The FTC v. Google Saga—Episode II: What Lessons for U.S. Businesses?

Aug. 22, 2012, 9:24 PM UTC

The Federal Trade Commission has published its long-awaited [1] proposed consent order with Google Inc. [2] to close its second investigation into Google’s practices (Google II). Under this order (Google II Consent Order), Google would agree to pay a record $22.5 million civil penalty to settle charges that it misrepresented to users of Apple’s Safari browser that it would not place tracking cookies on their browser, or serve targeted ads, and that these individuals did not need to take any action to be opted out of DoubleClick targeted advertisements. The settlement would also require Google to disable all tracking cookies that it said it would not place on consumers’ computers, and to report to the FTC by March 2014 on how it has complied with this remediation requirement. According to the FTC, this settlement is “intended to provide a strong message to Google and other companies under order that their actions will be under close scrutiny, and that the Commission will respond to violations quickly and vigorously.” [3]

[1] The news of the proposed consent order, and of the proposed $22.5 million settlement amount, had been leaked in early July. See, e.g., Google, FTC at Work on Settlement Over Apple Privacy Bypass, Company Says, 11 Privacy & Sec. Law Rep. (Bloomberg BNA) 1129 (July 16, 2012) (11 PVLR 1129, 7/16/12).

[2] Proposed Stipulated Order for Permanent Injunction and Civil Penalty Judgment, United States v. Google Inc., No. 5:12-cv-04177-HRL (N.D. Cal. Aug. 8, 2012), available at http://ftc.gov/os/caselist/c4336/120809googlestip.pdf [hereinafter Google II Consent Order] (11 PVLR 1255, 8/13/12).

[3] Statement of the Commission, Federal Trade Commission, United States of America v. Google Inc. (Aug. 9, 2012), available at http://www.ftc.gov/os/caselist/c4336/120809googlestatement.pdf.

Unique Case

This Google II action is not just another FTC case under Section 5 of the FTC Act. [4] It is unique in many respects. The case is the second one against Google in less than 12 months. The FTC does not have the authority to fine a company under Section 5 of the FTC Act, but it can fine a company that violates a consent order with the commission. The FTC took that power into account and built on its prior case against the company (Google I). [5] The arguments are in some respects different than in other similar cases addressing consumer privacy, and the complaint (Google II Complaint) and proposed order provide significant insight into the reasoning of the FTC, which is very valuable information for companies that collect or use personal information and prefer to reduce the risk of government action.

[4] 15 U.S.C. § 45.

[5] Decision and Order, In re Google Inc., No. C-4336 (FTC Oct. 13, 2011), available at http://ftc.gov/os/caselist/1023136/111024googlebuzzdo.pdf [hereinafter Google I Consent Order] (10 PVLR 1565, 10/31/11).

Among these unique aspects, consider, for example, the following:

  • The proposed Google II Consent Order results from the second action against a single company in less than 12 months—an unusual circumstance.


  • The penalty to be assessed is a record amount.


  • The Google II Complaint focuses on violations of a prior consent order, rather than a violation of Section 5 of the FTC Act.


  • Some events that constituted violations are novel; i.e., the role of the violation of the Network Advertising Initiative (NAI) Code of Conduct.

The documents published by the FTC about this second enforcement action provide numerous indications of the current vision and expectations of the FTC. This article will focus primarily on what the documents surrounding the Google II enforcement action reveal of the views of the FTC, and what the FTC expects from companies. Before delving into this analysis and its implications for U.S. businesses, we will first provide a brief explanation of the Google II case, and the high points of what is becoming the FTC v. Google saga.

Google II Overview

The incidents that led to the Google II investigation are described at length in the Google II Complaint. [6] The complaint alleges that, for several months in 2011 and 2012, Google placed a certain advertising tracking cookie on the computers of Apple Safari users who visited sites within Google’s DoubleClick advertising network, although Google had previously represented to users of Safari that they would be automatically opted out of such tracking as a result of the default settings of the Safari browser used in Macs, iPhones and iPads. In fact, these users did receive tracking cookies and targeted advertisements as a consequence of Google bypassing a feature of the Safari program that, by default, blocked third-party cookies.

[6] Complaint, United States v. Google Inc., No. 5:12-cv-04177-HRL (N.D. Cal. Aug. 8, 2012), available at http://ftc.gov/os/caselist/c4336/120809googlecmptexhibits.pdf [hereinafter Google II Complaint].

