Skip to main content

#MLWashingtonCyberWatch: 2017 FTC and Google Complaint

Google’s recent changes to its privacy policy are coming under fire from a complaint filed late last year with the Federal Trade Commission (“FTC”) that accuses the company of downplaying “transformational change” in its handling of user data.  #MLWashingtonCyberWatch will be keeping track of how the 2017 FTC addresses this complaint.

On June 28, 2016, Google notified its users of changes to its privacy policy that would “give you more control over the data Google collects and how it’s used, while allowing Google to show you more relevant ads.” However, a complaint submitted by advocacy groups Consumer Watchdog and Privacy Rights Clearinghouse on December 5th (the “Complaint”) alleges that not only are the changes themselves in violation of previous agreements between Google and the FTC as well as Section 5 of the Federal Trade Commission Act which prohibits unfair or deceptive acts or practices in or affecting commerce, but also that the announcement of these changes intentionally misled users who, in the words of the Complaint, “had no way to discern from the wording that Google was breaking from a nearly decade-old practice.”

The crux of the issue.

Google’s decision to combine two distinct categories of data – its users’ personally identifiable information connected to their Google accounts with its advertisers’ vast browsing data – is the driving force behind the Complaint’s assertion that “Google has engaged in a dangerously invasive and far-reaching appropriation of user data.” Privacy advocates also contend that Google fell short of its duty to accurately explain the changes to its users, causing many to accept changes that undermine their personal privacy and anonymity without fully understanding the consequences. Google counters that it is merely offering users a more personalized advertising experience while creating a more profitable environment for advertisers.

What is certain is that removing this data barrier strips away an important bulwark of anonymity on the Internet and also provides companies like Google with a more detailed picture than ever before of the lives and habits of individual users. This new reality is troubling since individuals have far less control over the security of their data and may not be aware that making one piece of information available to a website could suddenly allow online service providers to identify them personally and make predictions and adjustments to their user experience. This type of activity will certainly intensify should data practices akin to what Google is doing under its new privacy policy be tolerated.

Some historical perspective.

According to the Complaint, the worrisome evolution of Google’s policy changes does not come as a surprise considering the company’s history of circumventing data privacy regulations.

When Google acquired ad provider DoubleClick in 2007, it was forced to pledge to Congress, the FTC and the public at large that the browsing data collected by DoubleClick’s cookies would remain separate from the company’s massive collection of user information. A few years later in 2010, Google was once again in the privacy spotlight for issues surrounding the newly released Google Buzz social network. This resulted in a Consent Order between Google and the FTC (the “Buzz Consent Order”) mandating that Google not misrepresent the degree to which it protects user data and that it adhere to the now-invalidated US-EU Safe Harbor Framework.

Only a few months after the Buzz Consent Order went into effect, Google’s policies changed again when it moved to consolidate user data across all of its services, creating user profiles that linked information from Maps, YouTube, Chrome, and other Google platforms without an option to opt-out. In 2012, Google paid a $22.5 million settlement, one of the largest in FTC history, after being accused of violating the Buzz Consent Order by covertly circumventing Apple Safari’s privacy settings to install cookies and track consumer’s online activity.

Is competition a viable solution? 

Google’s oft-repeated response to criticisms of its data use and collection practices is that “competition is only one click away.” Whether this argument continues to hold water as Google rapidly expands its range of consumer services and devices is uncertain and is already prompting increased scrutiny. The FTC’s response to the most recent allegations could have a significant impact on consumer privacy and make clear to the entire tech industry what is permissible when it comes to storing and leveraging information provided by sophisticated and unwitting users alike.

Subscribe To Viewpoints

Authors

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.
Michael B. Katz is a Mintz corporate attorney who focuses on mergers & acquisitions, private equity transactions, and venture capital financings. He regularly assists clients with commercial contract negotiations, licensing agreements, and data privacy & security matters and advises startup and emerging companies.

Joanne Dynak