these messages is that privacy promises are made in numerous places, not just in a company's online privacy statement. If a company represents in its privacy statement or elsewhere on its site that it is part of a privacy program, or that it abides by industry rules, this
representation better be accurate.

In the Google 1 enforcement action, the FTC looked at the promises and representations made about Google's compliance with the Safe Harbor principles. In the Google 2 enforcement action, the FTC looked at the promises and representations that Google complied with the Self-Regulatory Code of Conduct of the Network Advertising Initiative (NAI; www.networkadvertising.org), a private, well-respected industry group. In both cases, the FTC found that these representations were not true.

In the past 15 years, the FTC has conducted numerous enforcement actions, and as time passes, we can see a refinement of its work. The scope of what it looks at is increasing.

In its initial cases, the FTC focused on the four corners of companies' public privacy statements. Then, recently, in several consent orders, including Google 1 as well as FTC v. Facebook, which became final on Aug. 10, the FTC expanded the scope of its enforcement action to include violations of the Safe Harbor Principles, a government privacy program whose rules were outlined in an agreement between the U.S. Department of Commerce and the European Commission. See, http://1.usa.gov/O6UjeO.

Now, with Google 2, the FTC expands again the scope of its enforcement actions. This time it evaluated Google's claim that it is meeting the NAI Self-Regulatory Code of Conduct.

This trend is likely to continue. In future cases, we should expect the FTC investigations to go deeper, and to evaluate in more depth the accuracy and completeness of statements that companies make about their data handling practices.

Consequences for Businesses

There are few countries in the world where companies have as much freedom to create, build or operate as in the United States. In the case of the handling of personal data, the U.S. laws contain very few prohibitions. However, they do require compliance with some general principles. One of them is that we need to be able to trust each other.

Consumers must be able to trust that a merchant's representations about its products are accurate. This principle is ingrained in '5 of the FTC Act, which has been in existence for years. Section 5 of the FTC Act prohibits “unfair or deceptive practices” (www.law.cornell.edu/uscode/text/15/45). If a company makes representations that are inaccurate, untrue or incomplete such that customers or consumers are deceived, it has violated '5 of the FTC Act.

In practice, what does this mean, and how can companies avoid being caught in the net of '5 in the context of the processing of personal data?

Make sure that your developers understand the rules, and make sure that the lawyers who write these privacy statements and other documents know and understand what the developers are doing. For example:

  • Look for representations about the company's data-handling practices. Look everywhere, and not just in the official company privacy statement; for example, look at cookie disclosures, marketing or sales material, or advertisements.
  • Educate your IT, IS, marketing, communications, sales and legal teams about the importance of working together and coordinating efforts so that those who develop statements and disclosures about the company's policies and values fully understand and are aware of all features and capabilities of the products or services others in the company are designing and developing.
  • Conduct internal audits to periodically compare all promises that your business makes with what each of your products, services, applications, technologies, devices, cookies, tags, etc., in existence or in development actually does.

[Editor's Note: As this issue was going to press, Google started building a "Privacy Red Team," directed to "independently identify, research, and help resolve potential privacy risks." Google posted a job listing for a Data Privacy Engineer, whose responsibility includes: "Analyze software and services from a privacy perspective, ensuring they are in line with Google's stated privacy policies, practices, and the expectations of our users." http://bit.ly/Nh43oB.]


Francoise Gilbert, J.D., CIPP/US, focuses her legal practice on information privacy and security, cloud computing and data governance. She is the managing attorney of the IT Law Group (www.itlawgroup.com) and serves as the general counsel of the Cloud Security Alliance (https://cloudsecurityalliance.org). She also maintains a blog on domestic and international data privacy and security issues (www.francoisegilbert.com).

Twice in less than 12 months, the Federal Trade Commission (FTC)
has investigated Google Inc.'s personal data-handling practices to compare them with Google's representations made on its website privacy policy and other documents. And twice in less than 12 months, the FTC has determined that Google's practices constituted misrepresentation. This second time, however, the price tag associated with the ruling at the completion of this investigation ' as set forth in the Proposed Consent Order with Google published on Aug. 9 (Google 2; http://bit.ly/RzlJxk) ' is a record $22.5 million civil penalty.

In this second enforcement action, the FTC charged that Google misrepresented to users of Apple Safari's browser that it would not place tracking cookies on their browser, or serve targeted ads. In the prior enforcement action, which resulted in a settlement dated October 2011 (Google 1; http://bit.ly/Rzm1o3), the FTC charged that Google used deceptive tactics and violated its own privacy promises to consumers when it launched the Buzz social network in 2010.

Message to the Rest of the World

There are many interesting aspects in this FTC v. Google saga. This latest enforcement action and its spectacular, record-breaking $22.5 million civil penalty are more than just a message to Google that it should get its act together.

The FTC action against the world's most popular search engine provides the U.S. government with an opportunity to show the rest of the world, and especially the European Union and the APEC (Asia-Pacific Economic Cooperation; www.apec.org) member economies, that it cares about privacy and is serious about enforcement. In its press release announcing the proposed Google 2 Consent Order, the FTC stated this settlement was “part of the FTC's ongoing efforts to ensure that companies live up to the privacy promises that they make to consumers.” http://ftc.gov/opa/2012/08/google.shtm.

