Google will pay US$22.5 million (NZ$27.7 million) to settle charges it bypassed the privacy settings of customers using Apple's Safari browser, the US Federal Trade Commission said on Thursday.
The deal ends an FTC probe into allegations that Google used computer code known as "cookies" to trick the Safari browser on iPhones and iPads so the Internet search company could monitor users who had blocked such tracking.
The practice was in violation of a 2011 consent decree Google had negotiated with the FTC over botched rollouts of the social network Buzz, which is now defunct.
Companies such as Google and Facebook rely on collecting user data for a large part of their revenue, but lawmakers and privacy advocates have argued that tech companies are generally not doing enough to safeguard customer privacy.
Both Google, the world's No. 1 search engine, and Facebook, the No. 1 social networking site, last year agreed to 20 years of audits to ensure consumers' privacy after the FTC found they had engaged in deceptive privacy practices.
"No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers," FTC Chairman Jon Leibowitz said in a statement.
Google was not required to admit to any liability, and the settlement does not constitute an admission of wrongdoing.
It was the largest penalty ever placed on a company for violating an FTC order, yet the fine is a drop in the bucket compared to Google's second-quarter revenue of US$12.21 billion.
"The Commission has allowed Google to buy its way out of trouble for an amount that probably is less than the company spends on lunches for its employees and with no admission it did anything wrong," said John Simpson, privacy project director for the nonprofit Consumer Watchdog.
The group said unless Google admitted to violating the FTC order, it planned to try to block the settlement, which needs court approval.
Still, revelations of the privacy misstep embarrassed Google. David Vladeck, director of the FTC's Bureau of Consumer Protection, acknowledged the penalty may seem small, but said it sends a clear message to protect privacy in the future.
"We have Google under order for another 19 years ... and if there's further violations, one could anticipate that the Commission would insist on increasingly higher civil penalties," Vladeck said on a call with reporters.
Google also must disable the tracking cookies that ended up on Safari users' computers and devices after visiting websites in Google's DoubleClick advertising network, despite assurances they would not be tracked due to Safari's default settings.
Google is also the subject of a wide-ranging antitrust investigation by the FTC and European regulators over accusations it manipulated search results to favour its own products.
PRIVACY SNAFUS 'INADVERTENT'
Launched in February 2010 to compete with Twitter, Buzz initially used its Gmail customers' email contact lists to create social networks of Buzz contacts the rest of the world could see, which led to an uproar. Google quickly changed the settings so that contacts were kept private by default. It settled with the FTC on Buzz in March 2011.
Google has said the tracking of Safari users was inadvertent and that it collected no personal information such as names, addresses or credit card data. But the tracking was done despite assurances Safari could be set to protect user privacy.
The company said the investigation was prompted by a 2009 help centre Web page that predated a change in Apple's cookie-handling policy.
"We have now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple's browsers," a Google spokesperson said on Thursday.
The Safari issue was not Google's first brush with potential privacy violations.
The FTC has closed its investigation into the issue, which was also probed by the governments of Britain, France, Singapore and Switzerland, among others.
Vladeck said Google's repeated defense that privacy blunders were inadvertent was troubling to the agency and raised red flags for regulators.
"A company like Google that is the steward of personal information from hundreds of millions of people has to do better," he said.