Google attacked over privacy policy visibility

Updated at 10:33 a.m. PDT with comments from privacy groups during a press call. Updated again at 12:08 p.m. PDT with Google's response and comment from an Internet lawyer.

Google is facing the wrath of privacy advocates once again over concerns that it's not posting its privacy policy "conspicuously" enough to comply with California law.

On Tuesday, a coalition of groups that have questioned Google's practices in the past sent a four-paragraph letter to CEO Eric Schmidt, charging that "Google's reluctance to post a link to its privacy policy on its home page is alarming."

The signatories include the Electronic Privacy Information Center, Electronic Frontier Foundation, the American Civil Liberties Union of Northern California, Privacy Rights Clearinghouse, Center for Digital Democracy, and World Privacy Forum.

What's not precisely clear is whether Google is actually doing anything unlawful. Google, for its part, disagrees with such assertions.

When asked for its response to Tuesday's letter, Google provided News.com with the following statement:

"We share the view that privacy information should be easy to find, and we believe our privacy policy is readily accessible to our users. Just as importantly, privacy information should be easy to understand. That's why, in addition to offering a Privacy Center with our privacy policy and other important information, we also created a YouTube privacy channel with videos explaining our practices and products, ran an ad campaign to draw consumers to our privacy information, posted several blogs that explain our privacy practices in detail and posted detailed frequently asked questions to help consumers understand the complex aspects of privacy. Privacy policies can be complex and not consumer friendly. To truly help consumers understand privacy, our goal is to provide accessible and useful information."

The issue started bubbling up last week, when New York Times reporter Saul Hansell posted a blog entry raising questions about Google's compliance with the California Online Privacy Protection Act of 2003. By contrast, he noted, Google's major competitors--Microsoft, Yahoo, and AOL--all provide links to their privacy policies on their home pages.

The California law in question requires commercial Web sites that collect personal information about their users to "conspicuously post its privacy policy on its Web site." It defines the action "conspicuously post" as, among other things, placing a text link to the privacy policy either "on the home page or first significant page after entering the Web site." The link itself is supposed to include the word "privacy" or appear in a larger font than the rest of the page's text.

At the moment, getting to Google's privacy policy requires clicking on "About Google" on its home page, which brings up a page that includes a link to its privacy policy at the bottom.

A Google spokesman told the New York Times last week that it's compliant with California law since the link to its privacy policy is one click away from the home page.

The chief of California's Office of Privacy Protection, Joanne McNabb, told the New York Times that her office plans to "recommend" that Google link to its privacy policy on its home page. She was quoted as saying, "Why not? It's only seven letters."

But McNabb also said her office isn't tasked with interpreting the law and can't do anything more than make recommendations.

For the privacy groups who sent the letter on Tuesday, the answer is clear.

"The straightforward reading of that law is that Google must place the word 'privacy' on the Google.com Web page linked to its privacy policy," they wrote. "Moreover, just about every major company that operates a Web site places a link to its privacy policy on its home page."

Despite criticism from privacy groups, Google has undertaken efforts designed to make its privacy practices more digestible to its users in recent months, including launching a channel on its YouTube subsidiary filled with videos aimed at explaining what sort of user data its products use and store.

In a conference call with reporters Tuesday, representatives from the privacy groups said they had not attempted to reach a resolution privately with Google before publicizing their letter, which they acknowledged was prompted by the New York Times pieces. Electronic Privacy Information Center director Marc Rotenberg suggested such a move wouldn't have accomplished anything different than would a public letter.

So why not go the next step and file a lawsuit challenging Google's privacy policy practices as a violation of California law? Rotenberg said the groups opted to send a letter instead in hopes that their gripes can be "quickly resolved" through subsequent discussions with Google.

"If Google decides it doesn't have to comply with the California law," Rotenberg said in response to a question from CNET News.com. "It does raise some very troubling questions, and we'd have to decide what to do next."

Eric Goldman, director of the High Tech Law Institute at Santa Clara University School of Law, said it's not clear whether Google is in violation of the California law referenced by the privacy advocates. "I think bright minds would disagree about whether Google is in compliance with its current implementation," he said.