As previously reported in this blog , Google, Inc. agreed to pay $22.5 Million to settle Federal Trade Commission charges that it misrepresented its data collection practices to users of Apple, Inc.’s Safari Internet browser .  That settlement has now been approved by U.S. District Judge Susan Illston, following a challenge brought by Consumer Watchdog, an advocacy group.

The settlement arose from the alleged violation by Google of an October 2011 consent order issued by the FTC following the launch of Google’s “Buzz” social network.  That consent order prohibited Google from making future misrepresentations regarding, among other things, its collection and use of private information and its users’ control over that information.  The FTC claimed that Google violated that order by assuring users of the Safari browser that the default settings of that browser would block cookies, but then overriding that software to secretly collect cookies from Safari users.  The FTC announced the $22.5 Million settlement in August of this year.

Consumer Watchdog challenged the proposed settlement on the basis that the penalties imposed on Google were not stringent enough and permitted Google to deny that it had violated the consent order.  In addition, while the settlement imposes a timeline for the expiration of the cookies set up by Google, it does not require that Google expunge the secretly collected data which, Consumer Watchdog argued, “permits Google to continue to profit from its wrongdoing indefinitely.”   Consumer Watchdog also argued that the $22.5 Million amount, a record for an alleged violation of a consent order, was not a steep enough penalty.  Consumer Watchdog cited estimates of statutory penalties by third party analysts suggesting that a penalty between $3 and $8 Billion would be more appropriate.

Notwithstanding Consumer Watchdog’s arguments, Judge Illston order approving the proposed settlement characterized the deal as “procedurally and substantively fair, adequate, and reasonable.”  Regarding Google’s ability to continue using the secretly-collected information, Judge Illston referenced arguments by both Google and the FTC that that risk had been considered and dismissed because the information was of negligible value and was unlikely to be used.  Judge Illston also deferred to the FTC’s judgment that “the risk that a more stringent injunction would hamper Google’s ability to protect consumers from data security and malware vulnerabilities outweighed the benefits to the public.” Judge Illston was not persuaded that the $22.5 Million settlement amount was not sufficiently fair and reasonable, noting that the determination of civil penalties takes into account a number of factors, including the good or bad faith of the defendants, injury to the public, the defendants’ ability to pay, the desire to eliminate the benefits derived by the violations and the necessity of vindicating the authority of the FTC.  In this case, no allegations of large amounts of consumer loss or Google profit were made.  Therefore, Judge Illston agreed with the FTC that the $22.5 Million amount was sufficient.  Finally, Judge Illston rejected Consumer Watchdog’s argument that a fair and reasonable settlement would require Google to admit that it had violated the consent order.

Although Consumer Watchdog disagrees, the $22.5 Million settlement has been generally viewed as the FTC taking a hard-line stance on data privacy and security issues, and the FTC has characterized the settlement as being part of the FTC’s “ongoing effort to make sure companies live up to the privacy promises they make to consumers. ”

For businesses that collect and/or use personally identifiable information, the obvious take-away is that one’s policies must correctly and accurately define and describe the uses and maintenance of personal information.   It is important to note, however, that Google’s collection of information was, according to Google, not an intentional effort to override settings.  Rather, the cookies were placed to allow users to recommend products to members of their social network.

Ultimately, what the Google settlement demonstrates is the importance of making sure that those individuals responsible for developing a business’s technology closely review and provide feedback regarding policies and statements to customers regarding data protection.  Even unintentional misrepresentations about data collection can carry a hefty price tag.