Charge Internet Giant Violated “Buzz Consent Agreement” and FTC Act

SANTA MONICA, CA – Consumer Watchdog and Privacy Rights Clearinghouse have filed a complaint with the Federal Trade Commission charging that Google violated the law and an earlier consent agreement when it forced a change in its privacy policy on users in a highly deceptive manner, without meaningful notice and consent.

The Internet giant’s action, taken on June 28, is an unfair and deceptive practice, violating Section 5 of the Federal Trade Commission Act and also violates the terms of the “Buzz Consent Agreement” Google signed with the agency, the two California-based consumer advocacy organizations’ formal complaint said.

The so-called “Buzz Consent Agreement” was reached after Google released users’ personal information in violation of its own privacy policy when launching its ill-fated social network, Buzz, to compete with Facebook. Under the 2011 agreement Google said it would not misrepresent the privacy or confidentiality of individuals’ information. The Buzz Agreement also requires Google to get informed consent before sharing users’ information with third parties if Google changes the way data is shared contrary to the privacy promises made when the data was first collected. Google violated both obligations with its action in June, the complaint said.

Consumer Watchdog and Privacy Rights Clearing House asked the FTC to claw back all advertising revenue earned by Google since the date of the change, citing past privacy violations by the internet giant as evidence that lesser penalties would not be enough to make the company respect consumers’ privacy rights. For example, the FTC issued the largest fine in its history, $22.5 million, when Google intentionally hacked Apple’s privacy protections, however that fine clearly failed to deter the company’s latest privacy violation.

“Fines Google has faced so far are but pocket change for Google. The company’s executives consider it merely the cost of doing business as they willfully violate our privacy,” said John M. Simpson, Consumer Watchdog’s Privacy Project Director. “The FTC must take meaningful action to stop this serial abuser and force it to give up its ill-gotten gains.”

Read the Consumer Watchdog and Privacy Rights Clearinghouse complaint here: http://www.consumerwatchdog.org/resources/ftc_google_complaint_12-5-2016docx.pdf

“The change marked the culmination of a nearly decade-long deception that Google has perpetrated against its users, the FTC, and the public at large,” according to the complaint.

“This announcement intentionally misled users, who had no way to discern from the wording that Google was breaking from a nearly decade-old practice and asking them if it could link their personal information to data reflecting their behavior on as many as 80% of the Internet’s leading websites,” the complaint said. “A reasonable user would have been left with precisely the impression Google was seeking to leave: that the 2016 change was to their benefit and posed no risk to their privacy. In reality, the policy change marked the consummation of a deceptive path that Google had methodically charted since it first sought to acquire DoubleClick in 2007.”

“Google is a serial privacy violator,” said Simpson. “For the last decade they pretended to care about your privacy, but amassed ever growing amounts of data about you. Remember, you’re not their customer. You are Google’s product.”

For more than a decade Google has kept information gathered through “tracking cookies” separate from information gleaned from users’ accounts. Privacy advocates warned of the danger of combining the data gathered by DoubleClick, which tracked consumers as they surfed the web, with data gathered from Google’s accounts before Google bought DoubleClick. The Internet giant said it would keep the information separate and the deal went through.

That changed last June with the new privacy policy, but rather than being candid about what it was doing, the company mislead its users, Consumer Watchdog and Privacy Rights Clearinghouse said.

“Google took affirmative steps to conceal and downplay the significance of this transformational change that eliminated the barrier between the data that Google gathers from cookies that track users’ behavior and the personal information that Google holds from its users’ accounts,” the complaint charged. “Google induced users to accept the change to its privacy policy by cloaking it in an offer to enable ‘new features’ that purport to provide ‘more control’ over users’ personal information. Unsuspecting users accepted Google’s offer in droves.”

The complaint spells out Google’s deceptive action:

This change was reflected in a parallel amendment to Google’s Privacy Policy. Google struck out the language in the policy stating that it would “not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent.” Now, Google told its users that it “may combine information from one service with information, including personal information, from other Google services,” and that users’ “activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google.”

Users were not clearly informed of the significance of the changes—or “features” as Google would have it—nor were they clearly and unambiguously given a chance to reject them. Existing users who did not wish to accept the changes could not decline immediately, but instead were given the option to click “more options,” leading to a second notification. There, users could select “no changes,” which presumably meant that their personal data would not be combined with tracking data from third party sites and apps.

For new users, the combination of personal and browsing data was done by default. New users are notified that Google processes data from sources like Google Maps and from “apps or sites that use Google services like ads, Analytics, and the YouTube video player.” The notification later notes: “[w]e also combine data among our services and across your devices. . .

The organizations’ complaint warned that failure to act against Google would hurt consumers and could lead other companies to engage in wrongdoing. The complaint said:

“Google is a serial re-offender. It has repeatedly violated consumers’ privacy and, when sanctioned, ignored its commitments to the FTC. Failing to take action now would send the message that as far as Google’s encroachments are concerned, consumers are on their own. Indeed, if the FTC fails to take action against the largest and most significant misappropriation of personal information—which is personal property—in the Internet era, other companies will be left to conclude that they too can avoid accountability. The public, for its part, would be left to question the value of the FTC and the ability of the Commission to protect consumers. “

The complaint said Google’s action both violated Section 5 of the Federal Trade Commission Act and the so-called “Buzz Consent Agreement.” The complaint said Google engaged in a string of deceptive acts by:

• representing that it would not combine its users’ personally-identifiable information with DoubleClick’s browsing data.

• repeatedly assuring its users that it would be transparent in how it handled their data.

• acquiring massive troves of its users’ data under false pretenses.

• concealing the nature and extent of the change to its policies in order to obtain user consent.

Google violated the Buzz Consent Order by misrepresenting

• the extent to which it protects its users’ privacy and confidentiality.

• adheres to the U.S.-EU Safe Harbor Framework.

Google was found to be hacking around privacy settings on Apple’s Safari browser and setting tracking cookies in violation of the consent decree and was fined $22.5 million in 2012. In 2010 Google was caught using its Street View cars to suck up private data including emails, passwords and financial information, from private Wi-Fi networks. The FCC fined Google $25,000 for obstructing its investigation into the Wi-Spy scandal and the Internet giant paid $7 million to settle a complaint brought by 38 state attorneys general.

– 30 –

Visit Consumer Watchdog’s website at www.conumerwatchdog.org

Visit Privacy Rights Clearinghouse site at: www.privacyrights.org