Slamming Google's violation of European privacy laws, the Article 29 Data Protection Working Party of European data protection agencies issued its much anticipated report on Google's integration of user data across the company's services. Signed by all 27 heads of European data agencies, the letter and the accompanying appendix laid out the ways Google had failed to acquire legal consent from its users for such a major change in its privacy policies and the ways this endangers privacy for users.
The investigation was launched earlier this year when Google announced that it was now combining all its services into a single account for each user, where data collected on users' YouTube viewing habits would now be combined with data on topics contained in their Gmail messages and their search inquiries. No consent was sought from users for this change and the European privacy authorities began their inquiry to determine what exactly was being done with user data and the ways it violated European privacy law.
Making User Consent Real: In the new report, the data agencies lay out a range of guidelines for Google to come into compliance with European law, including clearer modes of consent and differentiating consent for different kinds of data integration.
Everyone recognizes that consent is a bit of a joke online, with users almost automatically clicking on the "I agree" bubbles that pop up. Considering that Google is a master of interactive engagement with users online, the Working Party report noted that the company's use of "long and linear documents" explaining its privacy policies is not a reasonable approach to obtaining consent when it could instead use an "interactive presentation that allow users to explore the content of the privacy notices." Basically, users should have user-friendly interfaces to choose which data to share, which services to combine, and which data to keep private or separate.
The Tentacles of the Google Data Collection Octopus: One key point, as the report indicates, is that most users are oblivious to the multiple ways that Google collects data on them and have no idea of -- and no simple mechanism for -- controlling that data collection. For example, they point out these five different data collection mechanisms used by Google:
- Tracking user behavior once they are logged into their Google account (the one users are most familiar with);
- Cookies inserted onto user computers -- the so-called PREF cookie -- that track each user interaction with a google.com website and with third-party websites that carry +1 buttons, for example;
- DoubleClick display advertising tracking cookies inserted on user computers from third-party websites that display DoubleClick advertisements;
- Google Analytics cookies used by third-party websites to track use of their sites;
- Mobile identifiers used to replace cookies on some mobile applications.
As the Working Party argues, "there is no valid consent from the user, in particular because the user is not aware of the exact extent of the combination of data." As importantly, any consent mechanisms should actively inform users of how the data will be used so that any agreement is based on actual knowledge of why sharing the data matters.
There is some ambiguity in the report on how and whether Google is combining these different sources of data into a single profile of users, but they emphasize the problem that Google stores this data for up to two years tied to individual profiles. So users may think they have deleted data on themselves by eliminating a cookie or logging out of a Google site, but if they return to a site that inserts cookies, they may have their whole profile revived based on those unique identifiers.
Missing Exploration of Consumer Harm from Data Collection: Still, while the agencies' action is a good start, a weakness in the report is a failure to lay out exactly how such violations of user privacy harm consumers. As I've detailed in pieces such as the "Cost of Lost Privacy," regulatory authorities need to treat the economic harms to consumers from behavioral targeting more seriously so they can identify which data should be off the table for sharing with advertisers (intimate medical data, etc.) and which are relatively neutral aspects of consumer preference (preference for blue over red clothing). This actually would help shape exactly what kinds of choices should be presented most prominently to users for controlling -- and deleting -- data from advertisers' clutches.
As well, while the Working Party made a passing reference to Google's complete dominance of the search advertising field, they didn't explore how stronger privacy controls also serve to reduce Google's economic power. Since Google gains its heft and irreplaceability with advertisers through its control of user data, anything that increases user power to withhold that data will inevitably reduce that monopoly power as well.
Still, these are small concerns with a report and joint recommendations by the data protection agency heads of 27 European Union countries that call for significant new privacy protections for online users of Google (and by implication other sites) -- recommendations that should also influence the debate in the United States and around the world on better protecting user privacy and restricting the harms from behavioral targeting by advertisers.