US trade body fines Google record $22.5m for privacy breach

Google has been fined a record $22.5m (£14.4m) by the US Federal Trade Commission (FTC) for snooping on the internet habits of people using Apple's Safari web browser.

After Google placed cookies onto Apple devices using Safari users for several months in 2011 and 2012 without their permission, the FTC said it wanted to send a strong message by imposing the largest fine yet on a single company.

Jon Leibowitz, FTC chairman said: "The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order. No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place."

Read more: Google news | privacy

The FTC's inquiry began after a Stanford University researcher noticed that Google had placed a advertising tracking cookie on the computers of Safari users who visited sites within Google's Doubleclick advertising network.

Google had assured these users that they would automatically be opted out of such tracking, due to the default settings Safari browsers on Apple products.

Google said it had not intended the cookies to be downloaded to Safari users' devices and it had not collected any personal information such as names or card details.

The FTC said that Google had agreed "to destroy as many as possible of the DoubleClick tracking cookies placed on Safari users' computers during the relevant period."

The Government agency added that "to its credit Google started destroying those cookies early, without waiting for the settlement to be finalized, so virtually all of the relevant cookies should be gone by now."

However, Luke Scanlon, technology law expert at Pinsent Masons warned that there was a "disconnect between the amount of time and effort spent on debating the scope of data protection laws and the consequences of a breach.

He added the fine imposed by the FTC was seen by many as amounting to "nothing more than a slap on the wrists" and pointed out that "in the UK the Information Commissioner's Office monetary penalties for serious data breaches are capped at £500,000."