Those who favor expanding the FTC’s role with respect to privacy should take a close look at what the agency does with the authority it already has. The most recent exhibit is the FTC’s imposition of a $22.5 million penalty on Google for bypassing the privacy settings on Apple’s Safari browser and thereby violating the terms of Google’s 2011 consent decree with the FTC. Since this is the largest fine the FTC has ever imposed, one would think Google must have committed a pretty serious violation that resulted in substantial harm to consumers. But there is no evidence that consumers have been harmed at all. (Dan Castro has written a nice blog post on this.) Instead, the FTC has uncovered just enough of a technical violation to be able to say to Google “gotcha again.”
The issue is difficult to explain briefly, but essentially what happened is this: Google’s social network, Google+, has a “+1” button that, like Facebook’s “Like” button, gives users a way to indicate content they like. This feature doesn’t work with Apple’s Safari browser, which has a do-not-track feature that is turned on by default, so Google developed a tool that made the Safari browser work like other browsers.
Whether or not Google technically violated its consent decree, it is difficult to see how the Commission’s action will benefit consumers. Paradoxically, the action is likely to undermine one of the Commission’s principal recommendations: “greater transparency” concerning information collection and use practices. The $22 million fine sends exactly the opposite message to Google as well as other firms subject to FTC jurisdiction. The more transparent a company is about how it collects and uses data, the greater the risk of making a mistake and getting in trouble with the FTC. So, companies will find it in their interest to give users less information about web site privacy practices.
In addition, there is a cost to the +1 users the FTC is supposedly protecting. Now that Google has “corrected” the problem, Safari users who want to use +1 need to manually log in to their Google account, which equates to submitting a form, which then allows additional Google cookies to be installed anyway. This is quite a cumbersome process. Moreover, the pre-correction Google workaround meant that only additional cookies from Google’s DoubleClick network could be installed, while blocking cookies from any other third party. The current fix forces users who want to use the +1 function to change the cookie settings for the entire browser, opening their phones to cookies from any website, unless they take the trouble to switch settings back to ‘never accept’ cookies after they have successfully ‘+1’d the content they set out to share.
That FTC privacy-related enforcement is not based on demonstrable consumer benefits should not come as a surprise to those who have been following the agency’s work in this area. In the past two years, the Commission has released two privacy reports (here and here) that contain no evidence of consumer harm from current privacy practices. In fact, the Commission explicitly rejects the harm-based approach to privacy. This, of course, makes analysis of the benefits of proposed measures difficult, since if there are benefits they will consist of reduced harms.
So, what are the broader lessons from this episode? First, we should be wary of privacy legislation that gives the FTC additional authority to write new rules and enforce them (which virtually all privacy legislative proposals would do). If new legislation is enacted, it should only be with a strict mandate that any new regulations address significant harms and pass a cost-benefit test.
Another lesson may be for companies like Google, who understandably are anxious to avoid protracted litigation and get on with their businesses. These companies probably need to reassess the cost-benefit calculation that induced them to settle in the first place.