FTC v. Google: Lessons Learned

By Francoise Gilbert
September 28, 2012

Twice in less than 12 months, the Federal Trade Commission (FTC) has investigated Google Inc.'s personal data-handling practices to compare them with Google's representations made in its website privacy policy and other documents.

And twice in less than 12 months, the FTC has determined that Google's practices constituted misrepresentation.

This second time, however, the price tag associated with the ruling at the completion of this investigation, as set forth in a proposed consent order with Google published on Aug. 9, is a record $22.5 million civil penalty. (See the consent order at http://1.usa.gov/Ro3Lv1. See, Google 2, at http://bit.ly/RzlJxk.)

In this second enforcement action, the FTC charged that Google misrepresented to users of Apple Safari's browser that it would not place tracking cookies on their browser, or serve targeted ads. In the prior enforcement action, which resulted in a settlement in October of last year (see, Google 1 at http://bit.ly/Rzm1o3), the FTC charged that Google used deceptive tactics and violated its own privacy promises to consumers when it launched the Buzz social network in 2010.

Message to the Rest of the World

There are many interesting aspects in this FTC v. Google saga. This latest enforcement action and its spectacular, record-breaking $22.5 million civil penalty are more than just a message to Google that it should get its act together.

The FTC action against the world's most popular search engine provides the U.S. government with an opportunity to show the rest of the world, and especially the European Union and the APEC (Asia-Pacific Economic Cooperation; www.apec.org) member economies, that it cares about privacy and is serious about enforcement. In its press release announcing the proposed Google 2 Consent Order, the FTC stated this settlement was “part of the FTC's ongoing efforts to ensure that companies live up to the privacy promises that they make to consumers” (see, http://ftc.gov/opa/2012/08/google.shtm).

The way Google collects, uses, processes or takes commercial advantage of personal information of the users of its products has attracted, and continues to attract, the attention of regulators throughout the world. These activities, or inadvertent errors, as Google names them, have been the focus of numerous investigations abroad, some of which are ongoing. Consider, for example, the current investigation by the CNIL (French Data Protection Authority) and ICO (United Kingdom Data Protection Authority), and the recent actions by the AEPD (Spain Data Protection Authority), the Canada Federal Privacy Commissioner, or by the KCC (Korea's Communication Commission). Consider also the global outcry when Google changed its privacy policy to a streamlined one. Some of these investigations have also resulted in fines, such as the €100,000 fine against Google assessed by France's Data Protection Authority in March 2011 as a result of Google's non-consensual collection of Wi-Fi data through its Street View geolocation service (see, “France Fines Google over Street View Privacy Breach,” Salon.com, http://bit.ly/Ox5Qmo).

The United States needs to be able to provide its trade allies with tangible evidence to demonstrate that its main data protection authority, the FTC, is actively enforcing data protection principles and is monitoring Google and other companies such as Facebook (see, In the Matter of Facebook, Inc., No. C-4365 (July 27, 2012); http://1.usa.gov/PrnOpz). At a time when most of the rest of the world thinks that there is no adequate privacy protection in the United States, it is important for the U.S. government to show that it does monitor the activities of U.S. companies, especially the most popular ones, such as Google and Facebook. It is also important for the United States to explain and demonstrate that its values with respect to the protection of personal information and the intensity of its enforcement efforts are consistent with, if not stronger than, those of the other leading countries.

FTC Rulings Development

The Google 1 and Google 2 enforcement actions also provide several important messages to U.S. companies. One of these messages is that privacy promises are made in numerous places, not just in a company's online privacy statement. If a company represents in its privacy statement or elsewhere on its site that it is part of a privacy program, or that it abides by industry rules, this representation had better be accurate.

In the Google 1 enforcement action, the FTC looked at the promises and representations made about Google's compliance with safe harbor principles. In the Google 2 enforcement action, the FTC looked at the promises and representations that Google complied with the Self-Regulatory Code of Conduct of the Network Advertising Initiative (www.networkadvertising.org), a private industry group. In both cases, the FTC found that these representations were not true.

In the last 15 years, the FTC has conducted numerous enforcement actions, and as time passes, we can see a refinement of its work. The scope of what it looks at is increasing.

In its initial cases, the FTC focused on the four corners of companies' public privacy statements. Then, recently, in several consent orders, including Google 1 as well as FTC v. Facebook, which became final on Aug. 10, the FTC expanded the scope of its enforcement action to include violations of the safe harbor principles, a government privacy program whose rules were outlined in an agreement between the U.S. Department of Commerce and the European Commission (see, http://1.usa.gov/O6UjeO).

Now, with Google 2, the FTC expands again the scope of its enforcement actions. This time, it evaluated Google's claim that it is meeting the NAI Self-Regulatory Code of Conduct.

This trend is likely to continue. In future cases, we should expect the FTC investigations to go deeper, and to evaluate in more depth the accuracy and completeness of statements that companies make about their data handling practices.

Consequences for Businesses

There are few countries in the world where companies have as much freedom to create, build or operate as in the United States. In the case of the handling of personal data, U.S. laws contain very few prohibitions. However, they do require compliance with some general principles. One of them is that we need to be able to trust one another. Consumers must be able to trust that a merchant's representations about its products are accurate. This principle is ingrained in §5 of the FTC Act, which has been in existence for many years. Section 5 of the FTC Act prohibits “unfair or deceptive practices” (see, www.law.cornell.edu/uscode/text/15/45). If a company makes representations that are inaccurate, untrue or incomplete such that customers or consumers are deceived, that company has violated §5.

In practice, what does this mean, and how can companies avoid being caught in the net of §5 in the context of the processing of personal data?

Make sure that your developers understand the rules, and make sure that the lawyers who write these privacy statements and other documents know and understand what the developers are doing. For example:

  • Look for representations about the company's data-handling practices. Look everywhere, and not just in the official company privacy statement; for example, look at cookie disclosures, marketing or sales material, or advertisements.
  • Educate IT, IS, marketing, communications, sales and legal teams about the importance of working together and coordinating efforts so that those who develop statements and disclosures about the company's policies and values fully understand and are aware of all features and capabilities of the products or services others in the company are designing and developing.
  • Conduct internal audits to periodically compare all promises that your business makes with what each of your products, services, applications, technologies, devices, cookies, tags, etc., in existence or in development actually does.

Editor's Note: Google recently started building a “Privacy Red Team,” directed to “independently identify, research, and help resolve potential privacy risks.” Google posted a job listing for a Data Privacy Engineer, whose responsibility includes: “Analyze software and services from a privacy perspective, ensuring they are in line with Google's stated privacy policies, practices, and the expectations of our users.” (http://bit.ly/Nh43oB)


Francoise Gilbert, J.D., CIPP/US (certified international privacy professional in the United States), focuses her legal practice on information privacy and security, cloud computing and data governance. She is the managing attorney of the IT Law Group (www.itlawgroup.com) and serves as the general counsel of the Cloud Security Alliance (https://cloudsecurityalliance.org). She also maintains a blog on domestic and international data privacy and security issues (www.francoisegilbert.com).
