On Monday, Google agreed to pay 37 states to settle charges that in 2011 and 2012 it had ignored a key privacy feature embedded in Apple's Safari browser. As part of the deal, Google — while not admitting fault — has also vowed to stop using the code that lets it circumvent the controls. It's a significant victory for consumers, but it's an even bigger deal for the states — some of which have already taken the lead on privacy legislation and, if this case is any indication, may become even more active in privacy litigation.
To understand why that's significant, let's look at how Google settled those same allegations at the federal level. While the outcome was the same, the government's methods were different.
The Federal Trade Commission won a $22.5 million settlement from Google last year. At issue was Safari's use of the third-party cookie blocker, a feature that prevents marketers from tracking your online activity. Unlike other browsers, Safari had enabled the blocker by default, making it much harder for advertisers to track Safari users generally. Google allegedly used a bit of code to override the feature on purpose, despite operating a separate Web page that told Safari users they could trust the privacy feature to work.
That violated a previous legal agreement between Google and the FTC barring Google from making "misrepresentations" about privacy, the government argued.
"The FTC concluded that they didn't go into whether Google broke the law, because they got them on breaking the consent agreement that was in place from the Buzz debacle," says John Simpson, the privacy project director for Consumer Watchdog.
Had it sued Google for deceptive business practices and won, the FTC would have sent a strong signal that professing to protect users' privacy on the one hand while ignoring technical anti-tracking solutions on the other might invite federal scrutiny. As it happened, the FTC won a relatively narrow victory that depended on Google's unique history with the agency.
But while the FTC seemed more cautious about the alleged Safari violation, states have shown no such restraint.
"If you're actively hacking around the privacy settings," said Simpson, "there still is a good likelihood there's a state law being violated."
The states involved in Monday's settlement broadly alleged that Google had indeed broken state consumer protection and computer privacy laws in addition to the consent agreement arguments put forth by the FTC. Washington state specifically claimed that Google had violated the Washington State Consumer Protection Act.
According to Jonathan Mayer, the privacy researcher at Stanford who first reported Google's alleged circumvention methods, states enjoy wider freedom than the federal government to bring a consumer protection case, to compel discovery and to impose monetary fines. Given a demonstrated willingness to accuse Google of breaking the law, it's reasonable to think that states might apply the same logic to other companies, too.
"The state attorneys general have both the inclination and the legal latitude … to be vigorous enforcers on consumer privacy," said Mayer. "Where the FTC can't act, we now have evidence that the state AGs might."