Google is working with other companies to push consumer privacy legislation in Congress and will work with the U.S. Federal Trade Commission to fine-tune online advertising principles the agency proposed in December, the company’s top privacy executives said Wednesday.
In addition, Google is reaching out to privacy advocates in an effort to allay concerns about its acquisition of online advertising vendor DoubleClick, company officials said.
Privacy is of such concern for Google that it embeds privacy lawyers with product teams, Nicole Wong, Google’s deputy general counsel, told reporters in Washington, D.C. Google, in its own products and in policy discussions, has focused on three privacy principles: transparency of privacy policies, security of data and user choice, and control over how data is used, she said.
“People don’t like binary choices about how to use data,” Wong said. “They want to be [online] on their own terms.”
This week, Google hosted a meeting of the Consumer Privacy Legislative Forum, a group of companies focused on getting a consumer privacy bill passed in the U.S. Congress. The group, formed in 2006, doesn’t expect legislation to pass this year, but is working toward consensus on privacy issues, said Jane Horvath, Google’s senior privacy counsel. The group plans to run its ideas past privacy groups and the FTC before pushing for legislation, she said.
In addition, Google plans to file formal comments about the FTC’s proposed privacy principles for online behavior advertising, added Peter Fleischer, Google’s global privacy counsel. Among the FTC proposals: Web sites should provide clear and prominent statements that data is being collected to provide targeted ads, and companies should obtain consumer consent before using data in a different way from what the companies promised when they collected the data.
Google supports the FTC’s work on the privacy principles, Fleischer said, but it will raise some questions when it files its comments. For example, the FTC has asked for comments on what constitutes “sensitive data” and whether it should prohibit the use of sensitive data.
For example, an anonymous search on Google for health care providers that treat AIDS may be sensitive, but it’s not personally identifiable, he said. In most cases, IP (Internet Protocol) addresses are not personally identifiable—Web sites cannot connect IP addresses to individuals in most cases, he said.
The debate over what constitutes personally identifiable information is the “hardest question” in privacy, Fleischer said. “There’s a grey area in between [the obvious cases], and that’s what we’re struggling with right now,” he said.
Asked about the controversy over whether Google’s DoubleClick acquisition threatens people’s privacy, Fleischer said one issue was lost in the debate: DoubleClick doesn’t collect personally identifiable information when it serves ads. Instead, DoubleClick does collect IP addresses that give general location of the computer users and other information such as the language of the users, he said. “DoubleClick does its ad targeting anonymously,” Fleischer said.
Privacy groups, including the Electronic Information Privacy Center and the Center for Digital Democracy (CDD), unsuccessfully pushed the FTC to reject the Google purchase of DoubleClick, saying the combined company would hold massive amounts of personal data.
Jeff Chester, CDD’s executive director, was among the privacy advocates who met with Google executives this week. He praised Google for having “thoughtful” employees willing to discuss the issues, but said Google still doesn’t seem to understand the privacy concerns that are part of the DoubleClick deal.
“It’s clear that several of the Google privacy staff don’t fully comprehend the privacy implications of DoubleClick,” he said.