According to the Google II Complaint, Google represented to Safari users that it would not place third-party advertising cookies on the browsers of Safari users who had not changed the default browser setting (which by default, blocked third-party cookies) and that it would not collect or use information about users’ web-browsing activities. Google also represented that because the Safari browser is set by default to block third-party cookies, as long as users do not change their default browser settings, this setting “effectively accomplishes the same thing as [opting out of this particular Google advertising tracking cookie].” According to the Google II Complaint, these representations were found to be false, resulting in a violation of Google’s obligation under Part IA of the consent order in Google I (Google I Consent Order). [7]

[7] Specifically Part I of the Google I Consent Order prohibited Google from: “misrepresenting in any manner, expressly or by implication: A. The extent to which respondent maintains and protects the privacy and confidentiality of any covered information, including, but not limited to, misrepresentations related to: (1) the purposes for which it collects and uses covered information, and (2) the extent to which consumers may exercise control over the collection, use, or disclosure of covered information.” Google I Consent Order, supra note 5, at 3.

In addition, the Google II Complaint charged that Google represented that it is a member of the NAI, an industry group that requires members to adhere to its self-regulatory code of conduct, including disclosure of their data collection and use practices. [8] The FTC charged that this misrepresentation violated Google’s obligation under Google I Consent Order, Part IB. [9]

[8] Press Release, Federal Trade Commission, Google Will Pay $22.5 Million to Settle FTC Charges It Misrepresented Privacy Assurances to Users of Apple’s Safari Internet Browser (Aug. 9, 2012) [hereinafter Google II Press Release].

[9] Specifically Part I of the Google I Consent Order prohibited Google from: “misrepresenting in any manner, expressly or by implication: [… ] B. The extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other entity, including, but not limited to, the U.S.-EU Safe Harbor Framework.” Google I Consent Order, supra note 5, at 3.

The FTC argued in the Google II Complaint that, by doing so, Google had misrepresented its activities to the Safari users, and that these misrepresentations constituted a violation of the earlier privacy settlement between Google and the FTC in Google I, which was finalized Oct. 24, 2011.

The Google II Complaint was filed pursuant to Sections 5(l) and 16(a) of the FTC Act. [10] Section 5(l) provides for a civil penalty—currently $16,000—for each violation of a final order of the FTC (in this case, violation of the Google I Consent Order of October 2011). Section 16(a) defines, among other things, the procedure to be used to enforce Section 5(l).

[10] 15 U.S.C. §§ 45(l), 56(a).

The proposed Google II Consent Order would require Google to: [11]

  • pay a $22.5 million civil penalty pursuant to Section 5(l) of the FTC Act; [12]

  • maintain, until Feb. 15, 2014, a system to instruct Safari web browsers to expire any DoubleClick.net cookie placed by Google before the beginning of the Google enforcement action; and

  • report to the FTC, by March 8, 2014, how it has complied with the above obligation.

[11] Google II Consent Order, supra note 2, at 3-4.

[12] 15 U.S.C. § 45(l).

Second FTC Action Against Google in 12 Months

The Google saga started as a result of an incident that occurred in early 2009, when Google launched its social networking service called “Google Buzz” within its Gmail product. Google used the information of Gmail users to populate the new social network. “Without prior notice or the opportunity to consent, Gmail users were, in many instances, automatically set up with ‘followers’ … .” [13] When the Buzz service was launched, many Gmail users found out that the service had automatically generated lists of followers and people to follow, using the individuals’ email contact lists. Unfortunately, in some cases, these lists included very sensitive or confidential information, such as the contact information of individuals against whom the Gmail user had obtained a restraining order, or of an abusive ex-spouse or partner, or those of clients of a mental health professional. [14] As a result of the public outcry, Google made some changes, but the incident attracted the regulators’ attention, including that of the FTC, which started an enforcement action on the charges that Google used deceptive tactics and violated its own privacy promises to consumers when it launched the Buzz social network in 2010. [15]

[13] Complaint, In re Google Inc., No. C-4336 (FTC Oct. 13, 2011), available at http://ftc.gov/os/caselist/1023136/111024googlebuzzcmpt.pdf.

[14] Id.

[15] Id.

