Are States Taking the Lead to Enforce Digital Privacy Laws?

Recently, 37 states and the District of Columbia reached a $17 million dollar settlement with Google over its intentional circumvention of Internet users' privacy settings. The case stemmed from 'Google's bypassing of privacy settings in Apple's Safari browser to use cookies to track users and show them advertisements in 2011 and 2012.' See, 'Google to Pay $17 Million to Settle Privacy Case,' NY Times.com. This multi-state agreement followed Google's $22.5 million dollar settlement with the Federal Trade Commission (FTC) over the same practice. See, 'Google Will Pay $22.5 Million to Settle FTC Charges it Misrepresented Privacy Assurances to Users of Apple's Safari Internet Browser,' FTC.com. In total, Google has paid approximately $40 million dollars to federal and state regulators for intentionally harming the personal privacy rights of Internet users in this matter.'

Google's ability to circumvent Apple's Safari browser setting was uncovered and publicized by The Wall Street Journal on Feb. 17, 2012. See, 'Google's iPhone Tracking.' According to The Wall Street Journal's investigation, Google and several other advertising 'companies used special computer code that trick[ed] Apple's Safari Web-browsing software' into letting them track the Web-browsing habits of users who tried to protect their personal privacy. Id. After the WSJ contacted Google about its alleged illegal activities, the company disabled the code. However, one has to wonder why the WSJ needed to contact Google in order for it to stop violating the personal privacy rights of Internet users?

Google's Privacy Settlements

In 2011, the FTC 'resolved charges that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social
network, Google Buzz.' See, 'FTC Gives Final Approval to Settlement with Google over Buzz Rollout.' In 2012, Google paid a $7 million dollar fine to 38 states for privacy violations regarding its Street View project which collected 'passwords, e-mail and other personal information from unsuspecting computer users.' See, 'Google Concedes That Drive-By Prying Violated Privacy,' NY Times.com. Earlier this year, a lawsuit was allowed to proceed that 'alleges that Google illegally scanned e-mails for users of Internet service providers who used a self-branded version of Gmail, as well as for Google Apps for Education users.' See, 'Google Wiretapping Lawsuits Can Proceed, Judges Say' Information Week.com.

While the focus of the state attorneys general and FTC investigations regarding this privacy matter have been on consumers, why hasn't there been media attention on how Google's actions may have harmed students who utilized school provided Apple products? In 2011, The New York Times discussed how thousands of students across the country were utilizing iPads because of special pilot programs and multi-million dollar government grants. See, 'Math That Moves: Schools Embrace the iPad,' NY Times.com.

Did Google intentionally disable the privacy settings on taxpayer funded and/or government owned student iPads and other Apple products that use Safari browsers to track student interactions with teachers and/or other students for pecuniary gain? How many students had their privacy rights violated by Google while utilizing school provided Apple products? If a student surfing the Web using Safari was logged into a Google account (i.e., Gmail, YouTube, Google +, Blogger, etc.), all of his school-related Web usage may have been tracked and monetized by Google. Did Google's behavior violate the Family Educational Rights and Privacy Act (FERPA)? Why hasn't the Department of Education opened an investigation into this matter?

If Google intentionally disabled the privacy settings of Internet users who chose to utilize a competitor's product (i.e., Web browser Safari instead of Google's Chrome), can Google be trusted to respect and protect the personal privacy of those who utilize Google products? While Google has claimed it does not show ads by default to student users of its Google Apps For Education services, can parents, guardians, teachers and school administrators be sure that Google isn't still collecting, combining and monetizing student data behind the scenes.

Other countries have also lost faith in Google's privacy promises. Sweden is requiring a municipality in Stockholm to rework its Google Apps For Education Agreement to better protect student data or its schools will be required to stop using Google's services. See, 'Rewrite Your Google Contracts or Stop Using Apps, Swedish Schools Told,' ZDNet. And just as this issue was going to press, Spain fined Google $1.2 million for violating the country's laws on collecting and processing personal information. See, http://yhoo.it/1hoaD7s.

In Google's settlement agreement with 37 state attorneys general it lists in Appendix A the state consumer protection and computer abuse statutes that Google allegedly violated. See, http://bit.ly/1kPDUrF. Since some of these statutes may be utilized in conjunction with the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. '1030, when digital wrongdoing is alleged why hasn't the Department of Justice (DOJ) opened an investigation into this matter? Shouldn't the DOJ at least investigate these issues with the same vigor that resulted in Google forfeiting $500 million dollars due to its actions that enabled its users to unlawfully import controlled and non-controlled prescription drugs into the United States that may have violated the Federal Food, Drug and Cosmetic Act and the Controlled Substances Act? See, 'Google Forfeits $500 Million Generated by Online Ads & Prescription Drug Sales by Canadian Online Pharmacies.”

Conclusion

State attorneys general are utilizing their powers to hold Internet companies accountable for online violations of state law. While the FTC is increasing its Internet enforcement activities, it is imperative for all interested parties to work in conjunction to ensure that those companies that break state and/or federal digital privacy laws are held accountable for their actions.

Bradley S. Shear is a lawyer in Bethesda, MD, and an Adjunct Professor at George Washington University. A member of this newsletter's Board of Editors, he practices cyber and social media law, privacy and advertising law, and copyright and trademark law. Shear advises state and federal lawmakers around the country on digital media law and public policy issues. He can be reached at www.shearlaw.com.'

