Milking Cookies: The FTC’s $22.5 Million Settlement with Google

There’s been a lot of talk about breaking records these past few weeks. But here’s one you won’t see on the sports pages: the FTC’s $22.5 million settlement with Google, the largest civil penalty ever against a single defendant. The penalty stems from FTC charges that Google didn’t give users of Apple’s Safari Internet browser the straight story about the use of tracking cookies. That, says the FTC, violated the terms of Google’s 2011 privacy settlement.

First, some background on the original case. Last year, the FTC sued Google for violations stemming from the roll-out of Google’s Buzz network. Among other things, the FTC said Google assured Gmail users it wouldn’t use their information for any purpose other than to provide email service, but then didn’t honor that promise. The result: an order mandating comprehensive privacy protections for consumers and civil penalties if Google didn’t live up to the terms of the settlement.

For details about the latest action, you’ll want to read the complaint, but here’s the gist. According to the FTC, Google violated the 2011 order by representing to certain users that Google wouldn’t place tracking cookies or serve targeted ads based on those cookies. But despite what Google said, the FTC has charged that some users did, in fact, get tracking cookies and targeted ads.

For Google and companies like it, the sale of online advertising services is a major — as in billions — moneymaker. How big? According to Google’s SEC filings, 96% of Google’s revenue comes from online advertising. How it typically works is that by placing a tracking cookie on a person’s computer, an ad network collects information about their browsing habits and uses that to serve up online ads targeted to their interests. In Google’s case, the company uses the DoubleClick Advertising Cookie to collect info about a person’s browsing activity and send targeted ads.

Of course, some consumers prefer not to have ads targeted that way. In response, companies are introducing ways that give people more control over that process (for example, through browser settings). The Safari browser generally blocks third-party cookies and allows them only in narrow circumstances — like if the user submits information via a form embedded within the page. So say a person using Safari submits a mailing address when they buy something online. Safari lets that site set a third-party cookie. And here’s an important wrinkle: If the Safari browser accepts a cookie from a domain, Safari allows additional cookies from that same domain. What does that mean for the person sitting in front of the screen? Once Safari allows one cookie from the DoubleClick domain, it allows all cookies from doubleclick.net.

According to the FTC’s complaint, when people went to a Google page to learn how to opt out, Google specifically told Safari users they didn’t have to take any action to be opted out of DoubleClick targeted ads. As long as users didn’t change their browser settings, there was no need to do anything more to block the DoubleClick cookie because Safari’s default “effectively accomplishes the same thing as setting the opt-out cookie.”

But according to the FTC, Google sidestepped Safari’s default cookie-blocking setting by taking advantage of Safari’s narrow exception for forms. How so? When a Safari user visited a Google site or a site within Google’s ad network, Google used code to tell the browser that the person was submitting information through a form. That, in effect, “tricked” the system into allowing Google to place a temporary cookie from the DoubleClick domain. Once that was done, Katie, bar the door. Because of how Safari worked, a user’s computer would now accept all cookies from the DoubleClick domain, including the DoubleClick Advertising Cookie — the cookie Google represented would be blocked from Safari browsers. That, said the FTC, violated the consumer privacy protections imposed by the 2011 settlement. 
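To see why that wrinkle matters, here is a simplified model of the cookie policy as this post describes it, replayed over a constructed sequence of events. It is an added example, not Safari's or Google's code; the class and function names, the publisher.example site and the cookie labels are assumptions, and the second run (each cookie judged on its own) is a hypothetical stricter policy shown only for contrast.

```javascript
// Simplified model of the cookie policy as the post describes it; not Safari's code.
// All names (CookieJar, replay, publisher.example, cookie labels) are hypothetical.
class CookieJar {
  constructor(existingCookieUnlocksDomain) {
    this.existingCookieUnlocksDomain = existingCookieUnlocksDomain;
    this.store = new Map(); // cookie domain -> Set of cookie names
  }

  // Returns true if the cookie is stored, false if the policy blocks it.
  set({ pageDomain, cookieDomain, name, browserSeesFormSubmit }) {
    const thirdParty = cookieDomain !== pageDomain;
    const unlocked = this.existingCookieUnlocksDomain && this.store.has(cookieDomain);
    const allowed = !thirdParty || browserSeesFormSubmit || unlocked;
    if (allowed) {
      if (!this.store.has(cookieDomain)) this.store.set(cookieDomain, new Set());
      this.store.get(cookieDomain).add(name);
    }
    return allowed;
  }

  has(cookieDomain, name) {
    const names = this.store.get(cookieDomain);
    return names !== undefined && names.has(name);
  }
}

// Constructed event sequence: a page on publisher.example embeds doubleclick.net content.
const EVENTS = [
  { pageDomain: "publisher.example", cookieDomain: "doubleclick.net",
    name: "advertising-cookie", browserSeesFormSubmit: false },
  { pageDomain: "publisher.example", cookieDomain: "doubleclick.net",
    name: "temporary-cookie", browserSeesFormSubmit: true },
  { pageDomain: "publisher.example", cookieDomain: "doubleclick.net",
    name: "advertising-cookie", browserSeesFormSubmit: false },
];

// Replay the events against a fresh jar and report each decision plus the end state.
function replay(existingCookieUnlocksDomain) {
  const jar = new CookieJar(existingCookieUnlocksDomain);
  const decisions = EVENTS.map((e) => jar.set(e));
  return { decisions, adCookiePresent: jar.has("doubleclick.net", "advertising-cookie") };
}

console.log("policy as described:", replay(true));
console.log("each cookie judged alone:", replay(false));
```

Under the policy as described, the advertising cookie is blocked on the first attempt and accepted on the third, once the temporary cookie is in the jar; when each cookie has to qualify on its own, it stays blocked.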

Looking for more information? FTC staffers will discuss the settlement on Thursday, August 9th, at 1PM Eastern Time on Twitter (follow @FTC or tweet #FTCpriv) and Facebook. And check out FTC Chief Technologist Ed Felten's take on the case.


Comments

Will we receive any $$?

eBay also does this ripoff of data. How do I prevent eBay from taking my shopping history data and sharing or selling it to vendors?

Praise the Lord. I had to change both my Debit & Credit cards several times upon ordering something on line, only to find extra money had been taken out. One order I placed on line, I had been charged not only 2 x's, but the amount I was told I would be charged ended up being triple the amount. Even proving it by printing out the original receipt. That being for the Free Money 2012 by Kevin Trudeau. Calling after noticing that the next day was really wonderful. In spite of the proof, I can't tell you how many tele-marketers I spoke to, I even wrote the Reps name and badge # down the same night I placed my order. They still denied it. Thank goodness for the help from my Credit Union. What a joke. The charge was only to be, per Mr. Trudeau himself, was a one time charge. Which included his other book and some DVDs, was only to be $29.99/ for only his new book. His 1st book, & whatever else he included he said were to be free. I had so many fights with who I called, The Google Fu...., when I was constantly being forced out of everything I would enter while on my phone, and a comment would come up asking why I felt it had happened. Really? Even when I tried one day to call my Doctor back on my cell, it took me over 45 min to get thru, because my phone kept dropping my calls. When I finally did get thru, his Nurse had just picked up and DROP... The Google jerks replied that I grin and bear it. Yet, looking at what their replays were, comments on sites They said I had been on, when I never used my phone for that day. I always, for the most part, tried to be civil with them, but they would comment on my phone calls, who I called/who called me. The hardest thing, I would tell my cell phone carrier, Verizon, who I am sorry, they are far from being able to, "hearing me ever". They were no better 89% of the time. Reading this just confirms my thoughts all along. Excellent read!!!!!!

Sometimes Google is such a pain, like when I use YouTube or something that Google can link my email to, I get insane amounts of spam, and it tends to get really annoying...

Always use a pseudo or one-time use credit card # when making on-line purchases so that the card cannot be charged again. Citibank offers it, if your card administrator does not; ask them for this capability. Also, ask for two-factor authentication.