This action resulted in the Google I Consent Order, which became final in October 2011. [16] This order included several obligations, such as requiring Google to:

  • cease any misrepresentation with respect to the extent to which the company maintains and protects the privacy and confidentiality of information or complies with compliance programs (Part I); [17]

  • obtain express affirmative consent of individuals before changing its data-sharing practices (Part II);

  • establish a comprehensive privacy program (Part III);

  • obtain biennial assessments of its privacy practices for 20 years (Part IV); and

  • maintain certain records (Part V).

[16] Google I Consent Order, supra note 5.

[17] The basis for the FTC enforcement action in Google II is found in this first obligation laid out in the Google I Consent Order. Google I Consent Order, supra note 5, at 3.

In addition, as for all final consent orders issued by the FTC, the Google I Consent Order carried the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000, under Section 5(l) of the FTC Act. [18]

[18] 15 U.S.C. § 45(l).

Rare Case of Successive Enforcement Actions

Google has the unusual privilege of having been under FTC scrutiny twice in less than 12 months. This is not unique, but it seldom happens. Only very few companies have been the subject of multiple or successive FTC enforcement actions. These include, for example, Sony BMG Music Entertainment, [19] First American Real Estate Solutions, [20] DIRECTV, [21] and to some extent ChoicePoint. [22] In each of these cases, however, the second action was based on different types of violations. The FTC started de novo, and did not link the first case to the second.

[19] Decision and Order, In re Sony BMG Music Entm’t, No. C-4195 (FTC June 28, 2007), available at http://www.ftc.gov/os/caselist/0623019/0623019do070629.pdf (regarding toolkit issue); United States v. Sony BMG Music Entm’t, No. 1:08-cv-10730-LAK (S.D.N.Y. Dec. 15, 2008) available at http://www.ftc.gov/os/caselist/0823071/081211consentp0823071.pdf (regarding Children’s Online Privacy Protection Act violation) (7 PVLR 1751, 12/15/08).

[20] Agreement Containing Consent Order, In re First Am. Real Estate Solutions, LLC, No. 952 3267 (FTC 1998), available at http://www.ftc.gov/os/1998/10/9523267agr.htm (regarding Fair Credit Reporting Act violations); Decision and Order, In re First. Am. Real Estate Solutions, LLC, No. C-3849 (FTC Jan. 27, 1999), available at http://www.ftc.gov/os/1999/08/faresorder.htm (regarding FCRA and FTC Act violations).

[21] Stipulated Judgment and Order for Permanent Injunction Against DIRECTV, Inc., United States v. DIRECTV, Inc., No. 2:09-cv-02605-PA-FMO (C.D. Cal. Apr. 23, 2009), available at http://www.ftc.gov/os/caselist/0923098/090416directvstipjdmt.pdf (regarding violation of Do Not Call and Telemarketing Sales Rules) (8 PVLR 590, 4/20/09); Stipulated Judgment and Order for Permanent Injunction Against DIRECTV, Inc., United States v. DIRECTV, Inc., No. 8:05-cv-01211-DOC-AN (C.D. Cal. Dec. 13, 2005), available at http://www.ftc.gov/os/caselist/0423039/051213stipdirectv0423039.pdf (regarding violations of Do Not Call and Telemarketing Sales Rules) (4 PVLR 1531, 12/19/05).

[22] Stipulated Final Judgment and Order for Civil Penalties, Permanent Injunction, and Other Equitable Relief, United States v. ChoicePoint Inc., No. 1:06-cv-00198 (N.D. Ga. Feb. 10, 2006), available at http://www.ftc.gov/os/caselist/choicepoint/0523069stip.pdf [hereinafter 2006 ChoicePoint Order] (5 PVLR 110, 1/30/06); Supplemental Stipulated Judgment and Order for Permanent Injunction and Monetary Relief, United States v. ChoicePoint Inc., No. 1:06-cv-00198 (N.D. Ga. Oct. 14, 2009), available at http://www.ftc.gov/os/caselist/choicepoint/091019choicepointstiporder.pdf (8 PVLR 1527, 10/26/09); Second Stipulated Order for Permanent Injunction, United States v. ChoicePoint Inc., No. 1:06-cv-00198 (N.D. Ga. Sept. 3, 2010), available at http://www.ftc.gov/os/caselist/choicepoint/100902choicepointstip.pdf.

