Google has reportedly agreed to pay a record $22.5 million fine to the Federal Trade Commission to settle charges that it violated a privacy consent decree it signed with the agency, the Wall Street Journal reported Monday.
Google, which signed a 20-year privacy agreement with the FTC following the ill-fated Google Buzz, was investigated for using a sneaky, but well-known, tactic to bypass the strong default cookie settings on Apple’s Safari browser. Google defended the practice, saying it was simply trying to put a +1 button on Google Ads that could be used by signed-in Google users.
The proposed fine – one of the largest ever levied by the FTC – won’t hurt Google’s bottom line – at least not in the short term – but it’s a major PR loss for the search giant, which is battling with regulators in the States and in Europe over its privacy practices and accusations that it abuses its near-monopoly on search.
As privacy violations go, the Safari cookie workaround was rather minor, but little missteps by Google give authorities a way to publicly punish the company and try to force the company to be much more deliberate about privacy. Facebook is under a similar 20-year decree after the FTC accused the company of a litany of more major privacy violations, including bait-and-switch promises about what information was private, making misleading promises about app security and not deleting user photos when a user closed a Facebook account.
That said, the consent decree Google signed did not prevent the company from making a radical change to its privacy practices and policies in March that laid the groundwork for Google to create the web’s most comprehensive – and potentially scary – online profiles of users. Google followed all the best practices – notifying users prominently – even annoyingly – for months about the change.
Despite those notices, it’s doubtful that users had any idea how momentous the changes actually were, though Google claims it was just simplifying things for users by letting Google combine the data it harvests from your use of its search engine, YouTube, Gmail and visits to websites that have Google-powered ads or +1 buttons. (So far, Google Analytics data remains outside the profile, but you won’t find that in the privacy policy, just in a little-noticed blog post by the Analytics team.)
But we live in a country with an absence of any real privacy legislation that requires large companies, both online and offline, to abide by Fair Information Practices. Those require companies to tell you when and why they collect data, use the data only for the original purpose, allow you to opt-out, and let you see and correct the data collected about you. That’s how an Irish Facebook user was able to force the social networking giant to divulge all the info the company had stored about him.
In absence of such rules, there’s nothing the FTC can do to stop the real privacy invasions like Google’s new privacy policy. Instead, the FTC can only watch warily and hope that the giants of the web make some misstep somewhere, however minor, and use that to publicly shame and tarnish the company.
So good on the FTC for smacking Google’s hands for reaching into the Safari cookie jar.
But until there’s a real privacy framework that governs not just Google and Facebook but also your credit card company and creepy data brokers, privacy actions by U.S. regulators amount to not much more than Occupy protestors wielding eye-catching over-sized puppets outside a greedy investment firm as a way to reform a rapacious financial system.
Which isn’t to say such tactics are useless — even Bloomberg’s news stories now routinely refer to the 1%, but it’s a circuitous tactic used by the largely powerless to try to reform the powerful.
Your privacy deserves better.