Some of Google Inc.’s cars were snapping up a lot more than pictures during the company’s Street View mapping project—they collected personal data, such as emails and passwords, from unencrypted Wi-Fi networks as they drove by. Google initially claimed that a rogue employee was responsible for the data collection, but the Federal Communications Commission’s 17-month inquiry into the Street View project found that the engineer had told at least one superior what he was doing, and that seven other engineers could also have known about it.
The 800-pound gorilla of a technology company admitted to these privacy violations in a settlement with 38 state attorneys general on March 12. Google received a $7 million fine as part of the deal, which also requires the company to set up an internal privacy program and a privacy public awareness campaign.
According to Christopher Wolf, director of Hogan Lovells’ privacy and information management practice group, the number of states participating in the settlement shows that state attorneys general will be active on privacy issues. “That’s another set of cops on the beat to enforce the privacy laws that we have in the U.S.,” he says.
Within six months from the date of the settlement, Google must set up a framework to educate its employees on privacy issues, host an annual “Privacy Week” and provide in-house counsel with refresher training for new products. The company must also create a YouTube video teaching users how to encrypt their Wi-Fi networks, post daily online ads promoting it for two years and run educational newspaper ads.
For Google, $7 million is what coins between the couch cushions are for most of us. According to the New York Times, the company has a net income of about $32 million per day. With that in mind, even the $22.5 million fine in Google’s 2012 settlement with the Federal Trade Commission (FTC) over allegations that Google bypassed the Safari browser’s privacy settings isn’t much of a deterrent.
“Google has become a serial privacy violator,” says John Simpson, privacy project director at Consumer Watchdog, a non-profit consumer advocacy organization. “The paltry fines become nothing more than the cost of doing business.”
Senator Richard Blumenthal, D-Conn., acknowledged this in a statement about the settlement. “More important than the money is Google’s commitment to set a model of privacy protection,” he said.
Simpson is less convinced that the requirements imposed on Google will inspire the company to better protect privacy. “The attorneys general … are going to put the fox in charge of teaching the chickens how to make their coop more secure,” he says.
Larry Page, Google’s CEO, has said he wants the company to act like a startup, which, according to Manatt, Phelps & Phillips Partner Marc Roth, means taking risks. “These companies [are under] increasing pressure to produce results and to justify stock prices. They’re going to continue to be aggressive in their [data] uses,” Roth says.
Concerns are also mounting about Google’s upcoming product Google Glass, a computer that the user wears like glasses, which can record video and take pictures, among other functions.
“[If] somebody’s wearing these glasses, you don’t know whether they’re taping you or not. That’s more than a little problematic,” Simpson says, adding, “If, as a consumer-facing company, you lose the trust of your users, it’s a big problem.”
However, Roth says, for consumers who enjoy Google’s free services, such as Gmail, Search and even Street View, relinquishing control of some of their data may be a cost of doing business for them, much like the fine in the Street View settlement is for Google. “It remains to be seen whether consumers are so offended that they stop using the service,” Roth says.
Lessons to Learn
The provisions set out in the Street View settlement offer in-house counsel a good example of how to promote privacy within their own companies. In fact, every time a settlement like this or a consent order with the FTC comes out, companies should take note, Wolf says.
“There is what I call a ‘common law of consent decrees’ that has arisen, that these enforcement actions against companies send a notice to other companies that there is certain behavior that is acceptable and certain behavior that isn’t when it comes to handling personal data,” Wolf says.
Companies that don’t have the heft of Google should interpret these guidelines in a way that makes sense for their businesses.
“The requirements are very stringent and onerous simply because Google has been in the crosshairs previously,” Roth says. “I don’t think companies will be subject to similar requirements if they are investigated. However, companies need to take a look at what these requirements are and apply them to their business to the extent reasonably necessary given what they do.”
To promote privacy and earn consumer trust at the same time, Simpson offers some simple advice: “Listen to your customers, hear what their desires are and respect them.”