Web Companies Denying “Guilt” Prompts FTC To Reconsider Policies

Denying guilt while settling Federal Trade Commission violations might not be an option much longer.  Image credit @jbtaylor via Flickr (CC BY 2.0)

The US Federal Trade Commission (FTC) is considering language for its privacy investigations that would forbid companies from settling on violations while still denying guilt. Recently Facebook agreed to a 20-year period of privacy audits and Google agreed to pay a record $22.5 million for violating its existing 20-year privacy audit, but both Internet giants denied any wrongdoing.

Reacting to this re-violation of the original violation, FTC Commissioner J. Thomas Rosch was the lone dissenting vote in the settlements with Facebook, when FTC commissioners voted 3-1-1 (including one abstention), and with Google, when commissioners voted 4-1.

For violating an existing privacy settlement with the agency by placing behavioral tracking cookies in Apple’s Safari Web browser, Google will pay a $22.5 million settlement, which is the largest ever filed with the FTC. That is reportedly equal to the amount Google makes in five hours. In 2011 the FTC required Google to undergo privacy audits for 20 years after Google’s repurposed its users’ personal data to create the now-defunct Google Buzz chat network in 2010, which aroused privacy concerns in part because Google did not give users the option to opt-out, or decide what data could or could not be shared, ahead of time.

Facebook will now also be subject to privacy audits for 20 years, and all changes to the website’s privacy settings must now be opt-in. Facebook’s transitioning of privacy rules in December 2009 without telling users led to complaints from privacy groups and scrutiny from Congress. The FTC determined the company’s privacy policies were deceptive, resulting in a settlement with the social network announced last November.

After the FTC’s announcement of the settlement in November Facebook CEO Marc Zuckerberg blogged that the company “made a bunch of mistakes,” such as the 2009 privacy policy transition, but Facebook’s consent order (PDF) on the FTC settlement stated the company “expressly denies the allegations set forth in the complaint, except for the jurisdictional facts.” Rosch stated the FTC did not provide for such a denial and the commission should adopt clearer language in settlements to avoid such deniability. The statement is available in PDF here.

Commissioners are authorized to accept a consent agreement only if there is reason to believe that a respondent is engaging in an unfair or deceptive act or practice and that acceptance of the consent agreement is in the interest of the public. I respectfully suggest that the whole reason for requiring the Commission to conclude that there is “reason to believe” is to force the Commission to come to grips with the probability that the respondent did engage in conduct creating liability. I would further argue that in the real world, if the Commission allows the respondent to expressly deny that it did engage in that conduct (or to use language that is tantamount to an express denial), there is a questionable basis for us to conclude that that probability exists (or that the consent is in the public interest either).

A similar dissenting statement against the Google settlement released by Rosch complains about Google’s denial of wrongdoing despite it being “Google’s second bite of the apple,” as Rosch described their violation of the 2011 privacy audit.

Speaking with the New York Times, Rosch stated that to avoid a precedent of inviting denials of liability in settlements he would like the FTC to adopt language similar to that used by the Securities and Exchange Commission allowing case defendants to “neither confirm nor deny” guilt, but not to deny the agency’s findings if they settle to resolve said violations.

Similar to the way that the actions of Google and Facebook are causing greater scrutiny of the Web business, the SEC revised the “neither confirm nor deny” language in its settlements in cases where a company has admitted guilt on related offenses in a criminal case, according to reporting by the New York Times.

That clause has been successful in encouraging companies to settle, but language allowing companies to settle without admitting they have done anything wrong also led Jed S. Rakoff of US District Court in Manhattan to reject a settlement between the SEC and financial conglomerate Citigroup in November, according to reporting by the New York Times.

A list of million-dollar privacy audit settlements the FTC has made with Web companies in recent years can be found on Computerworld. The article also includes seven steps companies could take to avoid an FTC privacy investigation, such as honoring opt-outs for behavioral tracking, providing complete and accurate privacy policies, and not disclosing user data to consumers without consent.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: