EPIC v. FTC (Enforcement of the Google Consent Order)
Introduction
EPIC filed a lawsuit to compel the Federal Trade Commission to enforce the Google consent order and block Google's proposed consolidation of user data. EPIC sought action prior to March 1, when Google implemented changes in its terms of service that allowed the company to combine user data without user consent. This change in business practice is in clear violation of the consent order that Google entered into on October 13, 2011. The Federal District Court of the District of Columbia heard the case before the March 1 deadline on an expedited schedule, and ultimately ruled that, because courts lack jurisdiction over agency enforcement actions, it was unable to compel the FTC to enforce the consent order. However, the court acknowledged "serious concerns" with Google's changes.
Top News
- EPIC Says FTC Responsible for Cambridge Analytica: EPIC has filed comments on the FTC's proposed consent order with the individuals responsible for the Cambridge Analytica breach that impacted 87 million Facebook users, and possibly the outcome of the Brexit vote. EPIC wrote: "the Cambridge Analytica breach could have been prevented if the Commission had enforced the Consent Order." EPIC pointed to numerous reports that Facebook's improper sharing of personal data with third party developers was known to the FTC after the 2011 Consent Order. EPIC is currently pursuing two cases against the FTC, one to obtain the release of the complete biennial audits, the other to block the FTC's proposed settlement that would leave Facebook's business practices largely unchanged. (Sep. 3, 2019)
- Court Grants Facebook's Motion to Intervene in EPIC v. FTC: The D.C. District Court has granted Facebook's motion to intervene in EPIC's case against the Federal Trade Commission for the release of the biennial audits required by the 2011 Consent Order. The FTC turned over redacted reports to EPIC but withheld certain information, citing a confidential business information provision. EPIC explained to the court, the "release of the full audits is crucial for Congress, the States Attorneys General, and the public to evaluate how the Cambridge Analytica breach occurred." EPIC opposed Facebook's attempt to intervene but the Court granted Facebook's motion. Before the same judge, EPIC is also pursuing intervention in United States v. Facebook, a case concerning the proposed settlement between FTC and Facebook. Facebook's answer to EPIC's complaint is due September 3, 2019. The case is EPIC v. FTC, No. 18-942 (D.D.C.). (Aug. 28, 2019)
- EPIC Opposes Facebook's Intervention in FOIA Case for Release of FTC's Facebook Audits: In a recent court filing, EPIC opposed Facebook's attempt to intervene in EPIC's lawsuit against the Federal Trade Commission for the release of records concerning the company's compliance with the 2011 Consent Order. EPIC told the court hearing EPIC v. FTC that Facebook does not have standing to intervene because it has not established that it would suffer a substantial competitive harm as a result of public disclosure of the information EPIC is seeking. EPIC also explained that under the Freedom of Information Act companies do not decide for themselves what information they wish to withhold from the public. EPIC's FOIA lawsuit is one of several activities that EPIC is pursuing to hold Facebook accountable for compliance under the 2011 consent order. In a related FOIA lawsuit, EPIC determined that there are more than 26,000 complaints against Facebook currently pending at the FTC. EPIC also launched the #EnforcetheOrder campaign to pressure the FTC to take enforcement action against Facebook. The case is EPIC v. FTC, No. 18-942 (D.D.C.). (Jun. 17, 2019)
- EPIC Challenges FTC's Withholdings of Records Regarding Irish Audits of Facebook: EPIC has submitted a Freedom of Information Act appeal challenging the Federal Trade Commission's withholdings of 42 pages of records about the Irish Data Protection Commissioner's inquiries regarding Facebook's compliance with the FTC Consent Order. In response to EPIC's FOIA request the FTC released 413 pages of publicly available documents but withheld 42 pages in full under several exemptions, including an exemption protecting records compiled for law enforcement purposes. In 2011 the Irish Data Protection Commissioner initiated an audit of Facebook Ireland, a subsidiary of Facebook that is responsible for data protection for all Facebook users outside of the U.S. and Canada, to assess its compliance with both Irish Data Protection law and EU law. The 2011 audit found that the safeguards for third party applications did not ensure security for user data. The 2012 re-audit found a "satisfactory response" from Facebook regarding preventing third party applications from accessing unauthorized user