How the FTC handles the EFF petition charging that Google has violated its enforceable pledge to protect K-12 students’ privacy will speak volumes to the world about two big things.
First, whether FTC Commissioners believe Google is subject to U.S. privacy law, or not.
And second, whether Google’s uniquely bad privacy rap sheet, combined with its unique “mass indiscriminate surveillance” of EU citizens, warrants uniquely excluding Google from what otherwise should be a timely reconstitution of the US-EU Data Safe Harbor.
(Note: In 2011, the FTC identified Google as a unique US-EU safe harbor violator in the FTC-Google-Buzz Privacy Consent Decree saying: “this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.”
However, these initial defenses are partial and do not refute the core of EFF’s complaint that Google did not appropriately protect K-12 students differently and more than adult consumers, and that Google never sought the explicit approval of the K-12 students’ parents to use the students’ private data for Google’s direct or indirect commercial purposes. (Please note how this EFF petition’s core charges are highly analogous to the EU’s privacy concerns that Google does not protect Europeans’ privacy any differently than Americans, despite the EU’s much stricter privacy laws, and Google does seek the explicit prior approval of Europeans before using their private information for commercial purposes — per EU law.)
Summary of why the EFF Petition is a legitimate litmus test of FTC-Google privacy enforcement
- FTC sanctioned Google a privacy violator in 2011 and as a recidivist in 2012.
- FTC has known of Google Apps for Education privacy violations for ~two years and not acted.
- FTC stopped Google privacy enforcement after they shut down all Google antitrust cases.
- EFF’s problems with Google’s privacy practices mirror the EU’s problems with Google.
- If the FTC ignores EFF’s petition, State Attorneys General will need to protect minors’ privacy.
Why the EFF Petition is a legitimate litmus test of FTC-Google privacy enforcement
First, the FTC sanctioned Google as a serious FTC privacy violator in 2011 and as a recidivist violator in 2012, meaning Google should warrant stiff prosecutorial scrutiny, and punishment, if found guilty again of privacy violations via the EFF’s petition.
A 2011 FTC announcement sanctioning Google for privacy violations has eerie parallels with EFF’s complaint.
It stated that: “Google Inc. has agreed to settle Federal Trade Commission charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleges the practices violate the FTC Act. The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. … “When companies make privacy pledges, they need to honor them,” said Jon Leibowitz, Chairman of the FTC. “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.””
A 2012 FTC announcement sanctioning Google for privacy violations that broke the FTC-Google-Buzz Consent Decree also has eerie parallels with EFF’s complaint.
It stated: “Google Inc. has agreed to pay a record $22.5 million civil penalty to settle Federal Trade Commission charges that it misrepresented to users of Apple Inc.’s Safari Internet browser that it would not place tracking “cookies” or serve targeted ads to those users, violating an earlier privacy settlement between the company and the FTC. … The settlement is part of the FTC’s ongoing efforts make sure companies live up to the privacy promises they make to consumers, and is the largest penalty the agency has ever obtained for a violation of a Commission order. … The FTC charged that Google’s misrepresentations violated a settlement it reached with the agency in October 2011, which barred Google from – among other things – misrepresenting the extent to which consumers can exercise control over the collection of their information.”
Second, the FTC has known of Google Apps for Education privacy problems for almost two years with no action.
In March 2014, Education Week reported that Google was exposed in a civil suit deposition to have secretly read all student-Gmail before it was received without any notice or “informed consent,” for the commercial purpose of creating a targeted advertising profile on the student for the future.
In an April 2014 mea culpa blog post Google effectively had to admit that for three years until April 29th 2014, Google secretly had been illegally collecting private student data for advertising purposes in violation of their public privacy representations and FERPA.
The analysis here by world-leading privacy advocate Simon Davies explains why this three-years-late, Google privacy invasion disclosure affecting minors is especially serious, inadequate and misleading.
Third, the FTC’s nonexistent Google privacy enforcement record 2013-2015 is in stark contrast to its tougher 2009-2012 privacy enforcement record — suggesting a political change after the 2012 election.