Google II is different. There, the FTC pursues Google as a recidivist. The Google II Complaint does not look at Google’s behavior as a violation of the law. Rather, the FTC claims that Google’s statements about its practices and policies are wrong and inaccurate, and constitute a misrepresentation of its actual practices, and this misrepresentation violates a prior settlement with the FTC, dated October 2011 (Google I). Thus, unlike the other cases of successive enforcement actions against a single company, the Google II case has its foundation on the violation of a prior settlement rather than a violation of the FTC Act.

Violation of Existing Consent Order

In most cases, an FTC enforcement action will be based on some activities that the FTC deems to constitute misrepresentation or deceptive practices and that violate Section 5(a) of the FTC Act—the section that gives the FTC the power to prevent companies from using unfair or deceptive acts or practices or unfair methods of competition, “in or affecting commerce.” [23] Other enforcement actions may be based on other laws or regulations, such as the Children’s Online Privacy Protection Act (COPPA) or the Do Not Call provisions of the Telemarketing Sales Rule.

[23] Section 5(a)(2) of the FTC Act provides: “The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, […] from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(2).

Even though it was prompted by actions that might be deemed “deceptive acts” under Section 5(a) of the FTC Act, the FTC action in Google II [24] does not deal directly with these actions as deceptive acts that violate Section 5(a) of the FTC Act.

[24] Federal Trade Commission, List of FTC Documents Relating to United States v. Google Inc. (No. 5:12-cv-04177-HRL), http://ftc.gov/os/caselist/c4336/index.shtm (last visited Aug. 16, 2012).

Instead, the Google II enforcement action is based on the fact that Google’s activities are found to violate the prior settlement with the FTC dated October 2011 (Google I). For this, the FTC takes advantage of its powers under Section 5(l) of the FTC Act, [25] so that it can assess a significant civil penalty against Google for recidivism. Section 5(l) of the FTC Act [26] grants the FTC the power to assess a penalty of $16,000 per violation against any person or entity that violates an order of the commission after it has become final.

[25] 15 U.S.C. § 45(l).

[26] Id.

The application of Section 5(l) allowed the FTC to assess a significant penalty against Google, in the amount of $22.5 million, which takes into account the nature of the alleged violations, and the significant revenue that Google may have derived from its alleged deceptive acts, and the bypassing of the Safari feature that blocked third-party cookies by default. While the $22.5 million does not reflect the actual number of violations that occurred during the 2011-2012 period covered by the enforcement action, the scale of the revenue generated by Google from its advertisement program may have been a significant factor in determining the amount of the civil penalty.

A Record Penalty

The proposed Google II Consent Order sets a clear message that the FTC is serious about compliance and enforcement. The $22.5 million civil penalty imposed on Google is the “highest fine ever levied for violation of a Commission consent order.” [27] The “record setting penalty in this matter sends a clear message to all companies under an FTC privacy order.” [28] “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.” [29]

[27] Google II Press Release, supra note 8 (citing FTC Chairman Jon Leibowitz).

[28] Statement, supra note 3, at 1.

[29] Google II Press Release, supra note 8.

Even when compared with the $15 million price tag in the 2006 ChoicePoint case, [30] where security lapses had led to unauthorized access to more than 163,000 consumer records, the size of the penalty that Google has agreed to pay under the proposed Google II settlement is significant. In its 2006 FTC enforcement action against ChoicePoint, one of the early large breach of security cases, the FTC required a $15 million payment from the data broker, comprised of a $10 million civil penalty, and $5 million for consumer redress. [31]

[30] See 2006 ChoicePoint Order, supra note 22.

[31] Press Release, Federal Trade Commission, ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress (Jan. 26, 2006).

Google II is different from ChoicePoint, however, in that the Google II case was presented as a violation of the Google I order. Thus, the size of the civil penalty against Google is directly related to the nature of the action itself, as opposed to the nature of the privacy rights violation. In its statement, the FTC explains: “That the violations alleged in the Commission’s federal court complaint have warranted so significant a penalty signals to Google and other companies that the Commission will vigorously enforce its orders.” [32]

[32] Statement, supra note 3, at 1.

The record-setting penalty in Google II clearly shows that the FTC takes seriously the commitments that it requires from companies that it has previously investigated. When an FTC consent decree requires a 20-year commitment to abide by certain practices, the FTC may, and indeed will, return and ensure that the obligations outlined in the consent decree are met.