information. Following the 2012 re-audit, the FTC and Irish Data Protection Commissioner signed a Memorandum of Understanding to mutually assist and exchange information to protect consumer privacy. Two years after the Irish Data Protection Commissioner determined a "satisfactory response," Cambridge Analytica improperly harvested the personal data of millions of users to use for political purposes. The FTC announced that it was reopening the Facebook investigation after the Cambridge Analytica scandal but to date, there has been no announcement, no report, and no fine. EPIC is holding FTC accountable to its 2011 consent order enforcement obligations in EPIC v. FTC seeking the full release of the Facebook Assessments and related records. (Nov. 21, 2018)
- EPIC v. FTC: EPIC Obtains Facebook-FTC Emails About 2011 Consent Order: In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order. Following a detailed complaint by EPIC and other consumer privacy organizations, the FTC issued an order in 2011 that required biennial audits of Facebook's privacy practices. EPIC pursued public release of these reports and related emails to understand why the FTC failed to bring an enforcement action against the company. Today the FTC released to EPIC 89 emails between the FTC and Facebook from the years 2011, 2012, 2013, 2014, 2015, 2016, 2017, and 2018. In March 2018, following the Cambridge Analytica data breach, the FTC announced it was reopening the Facebook investigation. To date, there is still no announcement, no report, and no fine. (Oct. 19, 2018)
- EPIC v. FTC: EPIC Obtains Emails about Facebook Audits: In response to EPIC's Freedom of Information Act lawsuit, the FTC has released communications about Facebook's biennial audits. The audits are required by the FTC's 2011 Consent Order with Facebook, which followed a detailed complaint by EPIC and other consumer privacy organizations. The emails show that the FTC had concerns about the scope of Facebook's 2015 assessment, stating "PwC's report does not demonstrate whether and how Facebook addressed the impact of acquisitions on its Privacy Program." In another email, the FTC expressed similar concerns about the 2017 assessment and whether the audit evaluated the impact of the company's acquisitions on Facebook's privacy program. EPIC had previously opposed Facebook's acquisition of WhatsApp and submitted detailed comments for the FTC's review of the merger remedy process. In March 2018, following the Cambridge Analytica breach, the FTC announced it was reopening the Facebook investigation, but still there is no announcement, no report, and no fine. (Oct. 15, 2018)
- EPIC FOIA: EPIC Obtains Facebook Privacy Documents: In response to an EPIC Freedom of Information Act lawsuit, the Federal Trade Commission has released supplemental materials from the biennial Facebook audits (production 1, production 2, production 3, production 4). The audits were required by the FTC's 2011 Consent Order with Facebook. The documents include letters from the FTC to Facebook inquiring about Facebook's relationship with Instagram and telling the company that "whenever a corporate change such as an acquisition may affect the design and/or implementation of the Company's privacy program, the Company must notify the Commission." EPIC opposed Facebook's acquisition of WhatsApp and submitted comments for the FTC's review of the merger remedy process. The FTC reopened its investigation into Facebook in March after EPIC and consumer groups urged action. The UK Information Commissioner completed its initial investigation, published a report, and issued a fine in July. The FTC begins hearings this week on competition and consumer protection in the 21st century. (Sep. 12, 2018)
- In EPIC FOIA Case, FTC Releases New Information from Facebook Audits: In response to an EPIC Freedom of Information Act lawsuit, the Federal Trade Commission today released materials, previously withheld, from the biennial Facebook audits. The audits were required by the FTC's 2011 Consent Order with Facebook. Heavily redacted versions of those audits were previously available on the FTC's website. But in March, following the Cambridge Analytica breach, EPIC filed an urgent FOIA request for the complete 2013, 2015, 2017 Facebook audits. (The 2017 audit covers the period of the Cambridge Analytica breach.) In a detailed letter to Congress in April, EPIC explained that the FTC failed to review the reports and failed to enforce the 2011 consent order against Facebook. The documents released today to EPIC contain information that was not previously available to the public. EPIC is currently reviewing the documents obtained from the FTC. (Jun. 26, 2018)
