EPIC v. FTC (Enforcement of the Google Consent Order)

EPIC v. FTC (Enforcement of Google Consent Order)


EPIC filed a lawsuit to compel the Federal Trade Commission to enforce the Google consent order and block Google's proposed consolidation of user data. EPIC sought action prior to March 1, when Google implemented changes in its terms of service that allowed the company to combine user data without user consent. This change in business practice is in clear violation of the consent order that Google entered into on October 13, 2011. The Federal District Court of the District of Columbia heard the case before the March 1 deadline on an expedited schedule, and ultimately ruled that, because courts lack jurisdiction over agency enforcement actions, it was unable to compel the FTC to enforce the consent order. However, the court acknowledged "serious concerns" with Google's changes.

Top News

  • In EPIC FOIA Case, FTC Releases New Information from Facebook Audits: In response to an EPIC Freedom of Information Act lawsuit, the Federal Trade Commission today released materials, previously withheld, from the biennial Facebook audits. The audits were required by the FTC's 2011 Consent Order with Facebook. Heavily redacted versions of those audits were previously available on the FTC's website. But in March, following the Cambridge Analytica breach, EPIC filed an urgent FOIA request for the complete 2013, 2015, 2017 Facebook audits. (The 2017 audit covers the period the Cambridge Analytica breach.) In a detailed letter to Congress in April, EPIC explained that the FTC failed to review the reports and failed to enforce the 2011 consent order against Facebook. The documents released today to EPIC contain information that was not previously available to the public. EPIC is currently reviewing the documents obtained from the FTC. (Jun. 26, 2018)
  • FTC Commissioner Chopra: "FTC orders are not suggestions": Incoming Federal Trade Commissioner Rohit Chopra issued a memo today warning that the FTC will enforce its consent orders against companies that violate the law. "FTC orders are not suggestions," said Chopra. Chopra said the FTC should seek structural remedies as well as monetary fines. EPIC has repeatedly told the FTC to enforce its orders, and even sued the agency, EPIC v. FTC, for failing to enforce the order against Google following the Buzz fiasco. More recently, EPIC and a coalition of consumer groups told the FTC that the Cambridge Analytica breach could have been avoided had FTC enforced the 2011 Consent Order against Facebook. The FTC has since confirmed that it is investigating Facebook for the breach. According to the former Acting Director of the FTC's Bureau of Consumer Protection, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." (May. 14, 2018)
  • Dutch Privacy Officials Find Google Violates National Privacy Law: The Dutch Data Protection Authority has found that Google's 2012 privacy policy change violates Dutch data protection law. Google's policy change, which EPIC also opposed, consolidated user data across more than 60 separate services and gave Google the ability to track and profile users in extraordinary detail. The Dutch DPA has ordered Google to: (1) obtain "unambiguous consent of users for the combining of personal data" from different Google services; (2) describe in detail the personal data are used by each Google service; and (3) clearly explain to consumers that YouTube is a Google service. Google must comply with the Dutch officials' order by February 2015 or face $19 million in fines. In issuing the decision, Jacob Kohnstamm, chairman of the Dutch DPA, stated, "Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested." In 2012, EPIC sued the Federal Trade Commission to block Google's 2012 policy change, which violated a 2011 FTC Consent Order. That Consent Order followed an extensive EPIC FTC Complaint and findings by the FTC concerning Google's business practices. For more information, see EPIC: EPIC v. FTC (Enforcement of the Google Consent Order), EPIC: In re Google Buzz, and EPIC: Federal Trade Commission. (Dec. 16, 2014)
  • Privacy Lawsuit Against Google for Policy Change Moves Forward: A federal court in California has ruled that a class action privacy lawsuit against Google can continue. The plaintiffs are Android users who sued Google in 2012 after the company consolidated user data across many separate services, including Gmail, Google+, and Youtube. They allege that Google concealed a plan to modify its privacy policies and also that Google violated the privacy policy for GooglePlay. After dismissing similar claims, the court held that the case may now go forward. In 2012, EPIC objected to the same change in Google's policy and urged the Federal Trade Commission to block the change because of a 2011 consent order in which Google agreed not to combine user data without user consent. After the FTC failed to act, EPIC sued the agency. Members of Congress, state Attorneys General, European Justice Officials, technical experts, and IT managers in government and the private sector also expressed concern about the 2012 Google policy change. For more information, see EPIC: EPIC v. FTC (Google Consent Order) and EPIC: FTC. (Jul. 22, 2014)
  • European Privacy Authorities Give Google 3 Months to Comply with Law: European data protection authorities have ordered Google to comply with data protection law or face fines. The French Data Protection Authority, which led the investigation into Google's consolidation of user data, said that "Google has not implemented any significant compliance measures" and gave the company three months to comply with its requirements. The decision follows an investigation triggered by the collapse of the Google privacy policy in March 2012, which allowed the company to combine user data across 60 Internet services to create detailed profiles on Internet users. Last year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google’s changes in business practices. Google's consolidation also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order. (Jun. 20, 2013)