Recently, 37 states and the District of Columbia reached a $17 million dollar settlement with Google over its intentional circumvention of Internet users' privacy settings. The case stemmed from 'Google's bypassing of privacy settings in Apple's Safari browser to use cookies to track users and show them advertisements in 2011 and 2012.' See, 'Google to Pay $17 Million to Settle Privacy Case,' NY Times.com. This multi-state agreement followed Google's $22.5 million dollar settlement with the Federal Trade Commission (FTC) over the same practice. See, 'Google Will Pay $22.5 Million to Settle FTC Charges it Misrepresented Privacy Assurances to Users of Apple's Safari Internet Browser,' FTC.com. In total, Google has paid approximately $40 million dollars to federal and state regulators for intentionally harming the personal privacy rights of Internet users in this matter.'

Google's ability to circumvent Apple's Safari browser setting was uncovered and publicized by The Wall Street Journal on Feb. 17, 2012. See, 'Google's iPhone Tracking.' According to The Wall Street Journal's investigation, Google and several other advertising 'companies used special computer code that trick[ed] Apple's Safari Web-browsing software' into letting them track the Web-browsing habits of users who tried to protect their personal privacy. Id. After the WSJ contacted Google about its alleged illegal activities, the company disabled the code. However, one has to wonder why the WSJ needed to contact Google in order for it to stop violating the personal privacy rights of Internet users?

Google's Privacy Settlements

In 2011, the FTC 'resolved charges that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social
network, Google Buzz.' See, 'FTC Gives Final Approval to Settlement with Google over Buzz Rollout.' In 2012, Google paid a $7 million dollar fine to 38 states for privacy violations regarding its Street View project which collected 'passwords, e-mail and other personal information from unsuspecting computer users.' See, 'Google Concedes That Drive-By Prying Violated Privacy,' NY Times.com. Earlier this year, a lawsuit was allowed to proceed that 'alleges that Google illegally scanned e-mails for users of Internet service providers who used a self-branded version of Gmail, as well as for Google Apps for Education users.' See, 'Google Wiretapping Lawsuits Can Proceed, Judges Say' Information Week.com.

While the focus of the state attorneys general and FTC investigations regarding this privacy matter have been on consumers, why hasn't there been media attention on how Google's actions may have harmed students who utilized school provided Apple products? In 2011, The New York Times discussed how thousands of students across the country were utilizing iPads because of special pilot programs and multi-million dollar government grants. See, 'Math That Moves: Schools Embrace the iPad,' NY Times.com.

Did Google intentionally disable the privacy settings on taxpayer funded and/or government owned student iPads and other Apple products that use Safari browsers to track student interactions with teachers and/or other students for pecuniary gain? How many students had their privacy rights violated by Google while utilizing school provided Apple products? If a student surfing the Web using Safari was logged into a Google account (i.e., Gmail, YouTube, Google +, Blogger, etc.), all of his school-related Web usage may have been tracked and monetized by Google. Did Google's behavior violate the Family Educational Rights and Privacy Act (FERPA)? Why hasn't the Department of Education opened an investigation into this matter?

If Google intentionally disabled the privacy settings of Internet users who chose to utilize a competitor's product (i.e., Web browser Safari instead of Google's Chrome), can Google be trusted to respect and protect the personal privacy of those who utilize Google products? While Google has claimed it does not show ads by default to student users of its Google Apps For Education services, can parents, guardians, teachers and school administrators be sure that Google isn't still collecting, combining and monetizing student data behind the scenes.

Other countries have also lost faith in Google's privacy promises. Sweden is requiring a municipality in Stockholm to rework its Google Apps For Education Agreement to better protect student data or its schools will be required to stop using Google's services. See, 'Rewrite Your Google Contracts or Stop Using Apps, Swedish Schools Told,' ZDNet. And just as this issue was going to press, Spain fined Google $1.2 million for violating the country's laws on collecting and processing personal information. See, http://yhoo.it/1hoaD7s.

In Google's settlement agreement with 37 state attorneys general it lists in Appendix A the state consumer protection and computer abuse statutes that Google allegedly violated. See, http://bit.ly/1kPDUrF. Since some of these statutes may be utilized in conjunction with the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. '1030, when digital wrongdoing is alleged why hasn't the Department of Justice (DOJ) opened an investigation into this matter? Shouldn't the DOJ at least investigate these issues with the same vigor that resulted in Google forfeiting $500 million dollars due to its actions that enabled its users to unlawfully import controlled and non-controlled prescription drugs into the United States that may have violated the Federal Food, Drug and Cosmetic Act and the Controlled Substances Act? See, 'Google Forfeits $500 Million Generated by Online Ads & Prescription Drug Sales by Canadian Online Pharmacies.”

Conclusion

State attorneys general are utilizing their powers to hold Internet companies accountable for online violations of state law. While the FTC is increasing its Internet enforcement activities, it is imperative for all interested parties to work in conjunction to ensure that those companies that break state and/or federal digital privacy laws are held accountable for their actions.

Bradley S. Shear is a lawyer in Bethesda, MD, and an Adjunct Professor at George Washington University. A member of this newsletter's Board of Editors, he practices cyber and social media law, privacy and advertising law, and copyright and trademark law. Shear advises state and federal lawmakers around the country on digital media law and public policy issues. He can be reached at www.shearlaw.com.'