- FTC Commissioner Chopra: "FTC orders are not suggestions": Incoming Federal Trade Commissioner Rohit Chopra issued a memo today warning that the FTC will enforce its consent orders against companies that violate the law. "FTC orders are not suggestions," said Chopra. Chopra said the FTC should seek structural remedies as well as monetary fines. EPIC has repeatedly told the FTC to enforce its orders, and even sued the agency, EPIC v. FTC, for failing to enforce the order against Google following the Buzz fiasco. More recently, EPIC and a coalition of consumer groups told the FTC that the Cambridge Analytica breach could have been avoided had FTC enforced the 2011 Consent Order against Facebook. The FTC has since confirmed that it is investigating Facebook for the breach. According to the former Acting Director of the FTC's Bureau of Consumer Protection, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." (May. 14, 2018)
- Dutch Privacy Officials Find Google Violates National Privacy Law: The Dutch Data Protection Authority has found that Google's 2012 privacy policy change violates Dutch data protection law. Google's policy change, which EPIC also opposed, consolidated user data across more than 60 separate services and gave Google the ability to track and profile users in extraordinary detail. The Dutch DPA has ordered Google to: (1) obtain "unambiguous consent of users for the combining of personal data" from different Google services; (2) describe in detail how the personal data are used by each Google service; and (3) clearly explain to consumers that YouTube is a Google service. Google must comply with the Dutch officials' order by February 2015 or face $19 million in fines. In issuing the decision, Jacob Kohnstamm, chairman of the Dutch DPA, stated, "Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested." In 2012, EPIC sued the Federal Trade Commission to block Google's 2012 policy change, which violated a 2011 FTC Consent Order. That Consent Order followed an extensive EPIC FTC Complaint and findings by the FTC concerning Google's business practices. For more information, see EPIC: EPIC v. FTC (Enforcement of the Google Consent Order), EPIC: In re Google Buzz, and EPIC: Federal Trade Commission. (Dec. 16, 2014)
Background
On February 9, 2010, Google attempted to launch Buzz, a social networking service linked to Gmail, Google's email service. Google Buzz was an online service that compiled and made public a Gmail user's social networking list based on address book and Gchat list contacts. In response, EPIC filed a complaint with the FTC, highlighting several aspects of the Google Buzz service that threatened Gmail users' privacy. The complaint alleged that Google engaged in unfair and deceptive trade practices by transforming its email service into a social networking service without offering users meaningful control over their information or opt-in consent.
On October 13, 2011, having determined that Google did engage in unfair and deceptive trade practices, the FTC issued a consent order establishing new privacy safeguards for users of all Google products and services and subjecting the company to regular privacy audits. This order bars Google from misrepresenting the company’s privacy practices, requires the company to obtain users’ consent before disclosing personal data, and requires the company to develop and comply with a comprehensive privacy program.
On January 24, 2012, Google announced that it would change its terms of service for current users of more than 60 Google services, including Gmail, Google+, YouTube, and the Android mobile operating system. Rather than keeping personal information about a user of a given Google service separate from information gathered from other Google services, Google will consolidate user data from across its services and create a single merged profile for each user. The change will become effective on March 1, 2012.
On February 24, 2012, five privacy organizations, including EPIC, wrote to Rep. Bono-Mack to urge the Chairwoman of a powerful Congressional committee to hold a public hearing on Google's proposed changes in business practices that will take effect March 1.
On February 28, 2012, the head of the French Data Protection Agency, on behalf of European privacy agencies, warned that Google's proposed change violates European Union privacy law. She reiterated the recommendation of Europe's Justice Minister that Google suspend the change. In an interview with C-Span, the Chairman of the Federal Trade Commission said that users of Google services face a "brutal choice."
EPIC's Lawsuit
Procedural History
On February 8, 2012 in the D.C. District Court, EPIC filed a complaint and motion for a temporary restraining order and preliminary injunction compelling the FTC to enforce the Google consent order. On February 9, 2012, the court set an expedited briefing schedule in order to make a decision before Google's March 1, 2012 change in business practices.