Clarification of FTC’s Positions

The documents published as part of the notice of the Proposed Consent Order provide an excellent and useful description of the FTC’s analysis, and allow identification and understanding of the elements of the FTC’s analysis in Google II. The Google II Complaint turns on violations of a specific portion of the Google I Consent Order. Specifically Part I of the Google I Consent Order prohibited Google from “misrepresenting in any manner, expressly or by implication”:

  • A.  The extent to which respondent maintains and protects the privacy and confidentiality of any covered information, including, but not limited to, misrepresentations related to: (1) the purposes for which it collects and uses covered information, and (2) the extent to which consumers may exercise control over the collection, use, or disclosure of covered information.


  • B.  The extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other entity, including, but not limited to, the U.S.-EU Safe Harbor Framework. [33]

[33] Google I Consent Order, supra note 5, at 3.

The term “covered information” was defined broadly in the Google I Consent Order to include a variety of information, among which is “persistent identifier.” [34] In the Google II Complaint, the FTC clarifies that the term is intended to include “a persistent identifier contained in a tracking cookie, a user’s IP [internet protocol] address, a user’s account ID, a user’s interests or a user’s web-browsing activity.” [35]

[34] The Google I Consent Order defines “covered information” as: “information respondent collects from or about an individual, including, but not limited to, an individual’s: (a) first and last name; (b) home or other physical address, including street name and city or town; (c) email address or other online contact information, such as a user identifier or screen name; (d) persistent identifier, such as IP address; (e) telephone number, including home telephone number and mobile telephone number; (f) list of contacts; (g) physical location; or any other information from or about an individual consumer that is combined with (a) through (g) above.” Id.

[35] Google II Complaint, supra note 6, at 3.

Misrepresentation of User’s Ability to Control Collection or Use of Personal Data

In its analysis of the Safari cookie issue, the FTC focuses first on the fact that Google represented to Safari users that if they did not change the default settings of their Safari browser, Google would not place DoubleClick advertising cookies on a user’s browser, collect interest category information from or about the user, or serve targeted advertisements to the user. However, despite its representations to the Safari users, Google overrode the Safari default browser settings, and placed the DoubleClick advertising cookie on Safari browsers. [36] Further, the Google II Complaint also charges that Google represented to Safari users, directly or by implication, that it would not serve targeted advertisements based on information collected through the DoubleClick advertising cookie to Safari users who had not changed their default browser setting. This too, according to the Google II Complaint, was false. [37]

[36] Id. at 9.

[37] Id. at 10.

The FTC argued that both these actions misrepresented the extent to which users may exercise control over the collection or use of covered information, thereby violating Part I(A) of the Google I Consent Order. [38]

[38] Id. at 11.

This argument is important because it shows how the FTC intends to address the misuse of cookie information, and to protect consumers from aggressive use of cookie information for tracking purposes. The mandate is clear: representations with respect to a company’s data handling practices encompass the representation made about the use of cookies. If a company describes inaccurately its practices with respect to first- or third-party cookies, it may be exposed to retaliation by the FTC. However, it is important to note that the argument is not that cookies or cookie information may not be used. It only states that information about the use of cookies must be accurate. [39]

[39] This position is significantly different from that which is currently found in the new “Cookie Laws” that have been adopted throughout the European Union in application of the EU’s 2009 amendments to the e-Privacy Directive (2009/136/EC), which mandated that EU member state laws require that users of websites be fully informed of the existence of cookies, and that, with some minor exceptions, these users affirmatively consent to the setting of cookies on their devices.

The second lesson from this aspect of the Google case stems from the provision of the definition of “persistent identifier.” This clarification of the term “covered information” as used in the Google I Complaint may be useful for businesses other than Google which try to understand the FTC’s vision as stated in the FTC orders and complaints, and extrapolate these documents into their own practices. These businesses may wish to evaluate how the definition of “covered information” in the Google cases would translate into their own company privacy statement. They may wish to look into the scope of their company’s privacy statement and how it may extend not only to name, address, purchases, and similar data, but also data that are in the form of a code or a number, that become attached to a specific user, such as a code that indicates a user’s interest, or a code that indicates a user’s browsing activity. [40] This information is also very useful.

[40] Google II Complaint, supra note 6, at 3.

