2-23-2012By Meg Roggensack
Senior Advisor, Business and Human Rights
Today the White House will host a privacy summit to launch a series of initiatives aimed at protecting consumers using the internet. According to Politico, the White House will ask Congress to adopt a consumerprivacy online bill of rights, and will ask companies to do more to addressconsumer privacy concerns.
The White House has it almost right. Consumers are at risk, and companies have not done nearly enough to explain that danger, let alone mitigate the risk. The FTC is working to address the most salient abuses, but that still leaves a considerable gap which companies need to fill. The first step is making sure users fully understand – before providing personal information – what the real risks are.
Google recently submitted its initial privacy compliance report to the FTC, and there are some brightspots in it. There are noteworthy policies and internal compliance safeguards designed to rigorously review third party services providers, and to train board officers in privacy standards. But despite these advances, user privacy is still not sufficiently protected.
The Wall Street Journal recently reported that Google has been tracking Safari users, apparently without their knowledge or consent, which raises troubling new questions about what Google is prepared to do to obtain personal data.
Where does this leave Google’s users? Why hasn’t the company provided users with specifics about what user data is collected, and what Google does with it?
Without advanced degrees, most of us have no real understanding of what information is being collected and how it is used, leaving users at the mercy of company insiders and their preferred practices. For users in Bahrain, Syria, Russia, China and the world’s other undemocratic regimes, the lack of transparency about data collection can mean life or death, a lengthy prison sentence, a brutal interrogation, and the elimination of entire networks of activists fighting for change.
Members of the Congressional Bi-Partisan Privacy Caucus have called on the FTC to investigate the Safari breach, but it’s unclear what steps the FTC is prepared to take. One prominent blogger has called for new legislation giving users a private right of action to sue when software designs put privacy at risk.
What steps should Google take to clearly and prominently disclose both the purpose and process of sharing of user information?
We recommend that Google spell out, with examples written for the average user to understand, how its new policy will operate, what it means in practice, and how it differs from prior policies and practices.
Google publishes a set of Frequently Asked Questions (FAQs) regarding its privacy policies that fails to provide that needed clarity. Google’s privacy FAQs should address the following questions: How is it obtaining “express affirmative consent” from users? Does an opt-out policy satisfy this standard? What does such a policy mean in practice? Does it leave a user off the internet?
As Google indicates, it is working to create a beautifully simple, intuitive user experience. But at what price? At a loss of fundamental privacy? Google needs to do more to make the cost to users clear up front, before any information is collected or any new policy is implemented. Then, and only then, will users be able to make informed choices about the personal data that is collected about them.