Google's Paltry Privacy Proposal

The Web search company is pushing for standards that likely would do little to keep businesses from harming consumers

Google (GOOG) wants new, international standards for the way consumer information is collected and used. The Web search provider issued the call on its Web site on Sept. 14, arguing that the existing confusion of international privacy law hampers the growth of Internet companies and doesn't really protect consumers.

Google hasn't said much about its ultimate strategy, but what little is known merits closer examination. On one hand, Google's call can be seen as shrewd, forward-thinking business planning. Google has no legal obligation (in the U.S. anyway) to do much of anything to protect user privacy. Yet it has been making efforts. The company voluntarily agreed to purge identifiable information from its databases after 18 months, for example.

Removing Obstacles to DoubleClick Deal

I'm sure shareholders approve of Google's attempt to create international privacy consensus. It's much better for Google executives to participate in the creation of a standard they can live with than have one—or worse, many—imposed on them. Indeed, self-regulation, especially when it's ambiguous, is better for the Internet industry than imposed laws with heavy financial sanctions for violations. From this viewpoint, I commend Google for sensing the imminent danger and trying to protect itself.

But Google's new emphasis on standards must also be viewed in light of its planned takeover of DoubleClick (, 4/14/07), a company that tracks Web surfing behavior to help marketers measure the effectiveness of their ads. The transaction has drawn withering criticism from privacy and antitrust advocates around the world (, 9/28/07).

DoubleClick has not endeared itself to many consumers because of its privacy-unfriendly practices. The idea of such a company being sucked into the maw of the search leviathan raises genuine concerns. Not only might the combined entity own the market for online advertising, but any information gleaned from DoubleClick's tracking tools could also be combined with the rest of Google's information archives. The enlarged company would know and be able to store data on what we search for, where we go with Google maps, what our houses look like in StreetView, and even the content of our e-mail messages. While the deal is ultimately expected to win regulators' approval, the government can still impose conditions, such as limits on what can be done with user information. Given the scrutiny of the planned deal, Google's call for international privacy laws takes on a more self-serving than philanthropic aura.

Proposed Alignment with APEC Standards

And what of the foundation on which Google wants to base the new standards? Google says the standard should be based on the APEC (Asia-Pacific Economic Cooperation) privacy framework, which was proposed in 2004 and adopted by many of its member countries. It stands out among privacy policies for the unusually weak standard it uses for determining whether a company has violated rules. Under the APEC framework, any action taken against an offending company would be calculated after the fact by examining actual, demonstrable damage to people. Google Global Privacy Counsel Peter Fleischer extols the virtues of this approach, saying it focuses "on privacy harms, not abstractions."

The Google/APEC approach shifts the burden of proof onto the victim, clearing off a virtually obstacle-free privacy playing field in which companies like Google/Double-Click can collect, analyze, and use customer data with little regard for consumer comfort. Tangible harm is a very difficult thing for the victim to prove and is probably only practical for cases of identity theft.

It also excludes many other kinds of privacy violation, such as simple embarrassment. The process of proving financial harm from a privacy violation is expensive, lengthy, and can rack up huge legal bills.

Privacy laws should serve the same purpose as environmental protection regulations; they should act as a deterrent to stop an undesirable outcome. Punishing the guilty after years of expensive legal hassle is hardly the point or purpose—it doesn't stop businesses from hurting customers in the first place. It's like making it legal for someone to shoot a gun into a crowd, and charging them only if they hit someone.

This kind of privacy framework will not serve the desired purpose of protecting consumers against privacy violations. It serves primarily to protect the company's bottom line by reducing the costs of future litigation and international legal defense fees.

A widespread rush to adopt an APEC-like standard could have a devastating aftereffect—international acceptance of such a diluted policy would make it difficult to pass tougher laws at local or national levels.

Google Should Set the Highest Standard

No business sector would allow this kind of regulation to be applied to them, making it difficult to assert their rights. Would the Recording Industry Association of America accept the restriction of only being able to sue a pirate if he'd been caught red-handed selling stolen music, instead of their current practice of shotgunning legal action against anyone leaving a mere digital trail of a download? When it comes to the music industry's penchant for protecting trademarks and copyrights, the mere hint of an abstraction seems to be plenty.

We consumers deserve better than this. Companies like Google should go the extra mile and voluntarily protect our information better than the toughest international law, not try to keep pace with the weakest. The more Google seeks to become the center of our online informational interactions, the more it should raise the bar on its own ethical behavior. Although its attempt at formulating some kind of global privacy standard is appreciated, it is not too late—but it is far too little.

Before it's here, it's on the Bloomberg Terminal.