Misrepresentation of Compliance With NAI Code

The third prong in the Google II Complaint centers on Google’s representation that it adheres to, or complies with, the Self-Regulatory Code of Conduct of the NAI (NAI Code). In the Google II Complaint, the FTC argues that Google misrepresented, directly or by implication, that it adheres to, or complies with, the NAI Code, a privacy, security, and compliance program that requires its members, including Google, to disclose their data collection and use practices. In view of the evidence of Google’s misrepresentation to Apple Safari users, the FTC finds these representations of compliance with the NAI Code to be untrue.

This alleged violation allows the FTC to claim that Google violated its obligation under Part I(B) of the Google I Consent Order, which required that Google not “misrepresent the extent to which it complies with, or participates in, a privacy, security, or other compliance program sponsored by the government or any other entity.”

This interpretation of Part I(B) of the Google I Consent Order is very important because it clarifies what the FTC intends by “compliance program sponsored by the government or any other entity.” This sentence is found in the Google I Consent Order. [41] In the complaint in Google I, the FTC claimed that Google had failed to adhere to the U.S. Safe Harbor Privacy Principles of Notice and Choice, such as by failing to inform customers before using the information collected from them for a purpose different than that for which it was originally collected.

[41] It is also found in the Facebook consent order. Decision and Order, In re Facebook, Inc., No. C-4365 (FTC July 27, 2012), available at http://www.ftc.gov/os/caselist/0923184/120810facebookdo.pdf [hereinafter Facebook Order] (see related report in this issue).

As a result, the Google I Consent Order addressed the failure to comply with the Safe Harbor Principles by requiring that Google cease misrepresenting that it complied with a “program sponsored by the government or other entity.” With the proposed Google II Consent Order, we learn that not only does the Safe Harbor program fit within this definition, but so does the NAI Code. It should be expected that other references to other programs might follow, such as compliance with the COPPA safe harbor program, or rules and guidelines of other similar organizations.

FTC Common Law of Privacy—2012 Edition

Google II shows an evolution or a refinement of the FTC “Common Law,” such as in the expansion or clarification of the notion of where privacy promises are deemed to be made. In its early cases addressing consumer privacy and the protection of personal information, the FTC first focused on violations of companies’ privacy promises made in their public website privacy statements.

Then, in several consent orders issued in 2011, including Google I and Facebook, [42] the FTC expanded the scope of its enforcement and investigations to violations of the Safe Harbor Principles that were outlined in a 2001 agreement between the U.S. Department of Commerce and the European Commission. These orders showed that the FTC would look into promises or statements made about a company’s alleged compliance with a government-sponsored program—the Safe Harbor Principles—when assessing whether a company has misrepresented its privacy practices.

[42] The proposed consent decree with Facebook was first released Nov. 29, 2011 (10 PVLR 1759, 12/5/11), and the final version Aug. 10, 2012.

Now, with Google II, the FTC expands again the scope of its enforcement actions to include a violation of the NAI Code. In future cases, it is likely that we may see similar interest into compliance with other industry standards.

An extrapolation from this case, and the trends of these past few years, also leads to the conclusion or prediction that the FTC—and, likely, state regulators, as well—will expand the scope of its investigation into other disclosures describing companies’ practices. Will the next investigation inquire into compliance with other safe harbor programs such as the programs under COPPA? How about investigations into cookie disclosures that many companies are beginning to post on their websites? Or opt-out pages allowing individuals to opt out of a company’s use of behavioral tracking technologies and third-party cookies?

As the FTC and state regulators refine and expand the way in which they conduct their investigations and enforcement actions, companies also must evolve and refine and expand the way they ensure that they comply with U.S. privacy laws, and make good on their promises to operate in accordance with these laws and the promises that they make under these laws. In practice, this means that businesses must ensure that all of the representations that they make about their privacy compliance or privacy commitments are true and accurately and correctly reflect all their practices.

Businesses Must Look Beyond Their Website Privacy Statement

The proposed Google II Consent Order and related Google II Complaint send a very strong message. This message is that companies have to pay attention to ALL privacy promises that they may make in numerous places other than in a company’s online privacy statement. These promises are found, for example, in other representations made by the company, such as through its regulatory filings, or in its marketing or promotional documents.

In the Google I enforcement action, the FTC looked at the promises and representations made with respect to Google’s compliance with the Safe Harbor Principles issued by agreement between the Department of Commerce and the European Commission. In the Google II enforcement action, the FTC looked at the promises and representations that resulted from Google’s statements in its marketing materials that it complied with the Self-Regulatory Code of Conduct of the NAI and was a member of the NAI.