Since the FTC’s commissioners abruptly shut down all of the FTC’s Google antitrust investigations shortly after Google’s Eric Schmidt was credited publicly (Bloomberg, Time, & Sydney Morning Herald) with being very helpful in tilting the 2012 Presidential outcome, the FTC curiously has gone from actively enforcing U.S. privacy law against Google in the first term, to apparent political immunity from FTC law enforcement in the last three years.
For more evidence that the FTC apparently was directed to politically stand down on most all potential Google enforcement matters after the 2012 Presidential election, see the Googlegate series with links at the bottom of this post.
Fourth, the EFF petition’s problems with Google’s privacy practices largely mirror the EU’s problems with Google’s privacy practices.
At core the EFF’s complaint alleges that Google did not appropriately protect K-12 students differently than adult consumers as required under the law and the Student Privacy Pledge, which is very similar to EU data protection concerns that Google treats Europeans’ private data the same way they treat Americans when EU privacy law is different and more strict than America’s.
The EFF complaint also alleges that Google never sought the explicit approval of K-12 student’s parents to use the student’s private data for Google’s commercial purposes, which is also very similar to EU complaints that Google does seek the explicit prior approval of Europeans before using their private information for commercial purposes — per EU law.
Google’s deceptive defense is that it can’t be violating privacy if when it collects users’ private data it uses that data in some way to benefit the user or the users’ privacy. This “you must trust Google” argument is transparently self-serving, irrelevant and circular.
Fifth, if the FTC is not going to protect American minors from Google privacy violations, State Attorneys General will have to fill the Federal law enforcement vacuum.
If the FTC does not sanction Google for violating the Student Privacy Pledge or the FTC-Google-Buzz decree for misrepresenting how they protect K-12 students’ privacy and how much control parents have over their student’s private data, expect the vast majority of State Attorneys General to step up and protect American minors’ privacy and safety, like they have before.
Concerning addressing the type privacy violations the EFF petition alleges, the vast majority of State AGs have acted to protect Americans’ privacy whether the FTC acted or not.
FTC staff shut down an FTC investigation of Google Street View’s unauthorized collection of WiFi signals of tens of millions of American homes, because Google apologized and promised to not do it again in a blogpost.
In stark contrast, 38 State AG’s did not relent and eventually got Google to take responsibility for the Street View privacy violations and pay a $7m fine.
And when Google paid a record FTC $22.5m fine for violating the FTC-Google-Buzz privacy consent decree by bypassing Apple users’ privacy protections to serve Apple users Google ads, 38 State Attorneys General also enforced state privacy law and secured a comparable pro-rated $17m settlement from Google.
The bottom line here is if the White House politically won’t let the FTC enforce the FTC-Google-Buzz privacy consent decree or Google’s legally enforceable Student Privacy Pledge against Google, at least 38 State Attorneys General can be counted on to step up to fulfill their sovereign law enforcement responsibilities.
The EFF complaint is serious because it alleges and provides persuasive evidence that Google continues to misrepresent its privacy practices in the same manner that the FTC found illegal twice – before the 2012 election.
The EFF complaint is doubly serious because this is also the same behavior multiple EU Member States have determined Google has engaged in repeatedly over the last several years.
Hopefully with the world watching to see if U.S. children’s privacy law still applies to Google, the FTC will be allowed to carry out its statutory law enforcement responsibilities again and protect American children from America’s worst serial privacy offender.
If not, fortunately we can expect most State Attorneys General to stand up to Google’s political bullying and do their job to protect American minors’ privacy.
Forewarned is forearmed.
Scott Cleland served as Deputy U.S. Coordinator for International Communications & Information Policy in the George H. W. Bush Administration. He is President of Precursor LLC, an emergent enterprise risk consultancy for Fortune 500 companies, some of which are Google competitors, and Chairman of NetCompetition, a pro-competition e-forum supported by broadband interests. He is also author of “Search & Destroy: Why You Can’t Trust Google Inc.” Cleland has testified before both the Senate and House antitrust subcommittees on Google and also before the relevant House oversight subcommittee on Google’s privacy problems.