by Megha Rajagopalan, ProPublica
It’s the largest civil penalty the Federal Trade Commission has ever imposed for violating one of its orders.
But after the agency announced that Google will pay $22.5 million for overriding privacy settings in Apple’s Safari browser, skeptics quickly criticized the penalty as little more than symbolic for a company that had $2.8 billion in earnings last quarter.
The Los Angeles Times called the settlement “a drop in the bucket.” CNN said it amounted to “financial wrist-slap.” Advocacy group Consumer Watchdog called it “woefully insufficient,” and in a statement of dissent, the FTC’s Commissioner J. Thomas Rosch said it is “a de minimis amount of Google’s profit or revenues.”
David Vladeck, who leads the agency’s consumer protection bureau, defended the penalty. “$22.5 million may not seem like a lot of money to Google,” he said in a conference call with reporters last week. “But we think it’s quite a substantial civil penalty … We hope this sends a clear message.”
We dug up some numbers for comparison to the Google penalty:
- It’s 0.1 percent of Google CEO Larry Page’s net worth, according to Forbes.
- It would take about five hours for the company to bring in that amount, based on sales from the most recent quarter.
- It’s less than the gain Google’s stock saw Thursday, the day the FTC announced the settlement. Google added $39.2 million to its market capitalization that day.
The penalty is large by FTC standards, but other regulatory bodies recently have imposed much larger consumer protection fines:
- Capital One Financial Corp. must refund $150 million to consumers and pay a $60 million penalty to the Consumer Financial Protection Bureau after allegations of deceptive ad practices, the regulator said July 18.
- Wells Fargo Bank must pay $175 million because its independent brokers discriminated against black and Hispanic borrowers, a Justice Department probe found July 12.
- GlaxoSmithKline, the pharmaceutical company, must pay $3 billion to resolve fraud allegations over its promotion of drugs and failure to report safety data. That July 2 settlement is one of several between drug companies and the Justice Department over improper marketing.
But could the FTC have imposed a higher penalty?
Google promised the FTC last year it would not mislead customers about its privacy practices. That pledge came in a settlement over Google Buzz, a short-lived social network that publicized users’ data without their permission. The FTC could have penalized Google $16,000 per day for violating that agreement, and more if they counted each affected Safari user a violation.
It’s unclear how many Safari users Google affected. Asked that question in a Twitter chat Thursday, the FTC responded, “Hard to know exactly. Est 190M Safari users worldwide but not all saw Google’s missteps.”
James Kohm, the FTC’s associate director for enforcement, said the FTC’s goal was not to “cripple” Google or put it at a competitive disadvantage, but to send it and other privacy violators a warning that they would be under close scrutiny.
Vladeck said the penalty is based on “some multiple of sort of the company’s ill-gotten gains” as well as other factors. He said the goal was to punish Google for misrepresenting what it did with user data. Pamela Jones Harbour, a former FTC commissioner, said when negotiating a settlement, the agency typically considers factors that include “the nature of the violation, the amount of revenue received by the defendant(s), the length of time the violation continued, the financial resources of the defendant, the impact to consumers, the potential deterrent effect, and the potential impact on the marketplace.”
It’s worth noting that the FTC did not force Google to admit to any privacy violation, a fact that Rosch also criticized in his dissent of the penalty. “There is nothing to prevent future respondents with fewer resources than Google and with lower profiles than Google … from denying liability in the future too,” Rosch wrote.
In a statement responding to Rosch, the other four commissioners responded: “With a company of Google’s size, almost any penalty can be dismissed as insufficient. But it is hardly inconsequential to impose a $22.5 million civil penalty when the accompanying complaint does not allege that the conduct at issue yielded significant revenue or endured for a significant period of time.”
In February, The Wall Street Journal and a researcher at Stanford University showed that Google was circumventing privacy controls in the Safari browser to place tiny bits of data known as cookies onto users’ devices. Cookies are commonly used to track users’ online habits. In response to the revelations, the search giant began removing the cookies the same month.
But others said the even though the fine seemed low, cracking down on Google was still an important step for the FTC.
“I think it’s less about the amount of the fine, which is extraordinarily small,” said Dan Auerbach, a technologist at the Electronic Frontier Foundation, which advocates for greater privacy. “This is more a message that the FTC is sending — we take this stuff seriously and you better do that, too.”