First appeared in InformationWeek
Google has consolidated its privacy policies, as it said it
would, despite the concerns of regulators in the U.S., Europe, and Asia.
Alma Whitten, Google director of privacy, product and
engineering, said in a blog post that the consolidation effort makes it easier
to understand the company's privacy policy, enables a better experience for
signed-in Google users, and leaves existing privacy controls intact.
Although EU Justice Commissioner Viviane Reding told the BBC
that Google's privacy policy consolidation violates data protection laws,
Google maintains that its changes are legally compliant.
"We are confident that our new simple, clear and
transparent privacy policy respects all European data protection laws and
principles," a company spokesperson said in an email. "It provides
all the information required in Articles 10 & 11 of the directive, plus
much additional information, and it follows the guidelines published by the
Article 29 Working Party in 2004."
NYU Stern School of Business professor Arun Sundararajan
says Google is moving in the right direction, but hasn't yet done enough to
protect consumers.
"On the one hand, I do give Google credit for providing
a greater level of transparency about what information they have about their
consumers," Sundararajan said in a phone interview. "What Google
isn't doing enough of is telling us what they're going to do with this information.
That's a little troubling to me. The policy doesn't say enough about what
limits Google will place on this information for advertising purposes. And
beyond one small assurance they've given us [about not sharing personal
information], we don't know how much they're going to share with marketing
partners."
Sundararajan says he doesn't see Google's privacy policy
consolidation as altering the privacy risks consumers face. "I see it as a
move where Google is reducing its own risk. But I'd like to see them be more
forthright in spelling out what they will and won't do with customer
data."
Sundararajan suggests that Google's distinction between
"personally identifiable information" and "non-personally
identifiable information" is outdated, given the extent to which non-personally
identifiable data can be correlated to identify someone.
"Re-identifying people based on their [anonymized]
activity data is not hard and it's getting increasingly easier," he said.
Sundararajan proposes that companies and regulators adopt an
"intent-based" approach to privacy as an alternative to burdensome
rules that attempt to define permissible privacy practices.
As he sees it, companies should consider the intention of
the customer who provided the data as a guideline for how the customer's data
can be used. If a customer signs up for an online service with an email
address, for example, the company should be able to use that address to contact
the customer about the service but not to identify the customer for an activity
profile or some other purpose.
"If companies start to align the way they use their
data with the intent the customer had when providing the information, this will
go a long way toward mitigating the privacy risk," he said. "There
are good-intentioned firms out there that just don't have good guidelines about
how to responsibly manage consumer data."