In a somewhat frustrating Twitter chat following the Google settlement, one of the first questions – tweeted by Berin Szoka of TechFreedom – was, “How can message sent by today’s ruling be “clear” when there’s no admission of liability?” It was a question that had also been raised by one commissioner who had dissented from the settlement, J. Thomas Rosch. In his dissent, Rosch wrote, in part:
First, the Stipulated Order for Permanent Injunction and Civil Penalty Judgment provides that “Defendant denies any violation of the FTC Order, any and all liability for the claims set forth in the Complaint, and all material allegations of the Complaint save for those regarding jurisdiction and venue.” Yet, at the very same time, the Commission supports a civil penalty of $22.5 million against Google for that very same conduct. Condoning a denial of liability in circumstances such as these is unprecedented.
The commissioner’s dissent resonated with a number of people involved in the chat and elsewhere. And the following day, when the FTC announced it had given final approval to the settlement with Facebook, we saw Rosch dissenting again on allowing companies to deny liability:
I dissent from acceptance of this final consent order for two reasons. First, in the Agreement Containing Consent Order, respondent Facebook “expressly denies the allegations set forth in the complaint, except for the jurisdictional facts.” Our Federal Trade Commission Rules of Practice do not provide for such a denial. Beyond that, as I read Section 5, Commissioners are authorized to accept a consent agreement only if there is reason to believe that a respondent is engaging in an unfair or deceptive act or practice and that acceptance of the consent agreement is in the interest of the public. I respectfully suggest that the whole reason for requiring the Commission to conclude that there is “reason to believe” is to force the Commission to come to grips with the probability that the respondent did engage in conduct creating liability. I would further argue that in the real world, if the Commission allows the respondent to expressly deny that it did engage in that conduct (or to use language that is tantamount to an express denial), there is a questionable basis for us to conclude that that probability exists (or that the consent is in the public interest either). Accordingly, I cannot find that either the “reason to believe” or the “in the interest of the public” requirement is satisfied when, as here, there is an express denial of the allegations set forth in the complaint.
But even “neither admits nor denies” language, which Rosch indicates would be more acceptable, may be problematic. Edward Wyatt reports in the New York Times that an SEC settlement using that language was rejected by a judge who said that such language provided the court with no basis to determine whether a settlement was in the public interest.
Companies are clearly motivated to deny guilt – particularly if they are being sued in other courts by consumers over the actions alleged in an FTC complaint. But this blogger – and at least some other privacy advocates – agree with Commissioner Rosch that denials should not be permitted in a settlement. Might the FTC find itself having to litigate in court if they push for an actual admission of guilt? Possibly, but allowing a company to deny responsibility or guilt may confuse many consumers and dilutes the message the FTC hopes to send.
Wyatt reports that while the majority of the Commission disagreed with Rosch’s claim that acceptance of denials undermined the outcomes, they were open to his ideas and wanted “to avoid any possible public misimpression that the commission obtains settlements when it lacks reason to believe that the alleged conduct occurred.”
In the future, “express denials will be strongly disfavored,” the commissioners said. And in the coming months, they added, the commission will consider whether to modify its policy.
I hope they do modify the policy.
I also hope that they will consider how to inject more transparency into their processes, many of which are exempt from FOIA. As I sit here at my keyboard, I still have no clear idea why the Google fine was $22.5 million for a privacy violation that we have no proof caused any actual significant harm to consumers. Was most of the fine because they violated a consent order, or was it for the underlying violation itself? And would the fine have been less if Google had not denied liability? From the FTC’s responses to my tweeted questions, it seems that even if this was accidental or unintentional on Google’s part, that was not necessarily relevant to their decision-making. The FTC tweeted, “Unintentional” is Google’s story. FTC’s cmplt doesn’t adopt that perspective. Many considerations went into penalty amount.”
But what factors? We don’t even have any statement in their release that there was actual harm suffered by consumers as a result of this violation. Was this basically a $22.5M reminder to stick to the assurances you give consumers?
In response to my inquiry about how they arrived at $22.5 million, Jim Kohm, Associate Director of the FTC’s Division of Enforcement, wrote:
The suit alleges that Google violated the terms of an order it agreed to abide by. The FTC takes such agreements seriously and enforces them to protect the public. In this case, Safari browser users visited a webpage presumably to protect their information, and received misrepresentations that left them vulnerable to the very acts that they were trying to protect themselves from. This is not Google’s first privacy misstep, and therefore, the fine in this manner was appropriate to focus Google’s attention on its privacy obligations.
So if – or should I say, when – Facebook violates the consent order it just signed, what fine do you expect to see? The FTC clearly wanted to send a strong message. Sadly, the message still seems a bit murky.
And can there be unintended consequences of the Google fine? Berin Szoka and others have argued that such penalties will stifle innovation and may lead companies to disclose less in their privacy policies for fear that some inaccuracy will result in multi-million dollar fines. And because the FTC has no authority to fine companies for violations if there is not already a consent order in effect, what message will most businesses take home from the Google fine? Will, as Berin suggests, they be more reluctant to create help pages that may become inaccurate when conditions change due to third parties? I put the question to the FTC, and Kohm replied:
Companies have a strong incentive to disclose their practices as to what information they collect from consumers and why, so that they can build their customers’ trust.
That may be true, but I bet they have even stronger incentive to avoid FTC charges for making inaccurate statements under a strict liability approach.
It’s fairly cold day in Hell when I find myself in substantial agreement with Berin Szoka, but in this case, I think he’s raised some valid concerns. I hope the FTC will respond by opening up a new roundtable or discussion with stakeholders and privacy advocates about where we go from here.
h/t, Marie-Andree Weiss.