Whatever happened to “No harm no foul”?

The Wall Street Journal (WSJ) reports that the Federal Trade Commission (FTC) is close to reaching a record settlement with Google for the charge that it tracked Apple Safari web browser users. Google had earlier signed a 20-year consent decree in which it agreed not to misrepresent its privacy practices to consumers. Tracking Apple Safari users appears to be in violation of that agreement because Google had posted a statement in its online help center stating that these Safari users would not be tracked. The WSJ reports that Google will pay a penalty of $22.5 million, a record fine for the FTC.

When this issue first came out I wrote a post in which I argued:

“As always, the FTC can and should investigate if it discovers legitimate concerns about the business practices of a particular company. But companies should not face punitive sanctions for actions that do not cause consumer harm and are taken in good faith. To do so would discourage the type of fast-paced innovation that has defined the remarkable progress of the Internet era.”

I stand by these comments today. It’s always good to see the FTC involved in privacy enforcement. Regulatory oversight is an important means of keeping all companies honest and on top of their policies and practices. But companies will inevitably make mistakes. The speed of development on the Internet means that products and services change rapidly online and all of the policies describing these products may not always keep up. Certainly companies should keep these updated, but in the race to innovate, it is not surprising that on occasion something gets overlooked.

However, if a mistake is unintentional and does not result in consumer harm, then regulators should work to resolve the complaint rather than impose a punitive fine. In general, the penalties for violation of a privacy policy should reflect a sliding scale based on whether consumers were harmed by a company’s actions and whether a company intentionally tried to mislead its users. The table below reflects this concept. The idea is that penalties should be designed to encourage companies to make sure that they do not intentionally mislead their users or take actions that result in user harm.

|         | Unintentional | Intentional   |
|---------|---------------|---------------|
| No Harm | No Penalty    | Penalty       |
| Harm    | Penalty       | Large Penalty |

Unfortunately, the FTC’s proposed settlement shows that the FTC is focusing its limited resources on penalizing companies for unintentional actions that do not result in any actual user harm rather than directing these resources at cases where users suffer real harm or companies intentionally tried to mislead users. As a result, this proposed settlement may discourage companies from fully disclosing details about their data handling practices in the future. For example, in this case, there does not appear to be any evidence that Google intended to mislead consumers. Instead, the penalty is likely based on the fact that the company acted out of accordance with a statement that was posted on what appears to have been an outdated page of its help center. The takeaway for many companies will be that they are better off not sharing this information with consumers because then it can’t be used against them in the future. Or they may just decide to slow down the release of new products and services until their lawyers have signed off on everything.

Either way, regulators should think carefully about the impact of fining companies for innocent mistakes that do not result in harm. In the long term, this may leave consumers worse off.

About the author

Daniel Castro is a Senior Analyst with ITIF specializing in information technology (IT) policy. His research interests include health IT, data privacy, e-commerce, e-government, electronic voting, information security and accessibility. Before joining ITIF, Mr. Castro worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies. He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.