On October 14th, 2005, Google put up a new privacy policy, replacing one that had been in effect since July 1st, 2004 (available here). This fact alone does not seem particularly newsworthy, but what has been interesting to observe is the extensive coverage on the internet of this change. People have been analyzing the changes, comparing the previous policy to the new one, and generally commenting on Google and privacy.

Google has also put up a new section entitled Google Privacy Policy Highlights, which seems to be an attempt to quickly capture the essence of the privacy policy for those who won’t read the entirety of the document. Given that so few people actually read privacy policies, this may be a benefit for consumers and regular internet users in getting them to read anything at all about what they are agreeing to when they use Google services. However, providing these highlights necessarily risks omitting details that may be important to some individuals.

The implications and legal status of a highlights document is also unclear. Just as in the case of the HIPAA Privacy Rule, a privacy policy highlights page may benefit users by making policies more readily accessible and actually read. However, following the Privacy Rule is necessary but not sufficient for HIPAA compliance; likewise, a company adhering to its highlighted privacy policy elements may still be violating other aspects of their policy. Furthermore, while Google still seems to be squarely on the side of good, more devious or uncaring companies may use a privacy policy highlights document to deceptively portray their privacy practices, knowing few (if any) people will take the time to review the longer, more legally significant full policy.

Google has continued to make previous versions of the privacy policy available for review/download, which is a good business practice but could go further. Granted, Google is doing more than most companies in this respect, but the next step would be to actually highlight the changes between two documents. Very few (if any) sites are providing this sort of privacy policy insight, so curious/concerned individuals are left to use other means for such analysis, such as this HTML diff tool. Using this tool, one can view the changes from the old policy to the new one here, although this only provides a literal diff between the documents and no high-level insight. Another text comparison that emphasizes the changes between documents is here.

Read the rest of this entry »