With implementation of the EU ePrivacy Directive amendments this year and a draft EU Regulation slated to replace the Data Protection Directive, the global environment for online privacy will only become more demanding. The trend is toward more informative and granular privacy policies, with more conspicuous privacy options for Internet and mobile users. Service providers should take this trend into account in planning and updating their online privacy practices, if they want to reach a global audience without running head on into global compliance problems.
Privacy advocates in the United States and the United Kingdom have called for government investigations of the planned cross-matching of online behavioral data, and the chairman of the US Federal Trade Commission expressed concern over what he termed the "binary," "somewhat brutal choice" offered by Google to accept or decline all such profiling.
Yesterday, the president of CNIL, the French data protection authority, issued an open letter to Google's CEO announcing a further investigation and the initial conclusion that the new privacy practices would not conform to European data privacy laws:
. . . our preliminary analysis shows that Google's new policy does not meet the requirements of the European Directive on Data Protection (95/46/CE), especially regarding the information provided to data subjects.
Once again, the technologically possible (and commercially attractive) seems to have outpaced social and legal consensus. Google's treatment of user data is on a scale matched by few, but online enterprises of all sizes will be watching to see how Google fares in the face of official and public reservations.
One conclusion is easy: the watchword for anyone offering products or services online should be "transparency." This concept appears repeatedly in the CNIL letter and also in the White House Consumer Privacy Bill of Rights released last week. Enterprises need to say, perhaps in greater detail than before, what they are doing with user data, and they also need to explain why it is good for consumers. As we move toward more of an opt-in approach to personal data collection and especially behavioral profiling, users will need to be persuaded of its value.