Companies often use their memberships in industry groups or privacy programs as a way to show their values, and to express their commitment to certain standards of practice. This was the case for Google with the Safe Harbor Principles of the Department of Commerce and the European Commission (Google I), and with the NAI Code of Conduct (Google II).

These statements about compliance with programs or adherence to values or principles are not intended to be used just for marketing purposes or to make customers feel good. These statements are promises or commitments. They must be accurate, and they will be taken seriously; and indeed, the FTC and other regulators will take these promises into account. As shown in the Google II cases, failure to comply with the rules, principles and codes of conduct associated with membership in these programs could be fatal. Such a failure would expose the company to claims of unfair and deceptive practices; or in the case of Google, to substantial fines for failure to comply with a consent decree barring misrepresentation if the deficiency happens to also violate a pre-existing consent decree.

If your company makes promises or statements about its privacy practices:

  • Look for and monitor all representations made by, or on behalf of, your company about its privacy and security program; look everywhere, and not just in the official company privacy statement.


  • Educate your information technology, information security, marketing, sales, legal, and other staff on the need for proper communications and concerted action so that those who write or develop the company’s disclosures and statements can make clear, complete and accurate descriptions about data collection, data processing and data governance. These representations may have significant consequences, and may create a minefield if not created properly.


  • If your company claims that it is a member of a self-regulatory or government program, make sure that it has complied with all applicable rules, codes of conduct, or principles of that self-regulatory or government program.


  • Periodically compare ALL promises that your business makes, in its privacy statement, in its filings and self-certifications, in its cookie disclosures, in its marketing documents, and the like, with what each of your products, services, applications, technologies, devices, cookies, tags, etc. actually does.


  • Ensure that the company abides by ALL of its promises in ALL of its products and services, and at ALL times.

A U.S. Message to the World

The FTC action against the world’s most popular search engine provides the U.S. government with an opportunity to show the rest of the world, and especially the European Union and the Asia-Pacific Economic Cooperation member economies, 43See, e.g., the recent approval of the United States in the Asia-Pacific Economic Cooperation Cross Border Privacy Rules (CBPR) System, and the appointment of the FTC as the system’s first privacy enforcement authority. United States, FTC Approved to Participate in APEC Cross-Border Privacy Rules System, 11 Privacy & Sec. Law Rep. (Bloomberg BNA) 1191 (July 30, 2012) (11 PVLR 1191, 7/30/12). that it cares about privacy and is serious about enforcement. In its press release, the FTC announced that this settlement was “part of the FTC’s ongoing efforts to ensure that companies live up to the privacy promises that they make to consumers.” 44Google II Press Release, supra note 8.

While Google has already been the subject of an FTC enforcement action that was concluded in 2011 (Google I) 45Federal Trade Commission, List of FTC Documents Relating to In re Google Inc. (FTC File No. 102 3136), http://ftc.gov/os/caselist/1023136/index.shtm (last visited Aug. 16, 2012). and that applies to the entire Google operation, the company has continued to attract the attention of regulators throughout the world. Google’s activities, faux pas or inadvertent errors, have been the focus of numerous investigations abroad, some of which are still ongoing, 46See, e.g., current or recent investigation by CNIL (French data protection authority) (11 PVLR 1243, 8/6/12); Information Commissioner’s Office (U.K. data protection authority) (11 PVLR 1212, 7/30/12); AEPD (Spanish data protection authority) (11 PVLR 773, 5/7/12); Canada’s federal Privacy Commissioner (11 PVLR 526, 3/19/12); or KCC (Korea Communications Commission) (11 PVLR 426, 3/5/12). and others have resulted in fines. 47See, e.g., €100,000 fine against Google assessed by France’s data protection authority (CNIL) in March 2011, as a result of Google’s nonconsensual collection of Wi-Fi data through its Latitude geolocation identification service (10 PVLR 479, 3/28/11). At a time when most of the rest of the world thinks that there is no adequate privacy protection in the United States, it is important for the U.S. government to show that it does monitor the activities of U.S. companies—especially the most popular ones, such as Google or Facebook 48See Facebook Order, supra note 41.—to explain and demonstrate that its values with respect to the protection of personal information and the intensity of its enforcement efforts are consistent with, if not stronger than, those of the other world leaders.