  • FTC Releases 2012 Performance Report: The Federal Trade Commission has released its performance and accountability report for 2012. The report summarizes the agency’s activities, shows how the agency has managed its resources, and explains how it plans to address future changes. Regarding consumer privacy, the agency cites the release of a new privacy report, the adoption of a consent order with Facebook, and a $22.5 million fine against Google as its primary accomplishments . The Commission reported that it acted on 90.6% of all consumer complaints that it received, though it did not indicate how many of these actions concerned consumer privacy. The agency’s goals for the coming year include “promot[ing] stronger privacy protections through policy initiatives on a range of topics such as data brokers, mobile devices, and comprehensive online data collection.” Earlier this year, EPIC brought suit against the Federal Trade Commission for its failure to enforce a 2011 consent order. EPIC has also routinely urged the FTC to take account of public comments when the agencies sets out proposed settlements and asks for public comments. For more information, see EPIC: Federal Trade Commission and EPIC: EPIC v. FTC (Enforcement of Google Consent Order). (Nov. 20, 2012)
  • French Data Protection Authority Sends New Questions to Google: The CNIL, the French data protection authority, has sent Google new questions regarding its privacy practices after finding the company's previous response was “often incomplete or approximate." The French agency is acting on behalf of governments across Europe that have raised questions about recent changes in Google's business practices. "The fact that Google's position on personal data processings is still unclear on many points after an in-depth exchange with the CNIL raises additional concerns about Google's adequate information of its users," the letter says. Google executives met with the CNIL on Wednesday, but the data protection authority said that many of its concerns had still not been addressed. Google’s decision to consolidate user data from over 60 products and services has also been criticized in the US by Members of Congress, state Attorneys General, and IT managers in government and the private sector. EPIC brought an enforcement action to block the March 1, 2012 changes. For more information, see EPIC: Enforcement of Google Consent Order. (May. 25, 2012)
  • Pew Study: Search Engine Users Anxious About Collection of Personal Information: A Pew study found that users of search engines were pleased with the quality of search results but opposed targeted advertising and search results, and were generally anxious about the collection of personal information by search engines. Specifically, 73 percent of those surveyed were opposed to search engines tracking their searches, and 68 percent opposed behavioral advertising. 83 percent of respondents reported using Google to conduct searches. Recently, Google began combining user data gathered from more than sixty Google products and services—including Google search--to create a single, comprehensive profile for each user. For more information, see EPIC: Search Engine Privacy and EPIC: EPIC v. FTC. (Mar. 9, 2012)
  • European Justice Minister Says Google Now in Violation of EU Law: European Justice Minister Vivian Reding said today that Google's March 1 changes to its terms of service violate European Union law "in numerous respects." Commissioner Reding pointed to the failure of the company to obtain user consent, the lack of transparency, and the fact that most users do not read privacy policies. European privacy officials recently concluded that the changes do not comply with the European Union Data Protection Directive and asked the company to suspend its planned changes. In the US, EPIC has urged a federal court to require the Federal Trade Commission to determine whether Google's changes changes violate a 2011 Consent Order. The court denied the motion. The case is now on appeal. For more information, see EPIC v. FTC (Google Consent Order). (Mar. 1, 2012)
  • EU and US Consumer Groups to Google: "This plan is a mistake": The Transatlantic Consumer Dialogue, a coalition of leading consumer organizations in North America and Europe, today urged Google CEO Larry Page to drop the plan to combine user data on March 1. Citing the pending changes to Google's terms of service, the groups said "It is both unfair and unwise for you to 'change the terms of the bargain' as you propose to do." TACD said "consumers have relied on your policies and your terms of service in choosing your products." Late Friday, EPIC filed an emergency appeal with the DC Circuit of Appeals in an attempt to force the Federal Trade Commission to take action prior to March 1. For more information, see EPIC: EPIC v. FTC (Google Consent Order). (Feb. 29, 2012)


On February 9, 2010, Google attempted to launch Buzz, a social networking service linked to Gmail, Google's email service. Google Buzz was an online service that compiled and made public a Gmail user's social networking list based on address book and Gchat list contacts. In response, EPIC filed a complaint with the FTC, highlighting several aspects of the Google Buzz service that threatened Gmail users' privacy. The complaint alleged that Google engaged in unfair and deceptive trade practices by transforming its email service into a social networking service without offering users meaningful control over their information or opt-in consent.

