Milking Cookies: The FTC’s $22.5 Million Settlement with Google
There’s been a lot of talk about breaking records these past few weeks. But here’s one you won’t see on the sports pages: the FTC’s $22.5 million settlement with Google, the largest civil penalty ever against a single defendant. The penalty stems from FTC charges that Google didn’t give users of Apple’s Safari Internet browser the straight story about the use of tracking cookies. That, says the FTC, violated the terms of Google’s 2011 privacy settlement.
First, some background on the original case. Last year, the FTC sued Google for violations stemming from the roll-out of Google’s Buzz network. Among other things, the FTC said Google assured Gmail users it wouldn’t use their information for any purpose other than to provide email service, but then didn’t honor that promise. The result: an order mandating comprehensive privacy protections for consumers and civil penalties if Google didn’t live up to the terms of the settlement.
For details about the latest action, you’ll want to read the complaint, but here’s the gist. According to the FTC, Google violated the 2011 order by representing to certain users that Google wouldn’t place tracking cookies or serve targeted ads based on those cookies. But despite what Google said, the FTC has charged that some users did, in fact, get tracking cookies and targeted ads.
For Google and companies like it, the sale of online advertising services is a major — as in billions — moneymaker. How big? According to Google’s SEC filings, 96% of Google’s revenue comes from online advertising. How it typically works is that by placing a tracking cookie on a person’s computer, an ad network collects information about their browsing habits and uses that to serve up online ad targeted to their interests. In Google’s case, the company uses the DoubleClick Advertising Cookie to collect info about a person’s browsing activity and send targeted ads.
Of course, some consumers prefer not to have ads targeted that way. In response, companies are introducing ways that give people more control over that process (for example, through browser settings). The Safari browser generally blocks third-party cookies, but allows them only in narrow circumstances — like if the user submits information via a form embedded within the page. So say a person using Safari submits a mailing address when they buy something online. Safari lets that site set a third-party cookie. And here’s an important wrinkle: If the Safari browser accepts a cookie from a domain, Safari allows additional cookies from that same domain. What does that mean for the person sitting in front of the screen? Once Safari allows one cookie from the DoubleClick domain, it allows all cookies from doubleclick.net.
According to the FTC’s complaint, when people went to a Google page to learn how to opt out, Google specifically told Safari users they didn’t have to take any action to be opted out of DoubleClick targeted ads. As long as users didn’t change their browser settings, there was no need to do anything more to block the DoubleClick cookie because Safari’s default “effectively accomplishes the same thing as setting the opt-out cookie.”
But according to the FTC, Google sidestepped Safari’s default cookie-blocking setting by taking advantage of Safari’s narrow exception for forms. How so? When a Safari user visited a Google site or a site within Google’s ad network, Google used code to tell the browser that the person was submitting information through a form. That, in effect, “tricked” the system into allowing Google to place a temporary cookie from the DoubleClick domain. Once that was done, Katie, bar the door. Because of how Safari worked, a user’s computer would now accept all cookies from the DoubleClick domain, including the DoubleClick Advertising Cookie — the cookie Google represented would be blocked from Safari browsers. That, said the FTC, violated the consumer privacy protections imposed by the 2011 settlement.
Looking for more information? FTC staffers will discuss the settlement on Thursday, August 9th, at 1PM Eastern Time on Twitter (follow @FTC or tweet #FTCpriv) and Facebook. And check out FTC Chief Technologist Ed Felten's take on the case.