Google is paying a $17 million settlement to 37 U.S. states to resolve allegations that the company violated consumer privacy by using tracking cookies to capture the searching habits of Apple Safari Web browser users from 2011 to 2012.
The settlement, which also includes an agreement with Washington, D.C., was announced by New York Attorney General Eric T. Schneiderman on Nov. 18.
“Consumers should be able to know whether there are other eyes surfing the Web with them,” Schneiderman said in a statement. “By tracking millions of people without their knowledge, Google violated not only their privacy, but also their trust.”
The case emerged when reports began sprouting in 2012 that Google had altered its Google DoubleClick advertising platform to circumvent default privacy settlings in Safari. Those default Safari privacy settings would have prevented cookies from collecting information on the searching habits of Safari users. By quietly changing those settings, Google was able to capture information about Safari users and their searches, which collected the ire of many users and attorneys general in many states across the nation.
“Google disabled this coding method in February 2012 after the practice was widely reported on the Internet and in the media,” according to the statement.
In their case against Google, the attorneys general alleged that “Google’s circumvention of Safari’s default privacy settings for blocking third-party cookies violates state consumer protection and related computer privacy laws,” which allowed the states to band together and seek changes from Google. The states alleged that “Google failed to inform Safari users that it was circumventing their privacy settings and that Google’s earlier representation that third-party cookies were blocked for Safari users was misleading,” according to the statement.
A Google spokesperson told eWEEK: “We work hard to get privacy right at Google and have taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers. We’re pleased to have worked with the state attorneys general to reach this agreement.”
In July 2012, Google reached a record $22.5 million settlement with the FTC to resolve federal charges related to the same issue, that Google bypassed Apple Safari browser privacy settings that blocked cookies for their users. The settlement was criticized by the Competitive Enterprise Institute, an industry group, as “a dangerously overbroad precedent that will chill Internet innovation and hurt online startups,” the Institute said in a statement at that time.
The FTC charged that for several months in 2011 and 2012, Google placed a certain advertising tracking cookie on the computers of Safari users who visited sites within Google’s DoubleClick advertising network. It charged that Google placed the cookies on consumers’ computers in many cases by circumventing the Safari browser’s default cookie-blocking setting.
Placing the cookies on the computers of Safari browsers violated the terms of an October 2011 settlement between Google and the FTC over deceptive practices related to the launch of Google Buzz, the late unlamented original attempt by Google to compete with Facebook in the social media space. Google later abandoned Buzz and went to work on its successor, Google +, which launched in June 2011.
Google to Pay $17M to Settle Safari Browser Tracking Case
In addition to the $17 million settlement with the states, Google also agreed not to use similar code “to override a browser’s cookie-blocking settings without the consumer’s consent unless it is necessary to do so in order to detect, prevent or otherwise address fraud, security or technical issues,” according to the settlement. Google also agreed to “not misrepresent or omit material information to consumers about how they can use any particular Google product, service or tool to directly manage how Google serves advertisements to their browsers”
Google will also provide better information to consumers about tracking cookies and how they can be managed, as well as continue to “maintain systems designed to ensure the expiration of the third-party cookies set on Safari Web browsers while their default settings had been circumvented,” according to the statement.
In addition to New York and Washington, D.C., the other plaintiffs in the case were the states of Connecticut, Florida, Illinois, Ohio, Maryland, New Jersey, Texas, Vermont, Washington, Alabama, Arizona, Arkansas, California, District of Columbia, Indiana, Iowa, Kansas, Kentucky, Maine, Massachusetts, Michigan, Minnesota, Mississippi, Nebraska, Nevada, New Mexico, North Carolina, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Virginia and Wisconsin.
Another user privacy case is still pending against Google involving the then-undisclosed collection of unsecured wireless personal user data during Street View imaging projects around the nation. In September, Google lost its latest court appeal in the matter, which occurred when the company collected the WiFi data from unsuspecting citizens as its Street View vehicles drove around communities throughout the United States. Google attempted to get the case thrown out by saying the WiFi communications it had captured were not in violation of federal wiretapping laws, but the latest court again rejected that argument.
In a similar case in Europe in April 2013, Google was hit with an $189,167 fine in Germany for Street View data collection that occurred there without disclosure to affected residents as Street View vehicles combed German streets collecting information for its maps from 2007 to 2010.
The Street View program came under scrutiny both in the United States and in Europe after it was learned that Google was gathering the information street by street during those years. The company apparently collected unsecured WiFi data as the vehicles drove around cities and neighborhoods, including personal information such as passwords, emails, text messages, users’ Internet use histories and other information, which was retrievable from unsecured home and business networks. According to a 2012 report from the U.S. Federal Communications Commission, the Street View vehicles had collected more than 200GB of such payload data.
Google officials maintained that the data on the WiFi networks was being used to help Google create better location-based services, after initially denying that payload data had been collected. They later admitted that the Street View cars had collected such personal information and laid the blame at the feet of a rogue engineer who they said put that capability into the software on his own accord.
German officials were the first to uncover Google’s collection of such data from WiFi routers in Germany back in 2010. Soon after, Google said it had collected similar information through Street View in other nations around the world.