On May 15, 2013, the consumer group, Consumer Watchdog, sent a letter to Attorney General Kamala Harris accusing Google of violating California’s Online Privacy Protection Act (“OPPA”). According to the group, the Google privacy policy is in violation of OPPA because Google does not directly link to it on its homepage.
The OPPA, codified at Business and Professions Code § 22575-22579, became effective on July 1, 2004. It applies to commercial websites that collect “personally identifiable information,” which includes users’ names, physical addresses, email addresses, telephone numbers, social security numbers, or any other relevant information that can be used to identify users. OPPA requires such websites to “conspicuously post” their privacy policies.
Under Section 22577(b) “conspicuously post,” requires the site to provide a link to the policy “on the homepage or the first significant page after entering the Web site.” The link must contain the word “privacy” and must be displayed in a manner that would be obvious to the “reasonable person.”
In 2004, law firm Cooley Godward Kronish said the bill required the policy to appear either on the homepage itself, or on a page linked to directly from the home page. That same year, the California Office of Privacy Protection (“COPP”) issued a best practices guide, recommending that companies “use a conspicuous link on your home page containing the word ‘privacy,’” in “larger type than the surrounding text, contrasting color, or symbols that call attention to it.”
Until recently, Google had a link on its homepage directing users to a page displaying the company’s privacy policy. Now, users are taken to a page that describes how Google helps them “stay safe and secure online,” ensuring users that Google “work[s] continuously to ensure strong security, protect your privacy, and make Google even more useful and efficient for you.”
According to Consumer Watchdog, this misrepresents the motivation for Google’s data collection, which enables the company to generate higher revenues from advertising sales. The group accuses Google of “burying its privacy policy and offering distractions to users.”
This is not the first time Google has faced scrutiny regarding its privacy policy. On May 30, 2008, New York Times journalist Saul Hansell posted a blog entry titled, “Is Google Violating a California Privacy Law,” suggesting that the company had violated OPPA by doing essentially the same thing. At the time, users accessed the policy by clicking a link called “About Google,” after which they had to click a second link to access the actual policy.
On June 3, 2008, a coalition of privacy groups, including the ACLU, the Center for Digital Democracy, and the Electronic Frontier Foundation, sent a letter to Google CEO Eric Schmidt urging the company to comply with the OPPA. On June 10, 2008, Assembly member Joel Anderson sent a letter to Schmidt expressing the same sentiment. Within days, Google added a hyperlink labeled, “Privacy,” linking users directly to the policy.
In 2012, the Department of Justice took over the work of the California Office for Privacy Protection, creating a new Office of Privacy Protection within the State Attorney General’s office. The new lineup includes Joanne McNabb, former chief of the COPP, as the Director of Privacy Education and Policy. The new division resides within the State’s eCrime unit.
According to Special Assistant Attorney General Travis LeBlanc, head of the new division, it will take proactive step in monitoring and regulating compliance with OPPA. The California Constitution guarantees the Right of Privacy in Article 1, Section 1, which says:
“All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”
It remains to be seen what actions privacy groups and the state Attorney General will take.