
Google pays BIG to state Attorneys General for Improper Consumer Tracking

Written by Julia Siripurapu

Earlier this month, Google, Inc. (“Google” or “Company”) entered into an agreement with the Attorneys General of 37 states and the District of Columbia, settling allegations that it violated the participating states’ consumer protection or applicable computer abuse statutes (the “Settlement Agreement”).

Here’s what got the tech giant in trouble: in a notice posted on its web page describing the DoubleClick opt-out plugin, Google informed users of Apple Inc.’s Safari web browser (“Safari Browser”) that the Safari Browser is set by default to block all third-party cookies and that a user who does not change those default settings will accomplish the same thing as setting the opt-out cookie. After making this statement, from June 1, 2011 through February 15, 2012, Google intentionally altered its DoubleClick advertising platform coding to circumvent the default Safari Browser cookie-blocking settings, enabling the placement of DoubleClick cookies on users’ Safari Browsers without the users’ knowledge or consent. The browsing history collected from the Safari Browser users was then sent to advertisers.

In addition to agreeing to pay a hefty civil penalty of $17,000,000.00 (“Penalty”) to settle the allegations, as part of the settlement, Google has also agreed to modify its privacy practices as follows:

1. Not employ HTTP Form POST functionality that uses JavaScript to submit a form without affirmative user action for the purpose of overriding a browser cookie-blocking setting so that it may place an HTTP Cookie on such browser, without that user’s prior consent, except “to detect, prevent, or otherwise address fraud, security or technical issues, or to protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law.”

2. Not “misrepresent a material fact nor omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which they are made, not misleading,” regarding the use of Google’s Ads Setting tool or any other Google product, service or tool to directly manage how Google serves ads to their browsers.

3. Within ninety (90) days from the Settlement Agreement effective date of November 8, 2013 (“Effective Date”) and for a period of five (5) years from the Effective Date, “provide a separate stand-alone page or pages on the domain designed to give information to users about Cookies (the ‘Cookie Page’),” their use by the Company, and how they can be managed. Google must post and maintain a hyperlink to the Cookie Page of a “type, size, and location, and contrast highly with the background on which it appears, so that it will be sufficiently noticeable for an ordinary consumer” on the web page where Google posts its privacy policy as well as on any other reasonably related pages within Google’s Help Center identified by Google.

4. Maintain until February 15, 2014 (when DoubleClick cookies expire by design) systems configured to instruct Safari Browsers to “expire any Cookie placed from the domain by Google through February 15, 2012 if those systems encounter such a Cookie, with the exception of the DoubleClick opt-out Cookie.”

The Penalty amount, due within thirty (30) days from the Effective Date, will be divided and paid directly to each of the Attorneys General in the amount designated by the Executive Committee of the Multistate, a committee of all the states involved, led by Maryland. The Maryland Attorney General announced this week (press release) that Maryland will receive over $1,000,000 and the Boston Herald reported that Massachusetts will receive $357,000 as part of the settlement. Last year, Google settled similar claims with the Federal Trade Commission for $22.5 million (see our blog post here).

But Google may not be done with this issue just yet. At the end of October, a group of U.S. consumers filed a notice with the 3rd Circuit of their intent to appeal U.S. District Court Judge Sue Robinson's dismissal of the class-action lawsuit brought against Google, Vibrant Media Inc., Media Innovation Group, LLC (a unit of U.K.-based WPP PLC), and PointRoll, Inc., alleging that the four companies circumvented the Safari Browser’s default privacy settings. A lawsuit on the same claims was also brought against Google earlier this year in the U.K.




Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.