Publications

Google has entered into a $17 million settlement with thirty-seven states and the District of Columbia in order to resolve allegations that the company had circumvented privacy settings pertaining to Safari, Apple Inc.’s Web browser. The states and the District of Columbia alleged that Google had broken state consumer protection and computer privacy laws. “By tracking millions of people without their knowledge, Google violated not only their privacy, but also their trust,” New York Attorney General Eric Schneiderman said in a statement. His state will receive $899,580 of the settlement money.

The settlement concludes a nearly two-year probe by the states and the District of Columbia into allegations that Google bypassed the privacy settings of customers by placing “cookies,” which are small files set in users’ Web browsers that allow advertisers to identify individual Web users and track their browsing habits, into the browser.

Through its DoubleClick advertising platform, Google facilitates the transmission of third-party advertising cookies. The default privacy setting for the Safari Web browser is to block third-party cookies, including cookies used by DoubleClick. The states and the District of Columbia alleged that from June 1, 2011 until February 15, 2012, Google secretly stored web tracking cookies in Safari, thereby overriding Apple’s default settings that forbid third-party cookies from being installed. This alleged course of conduct contradicted Google’s assurances to consumers that Safari’s default privacy settings would block such third-party cookies.

Last August, the company agreed to pay $22.5 million — the largest civil penalty in Federal Trade Commission (“FTC”) history — to settle an investigation by the FTC relating to the same matter. For its part, Google has always maintained that the cookie incident was a mistake. “We work hard to get privacy right at Google and have taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers,” the company said in its statement. Google’s FTC settlement terms allow the company to avoid admitting any wrongdoing.

Google generated $50 billion in revenue in 2012, mostly through advertising.

Under the terms of Monday’s settlement, Google agreed not to employ any HTTP Form POST functionality that uses JavaScript to override a browser’s cookie-blocking settings without the consumer’s consent, unless for security, fraud or technical issues. Furthermore, for the next five years Google must provide consumers with consolidated information about cookies and how they are used. Significantly, the settlement also prohibits Google from misrepresenting or omitting material facts about how consumers can use Google’s Ad Settings tool or any other Google product, service or tool to directly manage how Google serves advertisements to their browsers. Google must also maintain systems configured to instruct Safari Web browsers to expire offending cookies.

Marc Rotenberg, President of the privacy research nonprofit Electronic Privacy Information Center, stated that the settlement is “a good development for online privacy when the state attorneys general are able to enforce their laws and get Google to change their practices.”

This case is one of a growing number of government investigations, lawsuits and punishments pertaining to alleged privacy violations arising from software and systems that undermine the security of consumer data. These include cases involving illegal collection of Wi-Fi data by Google Street View vehicles, alleged wiretapping to show personalized ads in Gmail and FTC actions against other companies involving allegedly insecure webcam services and smartphones. The FTC, in particular, has increased its investigations of companies whose products or services utilize software, including mobile apps, that undermines consumer privacy protections.