On February 17, 2012, the Federal Trade Commission filed an opposition and a motion to dismiss in response to EPIC's complaint. The government stated that EPIC would "deprive the Commission of the discretion to exercise its enforcement authority." The government also charged that EPIC's lawsuit is "completely baseless." On that same day, the Wall Street Journal reported that Google had subverted the privacy settings of millions of users of the Internet browser software Safari despite representations to the contrary.
In a reply brief filed in Washington, DC, on February 21, 2012, EPIC said that the Federal Trade Commission's failure to enforce the Consent Order against Google prior to March 1 would cause "irreparable injury." EPIC cited Google's plans to combine user data without consent, and pointed to numerous cases that establish the need for the Court to assess the FTC's failure to act. Dismissing arguments asserted by the government that "FTC enforcement decisions are not subject to judicial review," EPIC said that Congress has clearly told the Federal Trade Commission to enforce its final orders. And in response to a claim that EPIC's request for action by March 1 is "arbitrary," EPIC wrote "If the government is unaware that Google plans to make a substantial change in its business practices on March 1, 2012, it should turn on a computer connected to the Internet."
On February 24, 2012, a federal court dismissed EPIC's lawsuit against the FTC because the "decision to enforce the Consent Order is committed to agency discretion and is not subject to judicial review." However, the Judge also said, "the Court has not reached the question of whether the new policies would violate the consent order or if they would be contrary to any other legal requirements." And she said "the FTC, which has advised the Court that the matter is under review, may ultimately decide to institute an enforcement action." Within hours, EPIC filed an emergency appeal with the Court of Appeals for the DC Circuit, asking the appellate court to overturn the lower court decision before March 1, when Google will change its terms of service and consolidate user data without consent. On March 5, the D.C. Circuit Court affirmed the lower court's ruling and dismissed EPIC's complaint.
Legal Arguments
EPIC argues it is entitled to a temporary restraining order and preliminary injunction requiring the FTC to enforce its consent order with Google.
EPIC argues that Google's proposed March 1, 2012 change in business practices is in clear violation of this consent order. Google violated Part I(a) of the Consent Order by misrepresenting the extent to which it maintains and protects the privacy and confidentiality of covered information. Google also violated Part I(b) of the Consent Order by misrepresenting the extent to which it complies with the U.S.-EU Safe Harbor Framework. Google violated Part II of the Consent Order by failing to obtain affirmative consent from users prior to sharing their information with third parties. Google violated Part III of the Consent Order by failing to comply with the requirements of a comprehensive privacy program.
EPIC argues that the FTC has violated section 706 of the Administrative Procedure Act by unlawfully withholding agency action on a required action. The FTC has a non-discretionary obligation to enforce a final order. But the agency has thus far failed to take any action regarding this matter, placing the privacy interests of Google users at grave risk. EPIC brings this suit to require the Commission to enforce the consent order.
Legal Documents
United States Court of Appeals for the District of Columbia
EPIC v. the Federal Trade Commission, Case No. 12-5054 (D.C. Cir. filed Feb. 24, 2012).
United States District Court for the District of Columbia
EPIC v. the Federal Trade Commission, Case No. 12-00206-JAB (D.D.C. filed Feb. 9, 2012).
- Court Ruling, EPIC v. FTC, No. 12-0206 (ABJ) (D.D.C. Feb. 24, 2012).
- EPIC's Opposition to FTC's Motion to Dismiss and Reply in Support of Motion for Temporary Restraining Order and Preliminary Injunction
- FTC Motion to Dismiss and Memorandum in Opposition to EPIC's Motion
- Motion for Temporary Restraining Order and Preliminary Injunction
- EPIC's Complaint for Injunctive Relief
Resources
Google's Safari Tracking
- EPIC's Letter to FTC Commissioner Jon Leibowitz on Google Safari Tracking, Feb. 17, 2012.
- Google's iPhone Tracking, Julia Angwin & Jennifer Valentino-Devries, Wall St. J., Feb. 17, 2012.
- Safari Trackers, Jonathan Mayer, Web Policy, Feb. 17, 2012.
In re Google Buzz
- Ctr. for Digital Democracy's FTC Complaint, In re Google Buzz, Request for Investigation and Imposition of Fines and Other Remedies for Violation of “Google Buzz” Consent Decree, No. C4336, Feb. 22, 2012.