On October 13, 2011, having determined that Google did engage in unfair and deceptive trade practices, the FTC issued a consent order establishing new privacy safeguards for users of all Google products and services and subjecting the company to regular privacy audits. This order bars Google from misrepresenting the company’s privacy practices, requires the company to obtain users’ consent before disclosing personal data, and requires the company to develop and comply with a comprehensive privacy program.

On January 24, 2012, Google announced that it would change its terms of service for current users of more than 60 Google services, including Gmail, Google+, Youtube, and the Android mobile operating system. Rather than keeping personal information about a user of a given Google service separate from information gathered from other Google services, Google will consolidate user data from across its services and create a single merged profile for each user. The change will become effective on March 1, 2012.

On February 24, 2012, five privacy organizations, including EPIC, wrote to Rep. Bono-Mack to urge the Chairwoman of a powerful Congressional committee to hold a public hearing on Google's proposed changes in business practices that will take effect March 1.

On February 28, 2012, the head of the French Data Protection Agency, on behalf of European privacy agencies, warned that Google's proposed change violates European Union privacy law. She is reiterated the recommendation of Europe's Justice Minister that Google suspend the change. In an interview with C-Span, the Chairman of the Federal Trade Commission said that users of Google services face a "brutal choice."

EPIC's Lawsuit

Procedural History

On February 8, 2012 in the D.C. District Court, EPIC filed a complaint and motion for a temporary restraining order and preliminary injunction compelling the FTC to enforce the Google consent order. On February 9, 2012, the court set an expedited briefing schedule in order to make a decision before Google's March 1, 2012 change in business practices.

On February 17, 2012, the Federal Trade Commission filed an opposition and a motion to dismiss in response to EPIC's complaint. The government stated that EPIC would "deprive the Commission of the discretion to exercise its enforcement authority." The government also charged that EPIC's lawsuit is "completely baseless." On that same day, the Wall Street Journal reported that Google had subverted the privacy settings of millions of users of the Internet browser software Safari despite representations to the contrary.

In a reply brief filed in Washington, DC, on February 21, 2012, EPIC said that the Federal Trade Commission's failure to enforce the Consent Order against Google prior to March 1 would cause "irreparable injury." EPIC cited Google's plans to combine user data without consent, and pointed to numerous cases that establish the need for the Court to assess the FTC's failure to act. Dismissing arguments asserted by the government that "FTC enforcement decisions are not subject to judicial review," EPIC said that Congress has clearly told the Federal Trade Commission to enforce its final orders. And in response to a claim that EPIC's request for action by March 1 is "arbitrary," EPIC wrote "If the government is unaware that Google plans to make a substantial change in its business practices on March 1, 2012, it should turn on a computer connected to the Internet."

On February 24, 2012, a federal court dismissed EPIC's lawsuit against the FTC because the "decision to enforce the Consent Order is committed to agency discretion and is not subject to judicial review." However, the Judge also said, "the Court has not reached the question of whether the new policies would violate the consent order or if they would be contrary to any other legal requirements." And she said "the FTC, which has advised the Court that the matter is under review, may ultimately decide to institute an enforcement action." Within hours, EPIC filed an emergency appeal with the Court of Appeals for the DC Circuit, asking the appellate court to overturn the lower court decision before March 1, when Google will change its terms of service and consolidate user data without consent. On March 5, the D.C. Circuit Court affirmed the lower court's ruling and dismissed EPIC's complaint.

Legal Arguments

EPIC argues it is entitled to a temporary restraining order and preliminary injunction requiring the FTC to enforce its consent order with Google.

EPIC argues that Google's proposed March 1, 2012 change in business practices is in clear violation of this consent order. Google violated Part I(a) of the Consent Order by misrepresenting the extent to which it maintains and protects the privacy and confidentiality of covered information. Google also violated Part I(b) of the Consent Order by misrepresenting the extent to which it complies with the U.S.-EU Safe Harbor Framework. Google violated Part II of the Consent Order by failing to obtain affirmative consent from users prior to sharing their information with third parties. Google violated Part III of the Consent Order by failing to comply with the requirements of a comprehensive privacy program.

EPIC argues that the FTC has violated section 706 of the Administrative Procedures Act by unlawfully withholding agency action on a required action. The FTC has a non-discretionary obligation to enforce a final order. But the agency has thus far failed to take any action regarding this matter, placing the privacy interests of Google users at grave risk. EPIC brings this suit to require the Commission to enforce the consent order.

Legal Documents

United States Court of Appeals for the District of Columbia

EPIC v. the Federal Trade Commission, Case No. 12-5054 (D.C. Cir. filed Feb. 24, 2012).

United States District Court for the District of Columbia

EPIC v. the Federal Trade Commission, Case No. 12-00206-JAB (D.D.C. filed Feb. 9, 2012).


Google's Safari Tracking

In re Google Buzz

News Reports

News Stories and Blog Items

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.