Timeline: Facebook and Google Under Regulators’ Glare

Over the years, regulators on both sides of the Atlantic have cracked down on Facebook and Google for privacy violations. But as the European Union prepares to introduce comprehensive new data protection regulation in May, European regulators have been stepping up investigations into tech industry data practices.

— MARCH 2011: The Federal Trade Commission for the first time requires a company to institute a comprehensive program to protect consumer data privacy

Google reaches a settlement with the FTC, which charged the company with using deceptive tactics and violating its own privacy promises to consumers. Google had enrolled Gmail users in its social network, Buzz, without effective ways for them to opt out of the service or limit the sharing of their personal details, the agency said.

— NOVEMBER 2011: The FTC goes after Facebook for exposing users’ information

Facebook agrees to settle charges by the FTC that it deceived users by telling them that they could keep their profile information private and then repeatedly allowing it to be shared and made public.

— AUGUST 2012: The FTC fines Google $22.5 million for Safari privacy violations

Google agrees to pay $22.5 million to settle FTC charges that the company misled people who used Apple’s Safari browser by placing advertiser tracking codes, called cookies, on their computers after Google told them that they would be opted out of such tracking. Google also violated a previous settlement that prohibited it from misleading consumers over how they could control collection of their data, the agency said.

— SEPTEMBER 2012: Facebook turns off facial recognition in Europe after complaints that the company failed to ensure user consent

After an audit by Ireland’s data protection commissioner, regulators report that Facebook turned off its photo-tagging facial recognition feature for new users in the European Union and will delete facial template data it had already collected from users there. The commissioner’s office said Facebook had not sufficiently notified users or obtained their explicit consent to use the feature.

— MAY 2017: The European Commission fines Facebook $122 million, saying the social network misled regulators about WhatsApp

The European Commission fines Facebook $122 million for misleading regulators during their investigation of the company’s acquisition of the WhatsApp messaging service. The commission, the executive arm of the European Union, says Facebook told regulators that it would be unable to automatically match an individual user’s Facebook account with his or her WhatsApp account. But WhatsApp later announced that it would begin sharing user data with Facebook.

In December, the French Data Protection Authority orders WhatsApp to stop sharing data with Facebook or face penalties. And in March, a German court bars Facebook from using data from German users of WhatsApp for Facebook’s own purposes, upholding the ruling of a lower court.

— DECEMBER 2017: German antitrust regulators censure Facebook’s data practices

In a preliminary finding, Germany’s Cartel Office reports that Facebook has abused its dominant position in the country by requiring users to allow it to endlessly amass data by tracking them through other online services. In February, the regulator says it planned to investigate whether the ability of large platforms like Facebook and Google to set up closed advertising systems and have access to user data was limiting market competition.

— FEBRUARY 2018: A Belgian court tells Facebook to stop tracking users around the web

A court in Belgium rules that Facebook must stop tracking users on third-party sites and delete the data it had already collected. The court says Facebook hadn’t sufficiently informed users about the data it gathered on their use of sites outside the social network or how it used that data.

— MAY 2018: A sweeping data privacy law is set to take effect in Europe, reshaping data collection practices

The European Union will put into effect a comprehensive privacy law, called the General Data Protection Regulation, that requires companies to obtain consent from users before processing their data and allows authorities to fine companies up to 4 percent of their annual revenue if they fail to comply.