The way in which Google collects, uses, processes or takes commercial advantage of personal information of the users of its products has attracted, and continues to attract, the attention of regulators throughout the world. These activities, or inadvertent errors as Google names them, have been the focus of numerous investigations abroad, some of which are still ongoing. Consider, for example, the current investigation by the CNIL (French Data Protection Authority) and ICO (United Kingdom Data Protection Authority), and the recent actions by the AEPD (Spain Data Protection Authority), the Canada Federal Privacy Commissioner or KCC (Korea's Communication Commission). Consider also the global outcry when Google changed its privacy policy to a streamlined policy. Some of these investigations have also resulted in fines, for example, the '100,000 fine against Google assessed by France's Data Protection Authority in March 2011 as a result of Google's nonconsensual collection of Wi-Fi data through its Street View geolocation service. See, “France Fines Google over Street View Privacy Breach,”
Salon.com, http://bit.ly/Ox5Qmo.

The U.S. needs to be able to provide its trade allies throughout the world with tangible evidence to demonstrate that its main data protection authority, the FTC, is actively enforcing data protection principles and is monitoring Google and other companies such as Facebook. See , In the Matter of Facebook, Inc. , No. C-4365 (July 27, 2012; http://1.usa.gov/PrnOpz). At a time when most of the rest of the world thinks that there is no adequate privacy protection in the United States, it is important for the U.S. government to show that it does monitor the activities of U.S. companies ' especially the most popular ones, such as Google and Facebook. It is also important for the U.S. to explain and demonstrate that its values with respect to the protection of personal information and the intensity of its enforcement efforts are consistent with, if not stronger than, those of the other world leaders.

A Message to U.S. Companies

The Google 1 and Google 2 enforcement actions also provide several important messages to U.S. companies. One of these messages is that privacy promises are made in numerous places, not just in a company's online privacy statement. If a company represents in its privacy statement or elsewhere on its site that it is part of a privacy program, or that it abides by industry rules, this
representation better be accurate.

In the Google 1 enforcement action, the FTC looked at the promises and representations made about Google's compliance with the Safe Harbor principles. In the Google 2 enforcement action, the FTC looked at the promises and representations that Google complied with the Self-Regulatory Code of Conduct of the Network Advertising Initiative (NAI; www.networkadvertising.org), a private, well-respected industry group. In both cases, the FTC found that these representations were not true.

In the past 15 years, the FTC has conducted numerous enforcement actions, and as time passes, we can see a refinement of its work. The scope of what it looks at is increasing.

In its initial cases, the FTC focused on the four corners of companies' public privacy statements. Then, recently, in several consent orders, including Google 1 as well as FTC v. Facebook, which became final on Aug. 10, the FTC expanded the scope of its enforcement action to include violations of the Safe Harbor Principles, a government privacy program whose rules were outlined in an agreement between the U.S. Department of Commerce and the European Commission. See, http://1.usa.gov/O6UjeO.

Now, with Google 2, the FTC expands again the scope of its enforcement actions. This time it evaluated Google's claim that it is meeting the NAI Self-Regulatory Code of Conduct.

This trend is likely to continue. In future cases, we should expect the FTC investigations to go deeper, and to evaluate in more depth the accuracy and completeness of statements that companies make about their data handling practices.

Consequences for Businesses

There are few countries in the world where companies have as much freedom to create, build or operate as in the United States. In the case of the handling of personal data, the U.S. laws contain very few prohibitions. However, they do require compliance with some general principles. One of them is that we need to be able to trust each other.

Consumers must be able to trust that a merchant's representations about its products are accurate. This principle is ingrained in '5 of the FTC Act, which has been in existence for years. Section 5 of the FTC Act prohibits “unfair or deceptive practices” (www.law.cornell.edu/uscode/text/15/45). If a company makes representations that are inaccurate, untrue or incomplete such that customers or consumers are deceived, it has violated '5 of the FTC Act.

In practice, what does this mean, and how can companies avoid being caught in the net of '5 in the context of the processing of personal data?

Make sure that your developers understand the rules, and make sure that the lawyers who write these privacy statements and other documents know and understand what the developers are doing. For example:

  • Look for representations about the company's data-handling practices. Look everywhere, and not just in the official company privacy statement; for example, look at cookie disclosures, marketing or sales material, or advertisements.
  • Educate your IT, IS, marketing, communications, sales and legal teams about the importance of working together and coordinating efforts so that those who develop statements and disclosures about the company's policies and values fully understand and are aware of all features and capabilities of the products or services others in the company are designing and developing.
  • Conduct internal audits to periodically compare all promises that your business makes with what each of your products, services, applications, technologies, devices, cookies, tags, etc., in existence or in development actually does.

[Editor's Note: As this issue was going to press, Google started building a "Privacy Red Team," directed to "independently identify, research, and help resolve potential privacy risks." Google posted a job listing for a Data Privacy Engineer, whose responsibility includes: "Analyze software and services from a privacy perspective, ensuring they are in line with Google's stated privacy policies, practices, and the expectations of our users." http://bit.ly/Nh43oB.]


Francoise Gilbert, J.D., CIPP/US, focuses her legal practice on information privacy and security, cloud computing and data governance. She is the managing attorney of the IT Law Group (www.itlawgroup.com) and serves as the general counsel of the Cloud Security Alliance (https://cloudsecurityalliance.org). She also maintains a blog on domestic and international data privacy and security issues (www.francoisegilbert.com).

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

What Law Firms Need to Know Before Trusting AI Systems with Confidential Information In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.