The Federal Trade Commission ("FTC") recently
announced settlements of cases brought against Google and Facebook for alleged privacy
violations. The Google settlement drew headlines for being the
largest fine ever assessed for the violation of an FTC consent order
($22.5 million). But Commissioner J. Thomas Rosch's
dissents are perhaps more momentous, as they have prompted the FTC
to re-examine its practice of accepting settlements in which
companies deny wrongdoing.
The FTC's complaint against Google alleged that the
Internet services company circumvented the privacy controls in
Apple's Safari Internet browser. The FTC claimed that
despite telling Safari users that they did not need to change the
browser's default privacy settings, Google exploited an
exception in Safari's cookie-blocking software to allow
advertising tracking cookies. This, the FTC alleged, violated
a previous settlement agreement that prohibited Google from, among
other things, misrepresenting the degree of control a consumer has
over collection of her personal information. The earlier
settlement agreement resolved allegations brought in 2011 that
Google used deceptive practices and violated its public privacy
promises when it launched its social networking product, Google
Buzz (which we blogged about
here).
Senior FTC attorney Leslie Fair also blogged about the record-breaking Google
settlement, discussing some general practices to avoid FTC
scrutiny:
Companies should be aware of the cookies they use, as well as
when they make privacy promises outside of their privacy
policy. The Google complaint alleged Google made
misrepresentations on its Advertising Cookie Opt-Out Plug-In
page.
If a company joins a self-regulatory group, it needs to adhere
to the group's codes. The FTC accused Google of
misrepresenting its adherence to the Network Advertising
Initiative's Code.
Companies should be careful not to circumvent users'
preferences. Google was charged with using a cookie to work
around Safari's default cookie-blocking software.
Finally, companies should promote communication and cooperation
between IT personnel, marketing executives, and legal
advisors.
One day after the Google settlement, the FTC announced
settlement of a similar action against Facebook. The FTC alleged that the social networking company
violated its privacy policy by circumventing user
preferences. Facebook allegedly told users that their
information would be kept private despite allowing it to be shared
publicly in various ways. For example, the FTC charged Facebook
with allowing certain third-party applications to access user
profile information even when the user restricted access to
"Only Friends" or "Friends of
Friends". The FTC claimed this violated Section 5 of the
Federal Trade Commission Act, which makes unlawful "unfair or
deceptive acts or practices in or affecting commerce
...."
Facebook's settlement did not include a civil penalty, but
requires the company to, among other things, give consumers
"clear and prominent" notice and obtain express consent
before sharing personal information beyond user-controlled privacy
settings, to maintain a comprehensive privacy program, and to
obtain biennial privacy audits conducted by a neutral third
party.
In both settlements, Google and Facebook explicitly denied any
wrongdoing, which has been common practice in FTC
settlements. Yet it was each company's denial of
wrongdoing that spurred Commissioner Rosch's
dissents.
Commissioner Rosch argued that it makes little sense to assess a
record-setting penalty for conduct that the defendant
denies. The Commission initially responded that Google's denial of liability
has no bearing on the FTC's determination of good reason to
believe Google had violated the previous consent order. But in
his Facebook dissent, Commissioner Rosch added that
allowing companies to deny culpability while settling claims may
not serve the public interest, and the Commission agreed. "We share Commissioner
Rosch's desire to avoid any possible public misimpression that
the Commission obtains settlements when it lacks reason to believe
that the alleged conduct occurred. ... Going forward, express
denials will be strongly disfavored." In place of express
denials, Commissioner Rosch suggested using language akin to
"neither admits nor denies."
Over the next months, the FTC will be assessing whether to
change its Rules of Practice (which control the FTC's
procedures for conducting investigational, administrative, and
judicial proceedings) in light of the new disfavor over express
denials of wrongdoing. We will continue to monitor for any
further decisions.