History of Google and CCPA’s Data Privacy Rules | Spirion

Did Google Look for Loopholes to Minimize CCPA’s Data Privacy Rules?

Part 3 in a 3-part series on data privacy vs. big tech battleground.

“Don’t be evil.” In its early days, this was Google’s stated motto, then later a line in its Code of Conduct. But does the directive still hold true today? That depends on your opinion of Google’s alleged recent actions around two new compliance rules: the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Google has waged several battles with GDPR, both before and after it was launched to help protect European Union citizens’ personal data. One fight resulted in a GDPR court case that the tech giant won.

A similar fight appears to have occurred before CCPA became law on January 1, 2020, although it’s not clear what the outcome is yet.

Under the CCPA, Californians gain stronger rights than most companies are likely to grant on their own. For instance, California consumers can order companies to not sell their data to other companies, whether for money or not. Consumers can also order any company that has collected their data, and anyone the company has shared that data with, to delete it from their records.

How Does CCPA Define Personal Data?

The CCPA defines personal data broadly as anything that “is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples include:

  • name
  • postal address
  • IP address
  • email address
  • social security number
  • driver’s license number
  • browsing history
  • search history
  • geolocation data

The law also addresses emerging technologies by including biometric data, such as DNA or images of the eyes, fingerprints, hands, and faces.

Google Sought to “Water Down” CCPA

Although Google’s actions related to CCPA went somewhat under the radar, some media outlets reported on the search and advertising company’s behind-the-scenes actions. Bloomberg reported in September 2019 that Google lobbyists tried to amend CCPA by introducing new language to the California state legislature.

The lobbyists’ proposal would allow Google to use data collected from website visitors for its own analysis as well as to “share” with other companies. This was in violation of the CCPA’s prohibition on the sale of user data. Google’s lobbyists also wanted to redefine “business purpose” more loosely for selling user data.

Also in September, The Washington Post reported on an ongoing fight to weaken the CCPA. Their reporting mentioned “mysterious ads on Facebook and Twitter” that warned local residents about a government plot to destroy internet freedom. “The free websites and apps you use every day could start costing you,” one Twitter ad proclaimed. These legislative and marketing efforts speak to Google’s determination to reform the CCPA to fit its agenda.

Google Touts its Support of CCPA

As this fight was being waged, on its own platform, Google was reporting about its cooperation with CCPA, including notifying users about how it’s working to meet CCPA consumer privacy rules. On December 20, 2019, Google announced on its Identity & Security blog: “The security and privacy of customer data is our highest priority, and we’re committed to supporting your efforts to comply with the CCPA.”

Further, it stated that Google Cloud is committed to supporting CCPA compliance across G Suite and its other products.

In fact, Google rolled out a new privacy tool that web advertisers and publishers can use to curb behavioral targeting on Google’s ad services. The “restricted data processing” tool is aimed at helping web companies comply with the CCPA. Each Google product is listed as either already operating using restricted data processing or as a product that requires additional action to enable the tool.

How Google Really Feels about CCPA

From the outside, Google’s actions look like cooperation with the new CCPA. It remains to be seen whether a watered-down “CCPA 2.0” bill eventually emerges that meets Google’s and other tech companies’ preferred, more moderate data privacy rules, one that ensures they can maximize their profits using individuals’ private data.

When you are entrusted with vast stores of citizens’ personal sensitive data, “not being evil” is the right thing to do. But does playing fast and loose with people’s sensitive data enter the realm of evil?

CCPA Compliance for Your Business

The first step toward ensuring you comply with data privacy laws like CCPA is ensuring proper data lifecycle management. From data discovery to classification, control to compliance, Spirion’s platform can help guide you through every step toward better data protection.