FTC Fines Google $22.5 Million for Circumventing Safari’s Default Do-Not-Track Settings
Our digital ecosystem has generated a host of issues involving personal privacy rights, from the security of email and social media accounts to GPS surveillance and online behavioral tracking. Online tracking, which gathers data on individuals’ Web-surfing behavior for a range of commercial and other uses (including real-time bidding exchanges and other targeted advertising as well as sale by data brokers), has seen sharp growth in recent years — a recent study of the top 50 Websites estimates that on average there are more than 50 “data collection events” per page (mostly in the form of tracking cookies).
The contours of a legal framework for online tracking are being fleshed out, ever so gradually, through a mix of private litigation, stakeholder standards-setting efforts, legislation and occasional regulatory enforcement. As this process continues its slow and uncertain course, the Federal Trade Commission stepped in earlier this month to sanction Google for circumventing the default Do Not Track settings in Apple’s Safari browser and placing advertising tracking cookies in breach of assurances it had provided to users.
On August 9, the FTC announced that Google had agreed to pay a $22.5 million fine – the highest in FTC history for violation of a Commission order – to settle charges that it violated the FTC’s October 13, 2011 consent order when it misrepresented to users of Apple’s Safari browser that it would not install tracking cookies on their devices or serve them targeted ads.
The October 2011 consent order resolved FTC charges that Google used deceptive tactics and breached its privacy promises to consumers following the launch of its social networking tool, Google Buzz. Under the terms of that earlier settlement, Google was prohibited, among other things, from misrepresenting the extent to which consumers can exercise control over the collection, use or disclosure of their personal information.
The Commission’s announcement of the latest Google settlement included a statement from FTC Chairman Jon Leibowitz emphasizing the agency’s goal of ensuring that “companies live up to the privacy promises they make to consumers” and comply with FTC privacy orders:
The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order. No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.
Google’s Circumvention of Safari’s Default Do Not Track Settings
According to the FTC’s August 8, 2012 complaint, Google had assured users of Apple’s Safari browser that they would be exempt from tracking and ad targeting as long as they did not change Safari’s default Do Not Track setting. This setting blocked most types of third-party cookies, including those used for advertising-related tracking, but allowed certain third-party cookies including cookies placed as a result of “form submissions”, i.e., after a user submits a form on a Website (for example, to make a purchase or complete a survey).
Despite these Do Not Track assurances, the FTC alleged, Google placed tracking cookies on computers of Safari users when they visited sites in Google’s DoubleClick ad network over the course of several months in 2011 and 2012, and did so by circumventing Safari’s cookie-blocking settings with “form submissions” created by Google code that was invisible to these users.
Details of Google’s actions first came to light in mid-February 2012 as a result of a study by Stanford grad student Jonathan Mayer and two Wall Street Journal articles (part of the WSJ’s “What They Know” series on online collection of personal information). (FTC Chief Technologist Ed Felten, who is returning to Princeton University next month, has also provided a good technical explanation on the Tech@FTC blog.)
Google reportedly claimed that the circumvention was not intentional. Mr. Mayer, on the other hand, maintained that “Google intentionally bypassed Safari’s cookie blocking feature to place an identifying cookie that it uses for social advertising.”
Google Agrees to Settlement Terms but Denies Liability
Under the terms of the proposed settlement, Google is required to pay a civil penalty of $22.5 million and, until February 15, 2014, to maintain systems configured to instruct Safari browsers to expire any DoubleClick cookie (excluding opt-out cookies) placed by Google on or before February 15, 2012. Google is also obligated to provide the FTC with a report on its remediation efforts within 20 days of the end of the remediation period (i.e., by March 7, 2014).
In resolving the FTC’s Safari charges, Google expressly denied the FTC’s allegations:
[Google] denies any violation of the FTC Order [involving Google Buzz], any and all liability for the claims set forth in the Complaint, and all material allegations of the Complaint save for those regarding jurisdiction and venue.
Stipulated Order and Judgment at 2, ¶ 2.
The FTC approved the proposed consent decree by a 4-1 vote. Commissioner J. Thomas Rosch dissented, arguing that it “cannot be concluded that the consent decree is in the public interest when it contains a denial of liability,” though he apparently would be comfortable with a liability-neutral statement:
I see no reason why the more common “neither admits nor denies liability” language would not adequately protect Google from collateral estoppel in those lawsuits.
Commissioner Rosch dissented for similar reasons from the FTC’s Aug. 10, 2012 approval of the final consent order in In the Matter of Facebook, Inc., File No. 092 3184, Docket No. C-4365 (see Agreement Containing Consent Order at 2, ¶ 5: Facebook “expressly denies the allegations set forth in the complaint, except for the jurisdictional facts”), adding that the FTC’s “Rules of Practice do not provide for such a denial.”
In addition, he suggested that language currently allowed under the Commission’s Rule 2.32 (16 C.F.R. § 2.32) – a settlement agreement “may state that the signing thereof is for settlement purposes only and does not constitute an admission by any party that the law has been violated as alleged in the complaint” – may be “tantamount to a denial.” The Securities and Exchange Commission, he noted,
has concluded that “a refusal to admit the allegations is equivalent to a denial, unless the defendant or respondent states that he neither admits nor denies the allegations,”
and the FTC should consider “similarly embrac[ing] the ‘neither admits nor denies’ model language.”
In a separate statement, the commissioners who voted to approve the Google consent order said they “strongly disagree[d]” with Commissioner Rosch’s view on the effect of a denial but shared his underlying goal of protecting the legitimacy of FTC settlements, and that in the future, “express denials will be strongly disfavored” and a change to Rule 2.32 will be considered. (Interestingly, Commissioner Rosch raised no such objection when he concurred in accepting the March 30, 2011 proposed Google Buzz consent agreement, which included (in Section 5) the Rule 2.32 language discussed in his Facebook dissent.)
* * *
According to the Wall Street Journal, Google’s circumvention of Safari’s default Do Not Track settings may still be subject to inquiries by several state attorneys general, including New York Attorney General Eric Schneiderman, as well as authorities in the European Union. Google’s FTC settlement also comes against the backdrop of ongoing private litigation spawned by the Safari matter. One of the first putative class action complaints was filed in the District of Delaware on Feb. 17, 2012 (Soble v. Google, Inc., C.A. No. 1:12-00200), and on June 12, 2012, the U.S. Judicial Panel on Multidistrict Litigation transferred to the District of Delaware a number of putative nationwide class actions pending in other districts for coordinated or consolidated pretrial proceedings with the Soble litigation. The multidistrict litigation, In re Google Inc. Cookie Placement Consumer Privacy Litig., now comprises more than 20 federal actions.
 See, e.g., In re Hulu Privacy Litig., No. C 11-03764 LB (N.D. Cal. Aug. 10, 2012) (denying motion to dismiss claims under Video Privacy Protection Act, 18 U.S.C. § 2710 involving alleged use of code containing tracking identifiers that “respawned” or “resurrected” previously-deleted cookies); Del Vecchio v. Amazon.com, Inc., Case No. C11-366RSL (W.D. Wash. June 1, 2012) (court dismissed with prejudice class action claims alleging use of tracking cookies violated Computer Fraud and Abuse Act and requested further briefing on claim under Washington Consumer Protection Act); In re Facebook, Inc. Internet Tracking Litig., No. 5:12-md-02314-EJD (N.D. Cal.) (May 23, 2012 Corrected First Amended Consolidated Class Action Complaint and July 2, 2012 motion to dismiss) (alleging Facebook used cookies that, without users’ consent, tracked users’ browsing activity after they logged out of Facebook); Bose v. Interclick, Inc., No. 10 Civ. 9183 (DAB) (S.D.N.Y. Aug. 17, 2011) (alleged improper use of Adobe Flash cookies; most claims dismissed with prejudice); In re Quantcast Advertising Cookie Litig., No. CV 10-5484-GW(JCGx) (C.D. Cal.) (July 23, 2010 initial complaint and June 13, 2011 Final Order and Judgment) (involving alleged improper use of HTTP and Adobe Flash cookies); La Court v. Specific Media, Inc., 8:10-cv-01256-GW-JCG (C.D. Cal. Apr. 28, 2011) (dismissing on Art. III standing grounds claims involving alleged improper use of Adobe Flash cookies).
Tracking has also been at issue in litigation involving allegations of illegal tracking of cellphone users. See, e.g., In re Carrier IQ, Inc. Consumer Privacy Litig., MDL No. 2330 (N.D. Cal.) (Apr. 16, 2012 transfer order).
 In its March 2012 privacy report, the Federal Trade Commission called for the creation of an “easy-to-use, persistent and effective Do Not Track system” and voiced its support for ongoing stakeholder efforts, including the Digital Advertising Alliance’s icon-based tool and work by the W3C’s Tracking Protection Working Group (“TPWG”) to develop a voluntary international Do Not Track (“DNT”) standard that expresses a user’s preference about online tracking through use of a DNT field in the HTTP header. The implicit threat: if industry refuses to act, government regulators will take the reins and impose a “Do Not Track” regime.
The TPWG is currently developing two DNT-related specifications: the “Tracking Preference Expression” specification (see latest working and editor’s drafts), which defines the technical mechanisms for DNT, and the “Tracking Compliance and Scope” specification (see latest working and editor’s drafts), which defines the meaning of a DNT preference and the practices for Website compliance with DNT.
One of the more contentious issues before the TPWG is the extent to which advertisers and others will agree to respect a Do Not Track signal turned on (i.e., signaling that the user does not want to be tracked) by default by a browser maker, an issue that has attracted particular attention as a result of Microsoft’s May 31, 2012 announcement that Internet Explorer 10 will employ such a default setting. (Other key issues include whether tracking will be permitted without express user consent and whether DNT means do-not-collect, with narrow exceptions (the FTC’s position), or do-not-target.)
It appears that although Safari, Firefox and Opera also support the DNT header, IE 10 will be the first browser to ship with a default setting of DNT:1 (meaning the user does not want to be tracked). Some TPWG participants are urging respect for a default “DNT:1” setting; others argue that a browser default setting of DNT:1 does not represent a choice by a user, would not be compliant with the standard, and should not be respected. Potential alternative default settings include DNT:0 (tracking is OK) and a null (no signal) setting. The TPWG’s June 6, 2012 unofficial draft compromise proposal (§ 1.1) provides: “An ordinary user agent [e.g., Apple’s Safari browser] MUST NOT send a Tracking Preference signal without a user’s explicit consent.”
The FTC’s March 2012 privacy report called for “best practices includ[ing] making privacy the ‘default setting’ for commercial data practices . . . .” Representatives Edward J. Markey (D-MA) and Joe Barton (R-TX), senior members of the House Energy and Commerce Committee and co-Chairmen of the House Privacy Caucus, sent the TPWG a June 19, 2012 letter urging the group to endorse a default Do Not Track setting and support Internet Explorer 10’s anticipated default DNT:1 setting. In a June 20, 2012 letter to the TPWG, FTC Commissioner J. Thomas Rosch asserted that “Microsoft’s default DNT setting means that Microsoft, not consumers, will be exercising choice as to what signal the browser will send.” Robert Madelin, Director General for Information Society and Media in the European Commission, sent a June 21, 2012 letter to the TPWG suggesting that the DNT standard should not address the default standard; instead, on installation or first use of a browser, users “should be informed of the importance of their DNT choice, told of the default setting and prompted or allowed to change that setting.”
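Added example (not from the original article or from any party it discusses): Node.js code showing how a server could act on the three DNT states described above, DNT:1, DNT:0 and no signal, and expire an identifier cookie when the user opts out. The cookie name `ad_id`, the `unsetMeansTrack` option and the fail-closed handling of malformed values are assumptions made for illustration.

```javascript
const { randomUUID } = require('crypto');

// The three signal states named in the text: DNT:1, DNT:0, and no signal.
const DNT = Object.freeze({ OPT_OUT: 'opt-out', CONSENT: 'consent', UNSET: 'unset' });

// Classify the DNT request header. Node lower-cases header names and joins
// repeated headers with ", ", so a client can present several values at once.
function parseDnt(headers) {
  const raw = headers['dnt'];
  if (typeof raw !== 'string') return DNT.UNSET;
  const values = raw.split(',').map((v) => v.trim()).filter(Boolean);
  if (values.length === 0) return DNT.UNSET;
  // Assumed policy: malformed or conflicting values fail closed to opt-out.
  const allValid = values.every((v) => v === '0' || v === '1');
  if (!allValid || values.includes('1')) return DNT.OPT_OUT;
  return DNT.CONSENT;
}

// Decide which Set-Cookie headers an ad response may carry.
// `unsetMeansTrack` is the operator's answer to the open default question:
// the header alone cannot show whether a value came from the user or the browser.
function cookiePlan(headers, { unsetMeansTrack = false } = {}) {
  const state = parseDnt(headers);
  const track = state === DNT.CONSENT || (state === DNT.UNSET && unsetMeansTrack);
  const attrs = 'Path=/; Secure; SameSite=None';
  const setCookie = track
    ? [`ad_id=${randomUUID()}; Max-Age=2592000; ${attrs}`] // hypothetical identifier cookie
    : [`ad_id=; Max-Age=0; ${attrs}`]; // expire any identifier already stored
  return { state, track, setCookie };
}

// Constructed sample requests, not captured traffic.
const samples = [{ dnt: '1' }, { dnt: '0' }, {}, { dnt: 'yes' }, { dnt: '0, 1' }];
for (const h of samples) {
  const plan = cookiePlan(h);
  console.log(JSON.stringify(h), '->', plan.state, plan.track ? 'track' : 'no-track');
}
```

With `unsetMeansTrack` left at `false`, a request carrying no DNT header is treated the same as DNT:1, which is the privacy-by-default reading; setting it to `true` models the opposite position in the default-setting debate.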
When it comes to privacy law in general, as well as online tracking in particular, the U.S. has (thus far, at least) taken a patchwork-quilt approach. Compare, e.g., Children’s Online Privacy Protection Act of 1998 (governs the online collection, use, and disclosure of personal information of children under the age of 13) with the European Union’s broader approach (Art. 5.3 of the ePrivacy Directive 2002/58/EC (as amended by Directive 2009/136/EC) (a.k.a. the “cookie law”; requires (with limited exceptions) user’s informed consent before installation of HTTP cookies and other technologies (presumably including HTML5 local storage) that store and access data on a user’s device); see also the Article 29 Data Protection Working Party’s Opinion 04/2012 on Cookie Consent Exemption (explaining circumstances under which cookies and equivalent technologies are exempted from prior-consent requirement)).
Recent federal and state legislative proposals have included H.R. 654: Do Not Track Me Online Act (Rep. Jackie Speier (D-CA); introduced Feb. 11, 2011); S. 913: Do-Not-Track Online Act of 2011 (Sen. John D. Rockefeller (D-WV); introduced May 9, 2011); and California SB 761 (California State Sen. Alan Lowenthal (D-Long Beach); introduced Apr. 4, 2011; proposed a “do not track” requirement to be implemented by the California Attorney General).
Online tracking was also addressed in two recent Congressional hearings. On June 19, 2012, the House Judiciary Committee’s Subcommittee on Intellectual Property, Competition and the Internet held a hearing on “New Technologies and Innovations in the Mobile and Online space, and the Implications for Public Policy” (discussing among other things the respective benefits of self-regulatory regimes and comprehensive federal privacy legislation). The Senate Commerce, Science, and Transportation Committee followed with a June 28, 2012 hearing on “The Need for Privacy Protections: Is Industry Self-Regulation Adequate?” (with Committee Chairman Sen. John D. Rockefeller (D-WV) urging adoption of “Do Not Track” legislation.)
 See, e.g., In the Matter of Chitika, Inc., FTC File No. 1023087 (approving final order settling charges that online advertising company deceptively tracked consumers’ online activities in violation of Section 5(a) of the Federal Trade Commission Act (15 USC § 45(a)) protecting consumers from “unfair” or “deceptive” acts or practices).
Clearly Google knows that it was in the wrong. After the company was confronted about the Stanford research, it changed its advice page, removing the specific references to Safari.
In support of its assertion, Consumer Watchdog provided links to a February 14, 2012 screenshot of Google’s Advertising Cookie Opt-out Plugin advice page and a February 15, 2012 screenshot of what it characterized as “the sanitized” advice page.
 Commissioner Rosch’s view is reminiscent of the position taken by U.S. District Court Judge Jed S. Rakoff in a proposed regulatory settlement last November – except that Judge Rakoff objected to a proposed SEC consent judgment pairing “without admitting or denying” language with an evidentiary record the court found was inadequate. See SEC v. Citigroup Global Markets, 11 Civ. 7387 (JSR) (S.D.N.Y. Nov. 28, 2011) (rejecting proposed $285 million settlement “because the Court has not been provided with any proven or admitted facts upon which to exercise even a modest degree of independent judgment”) (district court proceedings have been stayed while appeals by both Citigroup and the SEC are pending before the Second Circuit; Judge Rakoff’s 2d. Cir. brief is available here); cf. SEC v. Vitesse Semiconductor Corp., 771 F.Supp.2d 304 (S.D.N.Y. 2011) (Judge Rakoff approved proposed consent judgments but expressed concern about “without admitting or denying” language).