Google agrees another settlement in US over Safari cookie tracking claims

Out-Law News | 19 Nov 2013 | 2:40 pm | 3 min. read

UPDATED:  Google has made payments totalling $17 million to a number of US states to settle claims that it infringed state laws when it bypassed internet users' browser settings to place cookies in their browsers.

It is the second time that Google has agreed a settlement with regulators in the US over action it took to serve third party tracking cookies to users of Apple's Safari browsers despite users setting the browser up to block that from happening. Last year it agreed to pay $22.5m as part of a settlement agreement with the Federal Trade Commission.

The company has now agreed to pay a further $17m spread between 37 states and the District of Columbia as part of its latest deal to settle claims that it breached consumer protection and computer privacy laws.

Google has also, generally, committed not to use code that allows it to override browser settings blocking cookies in future without first obtaining consent from internet users. The company can, though, deploy such code "for the purpose of detecting, preventing or otherwise addressing fraud, security or technical issues, or protecting against harm to the rights, property or safety of Google, its users or the public as required or permitted by law", according to the settlement agreement (22-page / 1.99MB PDF).

Other commitments Google has made under the deal include agreeing not to misrepresent or omit material details about settings it uses to allow individuals to manage how adverts are served, as well as agreeing to display information about cookies, the purposes for which they are used and how users can manage them.

"Consumers should be able to know whether there are other eyes surfing the web with them," New York Attorney General Eric Schneiderman said in a statement. "By tracking millions of people without their knowledge, Google violated not only their privacy, but also their trust. We must give consumers the reassurance that they can browse the Internet safely and securely."

Technology law specialist Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com said that "the settlement is a good example of regulatory action focused on consumer interests rather than technology itself".

"As we all know, the EU approach to cookies has been to impose blanket rules which largely seek to prohibit the use of certain technologies on the assumption that they are always damaging to privacy rights, subject to explicit exceptions. But the approach taken here seems to be looking at the damage that browser-related technologies can cause, namely, advantages gained through deceptive trade practices", he said.

"This is a better approach than simply focussing on whether or not certain technologies are used and attaching liability on that basis. It moves the discussion away from data protection specific questions – are privacy rights being infringed, to a more important discussion of, are technology companies causing detriment to consumers in the broader sense", he added.

The FTC said in August last year that Google placed a certain advertising tracking cookie on the devices of Safari users who visited sites within its 'DoubleClick' advertising network over the course of several months between 2011 and 2012. It did so despite having previously told these users that they would not have to take action to block these cookies as Safari's default privacy settings "effectively accomplished the same thing" as opting out, the FTC said.

Google reached a separate settlement with the FTC in October 2011 which, among other things, prevented it from "misrepresenting the extent to which consumers can exercise control over the collection of their information", the FTC said. That deal related to Google's now defunct social networking service Google Buzz.

Google claimed that its actions were unintentional, resulting from a change to the browser of which it had been unaware. It claimed that it stopped tracking Safari users and showing them personalised advertising once the issue was brought to its attention, according to the settlement, under the terms of which it did not have to accept responsibility for the breach.

The Information Commissioner's Office (ICO) in the UK told Out-Law.com in February 2012 that it was "making enquiries with Google" to establish whether the way in which it serves cookies complied with the Privacy and Electronic Communications Regulations (PECR) after complaints from a rival technology company.

Microsoft claimed that Google had been serving third-party cookies capable of tracking users' online behaviour even when those users had adjusted settings in the Internet Explorer browser to prevent it happening.

The ICO told Out-Law.com that it decided against taking enforcement action against Google after conducting its probe into the case.

 "After making enquiries and assessing the facts relating to this issue the ICO decided that no further action was required,” a spokesperson for the watchdog said in a statement. “This decision was reached after it became clear that the breach would not fulfil the criteria required for our office to take formal enforcement action - as explained in our regulatory action policy. This includes the ability to demonstrate that the incident caused, or had the potential to cause, significant detriment to the individuals affected."

Google's privacy policy is currently separately under scrutiny from the ICO, as well as number of other watchdogs across the EU, amidst concern that it is non-compliant with data protection laws.

Editor's note 20/11/13: a comment from the ICO was added to the story.