On Monday, at the start of Data Privacy Week, attorneys general from Washington, D.C., Indiana, Texas, and the state of Washington filed a lawsuit against Google that alleges deceptive tracking of users’ location history. It stems from claims about how data settings actually function in relation to user privacy, the public’s awareness of such data collection, and the way that data is allegedly applied in apps and recommendations. Google issued statements that it plans to defend itself, asserting such claims are inaccurate.
It is far from the first data privacy litigation to go to court, might not be the last, and bears watching. Other companies that gather and use data as part of their business models--for example, to frame recommendations to users--continue their dance with regulators and end users who increasingly question where control and ownership of such data should reside.
Ambiguity is the Enemy
A top concern emerging from such discussions is a desire for greater transparency, says Jeremy Barnett, chief commercial officer of web privacy management solution provider Lokker. “I think the attorneys general want to point out there’s a lack of trust because there’s a lack of transparency,” says Barnett.
There is also a lack of clear vocabulary around data capture and usage, Barnett says. Regulators and lawmakers who evaluate privacy seem focused on the language, he says, because the terminology used may be confusing to the layperson.
“How those policies are written and what that language means has to become a lot more clear and companies have to step forward and own that,” he says. Companies have a responsibility, Barnett says, to communicate with more clarity to the customer regarding what information will be collected, how long it will be collected for, what the information will be used for, and what options customers have to opt-in or opt-out. “That is a fundamental issue with all of these lawsuits.”
The layers of development in the internet, mobile devices, and apps can make it difficult to see how many faces are behind the curtain. “There’s a lot of people that the end consumer is doing business with that they don’t really understand,” Barnett says.
Litany of Litigation
Legal challenges on how data is handled often come from varied state entities, which can lead to multiple lawsuits over the same issues. That has raised a call among some stakeholders for precedence and law to be established at the national level to clear up the confusing landscape. “We’ve seen three states in the last few years have comprehensive privacy legislation and others have passed more targeted legislation,” says Daniel Castro, vice president for the Information Technology and Innovation Foundation (ITIF). “Others have proposed and are considering moving forward with similar efforts.”
ITIF is a think tank on public policy on science and technology; its backers include such entities as the National Philanthropic Trust, Energy Innovation Fund, as well as companies from the private sector such as IBM, Google, Microsoft, and Oracle.
Castro says given the way prior tech legislation has passed at the state level, more states might take this route and create a patchwork of laws that companies must navigate unless Congress passes federal law that preempts states. That can expose businesses that operate across stateliness to a multitude of laws, he says.
“When you look at the Google lawsuit that was filed this week,” Castro says, “what it comes down to is questions about how Google was communicating to its users about control of their privacy settings.” In various privacy laws, legislators express a desire for such communication to be conducted in specific ways, he says. The patchwork approach of different policies in different states can find companies subject to lawsuits if they deviate from those rules.
“That’s obviously risky for companies,” Castro says. “It’s going to make them think twice about how they’re operating in this environment. I think it’s questionable how effective that is for actually raising consumer privacy versus increasing regulatory complexity on companies.” He sees a way forward through the establishment of clear rules for companies and rights for customers at the federal level.
The contentions in the lawsuit brought against Google speak to the ongoing conversation about commercial gains and data ownership. “These types of lawsuits show that using data is a high-risk proposition for firms,” Castro says. The issues raised in the Google lawsuit are different from instances of intent to deceive users, he says. In Google’s case, Castro says the activity happened out in the open. “This isn’t something like Cambridge Analytica, where they’re collecting massive amounts of data that nobody knew about.”
Some policymakers and regulators continue to be at odds with companies in terms what they expect to be happening, Castro says. This can include an expectation from legislators that companies ensure all consumers must first opt-in to share data and that there is a choice to not share data but still gain access to services. “Those types of requirements are pretty far apart from where most companies are,” he says.
While many companies are willing to work with legislators on how they gain consent from users or how users express their preferences, Castro says those companies likely do not want to say users can opt out of sharing data and still get access to their services if that is their business model. “That’s where there’s definitely tension,” he says.