BEST OF ECT NEWS

Google’s Privacy Policy Pitfalls

This story was originally published on March 14, 2012, and is brought to you today as part of our Best of ECT News series.

Even before Google launched its new privacy policy earlier this month, consolidating separate privacy policies for more than 60 applications, legal issues had surfaced.

Now, attorneys general from more than 31 States have accused Google of violating privacy laws because of complaints from users that they were finding ads are popping up on YouTube just after they did a search on Google Maps about the same subject.

EU regulators told Google prior to the launch that the new privacy policy compromises the privacy of EU citizens and violates EU laws.

How Important Is It?

The overwhelming majority of people in the U.S. and EU use Google every day, so the scope of Google’s potential privacy issues is huge. The Pew Research Center reported in August 2011 that 92 percent of all adults in the U.S. use a search engine and email every day. Couple that statistic with comScorce’s estimate that Google controls 66.2 percent of the U.S. search engine market and 80 percent of the EU search engine market, and it’s clear Google accumulates great volumes of personal search data.

Since Google saves users’ searches for 18 months in the U.S. and 12 months in the EU, many government officials are leery of the way Google exploits users’ privacy and uses that information to generate more ad revenue. And that’s just the search engine side.

There are many other Google applications affected by the new policy, including YouTube, Maps, Mobile, Latitude, Google Voice, Google Docs and many others Google’s new privacy policy is relevant to every user, because it allows Google to aggregate information across applications.

So, if you are using Gmail, Google will be able to use information it learns through your emails when you do a search on Google’s search engine. For example, if you are logged in to Gmail and also entering data on Google’s word processing app, you may get advice about the correct spelling of one of your contacts from Gmail or Google+.

What Personal Information Is It Using?

Google’s new privacy policy applies to all Google services except for Chrome (browser), Books and Wallet (mobile payment processor) , each of which will still be governed by a separate privacy policy. Under the new consolidated privacy policy, Google tracks all activity on Google services of users who are logged in, which provides the data it can share, as mentioned above.

Google includes in its privacy policy a description of Key Terms that includes details about what Google may use to track users, including cookies and IP address. Among other things it can use:

  • Anonymous identifier – An anonymous identifier is a random string of characters that used for the same purposes as a cookie on platforms, including certain mobile devices, where cookie technology is not available.
  • Server logs – As with most websites, Google’s servers automatically record the page requests made when you visit its sites. These “server logs” typically include your Web request, Internet Protocol address, browser type, browser language, the date and time of your request, and one or more cookies that may uniquely identify your browser.

Google suggests its new privacy policy helps users by simplifying the user experience, but if you read it (few people do), you will notice that there are eight or so embedded links that lead to more contractual terms and definitions included in the privacy policy. As a result, you have to read all of the ancillary links, not just the privacy policy alone. So, while it is “simplified,” it could be misleading as well.

What Does Google Say?

In January, Google announced consolidation of its privacy policies in itsofficial blog:

“So we’re rolling out a new main privacy policy that covers the majority of our products and explains what information we collect, and how we use it, in a much more readable way. While we’ve had to keep a handful of separate privacy notices for legal and other reasons, we’re consolidating more than 60 into our main Privacy Policy.”

Google went on to say that the new privacy policy will allow a better user experience:

“Our new Privacy Policy makes clear that, if you’re signed in, we may combine information you’ve provided from one service with information from other services. In short, we’ll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience.”

As for selling or sharing personal information:

“We don’t sell your personal information, nor do we share it externally without your permission except in very limited circumstances like a valid court order.

Google also gives users choices about how the information is used. Of course, users need to read the privacy policy and click on the applicable link to set their preferences.

Comments and Critiques

The Electronic Privacy Information Center (EPIC) filed a Motion to enjoin Google from implementing new ToS [Terms of Service] and Privacy Policies early this month. In February, EPIC filed a Motion for Temporary relief against the Federal Trade Commission (FTC) to enforce Google’s March 2011 Agreement Containing Consent Order, which included the FTC’s oversight on Google’s privacy policies for 20 years. EPIC’s Motion came on the heels of the EU’s request that Google slow down the implementation of the new ToS and privacy policies.

EPIC’s Motion claims that Google’s new ToS and privacy policies violate the FTC Consent Order and includes the following claims: Users will no longer be able to keep personal information they provide to use the Google email service for simply that service; Google will be able to combine the user information provided for email with other Google services, including the Google social network service.

However, a federal court in Washington, D.C., ruled that it did not have the authority to force the FTC to enjoin Google from implementing its new privacy policy and ToS.

EU Claims

Although Google claims its new privacy policy helps simplify its privacy rules, the EU claims otherwise, maintaining specifically that the new privacy policy “makes it impossible to understand which purposes, personal data, recipients or access rights are relevant to the use of a specific service.”

The EU gave the lead role to investigate Google’s new privacy policy to the French Commission nationale de l’informatique et des libertes (CNIL). CNIL states that it “is responsible for ensuring that information technology remains at the service of citizens, and does not jeopardize human identity or breach human rights, privacy or individual or public liberties.”

In February, CNIL sent a letter to Google CEO Larry Page (as a follow-up to an earlier letter) complaining that Google failed to properly consult EU authorities about the new Google privacy policies and that the

“…preliminary analysis shows that Google’s new policy does not meet the requirements of the European Directive of Data Protection (95/46/CE), especially regarding information provided to data subjects.”

The CNIL highlighted the significance of Google’s penetration in the EU with the following statistics about Google’s usage. Google accounts for

  • more than 80 percent of the European search engine market;
  • around 30 percent of the European smartphone market;
  • 40 percent of the global online video market; and
  • more than 40 percent of the global online advertisement market.

Google disagrees with EPIC and the EU, but has offered to respond to inquiries from regulators.

Summing Up

Given the market power that generated more than US$38 billion in revenue and $9.7 billion of net income from advertising in 2011, these new privacy policies are surely created to help increase revenue.

There will likely be many challenges in the weeks to come from around the world, and perhaps in courts in the U.S. and EU.

Peter S. Vogel

E-Commerce Times columnist Peter S. Vogel is a trial partner atGardere Wynne Sewell, where he is chair of the eDiscovery Team and Chair of the Technology Industry Team. Before practicing law, he was a systems programmer on mainframes, received a masters in computer science, and taught graduate courses in information systems and operations research. His blog coverscontemporary technology topics.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories

E-Commerce Times Channels