- Google Privacy Compliance Report, as required by In re Google Buzz
- FTC Consent Order, In re Google Buzz
- FTC - "FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network."
- Background: EPIC - In re Google Buzz
News Reports
News Stories and Blog Items
- Bono Mack Plans Privacy Hearing, Paul C. Barton, USA Today, Feb. 28, 2012.
- France Says Google Privacy Plan Likely Violates European Law, Eric Pfanner, N.Y. Times, Feb. 28, 2012.
- Google Unified Privacy Settings Unsettle Users, Cecilia Kang, Wash. Post, Feb. 27, 2012.
- Interview, FTC Chairman Jon Leibowitz, C-SPAN, Feb. 26, 2012.
- Google’s Privacy Policy: Always Changing, Not Yet Transparent, Meg Roggensack, Human Rights First, Feb. 23, 2012.
- CDD to FTC: Google Violated Buzz Consent Decree by Failing to Inform Consumers Real Reasons for its Expanded Data Practices, Ctr. for Digital Democracy, Feb. 22, 2012.
- Pressure on Google over privacy problems mounts, Cecilia Kang, Wash. Post, Feb. 21, 2012
- FTC Responds to EPIC Google Privacy Suit, Shaylin Clark, Web Pro News, Feb. 20, 2012.
- Will the FTC Investigate Google's Safari Gaffe, Ian Paul, PCWorld, Feb. 20, 2012.
- Google Unlikely to Back Down at Privacy Lawsuits, Christina DesMarais, PCWorld, Feb. 19, 2012.
- Setting the Record Straight on Google's Safari Tracking, Jonathan Mayer, Web Policy, Feb. 20, 2012.
- Google's iPhone Tracking, Julia Angwin & Jennifer Valentino-Devries, Wall St. J., Feb. 17, 2012.
- Safari Trackers, Jonathan Mayer, Web Policy, Feb. 17, 2012.
- Google Accused of Not Being Forthright in Report to Feds, Christina DesMarais, PCWorld, Feb. 11, 2012.
- Google Tells FTC of Progress on Privacy, Michelle Quinn & Tony Romm, Politico, Feb. 10, 2012.
- The Real Problem With Google's New Privacy Policy, Thomas Gideon & James Losey, Slate, Feb. 10, 2012.
- Federal Court Expedites Case on Google Privacy Policies, Cecilia Kang, Wash. Post (blog), Feb. 9, 2012.
- Court Speeds Up FTC Suit Over Google Privacy Changes, Gautham Nagesh & Brendan Sasso, The Hill, Feb. 9, 2012.
- Watchdog Sues FTC Over New Google Privacy Policy, Jessica Guynn, L.A. Times, Feb. 8, 2012.
- Privacy Group Wanting FTC to Punish Google Files Lawsuit, Cecilia Kang, Wash. Post, Feb. 8, 2012.
- Group Urges FTC Action on Google Privacy, Byron Acohido, USA Today, Feb. 8, 2012.
- Google Privacy Changes Must Be Stopped, Group's Lawsuit Says, Sara Forden, S.F. Chronicle, Feb. 9, 2012.
- Consumer Rights Group Says Google Broke Its Promise, Somini Sengupta, N.Y. Times, Feb. 8, 2012.
- Privacy Breaches as Bad as Piracy, Gehan Gunasekara, NZ Herald News, Feb. 10, 2012.
- Group Sues FTC Over Google's Planned Privacy Update, Steven Musil, CNET, Feb. 8, 2012.
- Information Gathering for the Google Age: Some Notes on the Stored Communications Act, Stephen Juris, Forbes, Feb. 8, 2012.
- Google Refuses to Halt Privacy Policy Change, Tim Bradshaw, Financial Times, Feb. 3, 2012.
- Google: EU Group Urges Privacy Policy Change Pause, BBC, Feb. 3, 2012.
- Who Does Google Think You Are?, Karen Weise, Business Week, Feb. 2, 2012.
- House Lawmakers Request Briefing on Google Privacy Policy Changes, Brendan Sasso, The Hill, Jan. 30, 2012.
- Google Overhauls Its Privacy Policies, Mike Swift, San Jose Mercury News, Jan. 24, 2012.