Recently the Federal Trade Commission (FTC) reached a record $22.5 million settlement with Google for consumer privacy violations of an earlier order involving what is called “online behavioral advertising” (OBA). The Google case is a roadmap for avoiding a serious legal misstep: tracking consumer interests in violation of a company’s own policies and claims, which are commonly made and often overlooked. In the Google settlement, the FTC sent a loud and clear message that it will not tolerate a company making promises and claims in fine print to protect the privacy of consumers and then breaking those promises through the use of cookies and user tracking tools in day-to-day operations, long after the promises in fine print are forgotten. The terms of the Google settlement apply just to Google, but corporate executives can learn a lot from the Google case and other recent FTC actions that touch on user tracking. This article addresses the practical steps companies should take in view of the FTC action in the Google case.

Potential Impact On Your Company and Who Should be Accountable

In addition to your legal staff, your IT director and your chief marketing officer both need to be accountable for avoiding these serious legal missteps. Even if your company is not under a previous order with the FTC that would expose it to a multi-million dollar fine, being subject to a fine of one-tenth of $22.5 million could mean a $2.25 million fine, which could be more than a big headache for the executives and shareholders of a mid-sized or small company. Even the CEO, the COO, and the CFO should be aware of the potential for big liability from a mismatch between what obscure fine print presents as privacy policies and representations and what is actually done with cookies to expose consumer information and track consumer interests and behavior.

Overlooked Privacy Claims in the Google Case

Most companies have gotten the message that what they say in their privacy policies has to line up with their day-to-day operations. The problem is that many companies convey claims not just in a formal privacy policy in the fine print on the website, but also wherever the company describes choice mechanisms, opt-outs, and other ways consumers can customize their experience. The FTC’s complaint against Google highlights alleged misrepresentations on the company’s Advertising Cookie Opt-Out Plug-in page that were overlooked for compliance purposes. Cookies are small files with unique codes that are placed on a consumer’s computer when a website is opened and when the consumer makes choices on the website.

Google claimed in its fine print that, for users of the Safari browser, it would not place tracking cookies on the users’ computers or serve them targeted advertisements. The FTC charged, however, that Google placed tracking cookies on users’ computers, used the cookies to track users’ interests and the websites they visited, and served ads targeted to consumers’ interests. The FTC alleged that Google used codes to disguise its cookies to work around Safari’s opt-out default setting.

Overlooked Claims of Self-Regulatory Compliance

Many companies promote on their website their affiliation with self-regulatory programs. For example, to join the Network Advertising Initiative (NAI), a voluntary self-regulatory group for the online advertising industry, company members agree to disclose to users their data collection and use practices. Although Google touted its NAI membership on its website, the FTC says the company did not truthfully disclose what it was doing with Safari users’ data. Therefore, the FTC charged that Google misrepresented the extent to which it honored NAI’s Code. Membership in self-regulatory programs is voluntary, but once your company advertises its adherence to an industry code, your company must live up to its terms to avoid potential liability from an FTC action.

Key Points

  • The CEO and top executives of your company must frequently reiterate that they are committed to compliance with consumer privacy and advertising laws and that they will hold the IT director and Chief Marketing Officer accountable.
  • Your legal staff or outside counsel must frequently conduct live training of your IT staff and marketing staff on compliance with consumer privacy and advertising laws.
  • Your information technology staff needs to take the lead in compliance before your marketing managers and legal advisors get involved.
  • It helps for a company to adopt an internal consumer privacy policy that places primary responsibility on the IT Department and secondary responsibility on the marketing staff for compliance with laws and regulations on the use of cookies and user tracking tools.
  • The internal policy should require that the IT department make and update a list of all the places on your company websites, social media promotions and sponsored blogs where privacy representations and claims are made, maintain an inventory of the cookies they use, and not launch new ones without both marketing and legal review.
  • The internal policy should also require that the marketing staff make and update a separate list of all the user tracking tools being used on your company websites, social media promotions and sponsored blogs, maintain an inventory of the categories of data being collected from users, and not launch new tracking tools or new categories of collected data without both IT and legal review.
  • Sidestepping users’ preferences can lead to costly legal missteps.