By Jonathan I. Ezor

No matter the context or jurisdiction, one concept underlies every view of the best practices in data privacy: transparency. The mandate to disclose what personal information is collected, how it is used and with whom and for what purpose it is shared is essential to enable informed consent to the collection, along with the other user rights that constitute privacy best practices. That disclosure may be to governmental agencies as well as the users themselves, but the ultimate goal is that the users will know what information from and about them is being collected and used by the organizations with which they interact.

One recent description of best practices, the Consumer Privacy Bill of Rights issued by the Obama administration, defines transparency this way: “Consumers have a right to easily understandable and accessible information about privacy and security practices.” At times and in places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise individual control, companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers and whether and for what purposes they may share personal data with third parties.

Other lists of privacy ideals and requirements, including the Federal Trade Commission’s Fair Information Practice Principles as well as the European Union’s Data Protection Directive, include and highlight transparency through disclosure to users. Transparency of data collection is also a key part of the best practices long recommended by advocacy groups including the Electronic Privacy Information Center, the Electronic Frontier Foundation and the Future of Privacy Forum.

Transparency has become a keyword for companies’ and service providers’ discussions of their own data practices. Notably, Google, whose business goes far beyond its original focus on online search, publishes a semi-annual transparency report disclosing the number and disposition of government requests of information from Google, along with other statistics such as content removal requests. Twitter has recently begun publishing its own transparency report, following Google’s lead.

Transparency, though, goes beyond disclosure about data collection and reports about governmental information requests. Rather, transparency covers not only how the organization is using the information it collects from—and about—consumers but also how the organization itself is structured, especially if it operates multiple business units or affiliated companies with different names which transfer customer information among themselves. Even if the privacy policy states that the company may be sharing data with its affiliates, that may not give consumers sufficient notice and understanding for them to fully consent.

As one illustration of the challenges of transparency even with the best intentions, consider Google. While the company publicly promotes its dedication to privacy, offers a user Dashboard for profile management and has received praise from advocacy groups such as the Electronic Frontier Foundation, Google users still have no clear way to determine all the ways Google is using their personal information.

The challenge comes from the sheer diversity of Google’s operations and frequent acquisitions. It’s almost impossible to discover the entire range of products, services and brands Google owns and controls, and through which it is collecting user information. The company’s products page lists categories including web, mobile, media, geo, home and office, social, specialized search and innovation, and includes products such as Orkut, Blogger and Picasa, whose names might not immediately identify them as Google services. A link to mobile on that page leads to another page which briefly describes the Android operating system owned and licensed by Google and running on devices from many manufacturers, the Google-branded Nexus devices, and further links to Google apps running on both Android and Apple’s iOS operating system.

Beyond those, Google owns numerous businesses operating under other brand names and is constantly acquiring others. Among the popular consumer brands that are owned and operated by Google, and therefore could be feeding information into the central Google databases, are the hardware manufacturer Motorola Mobility and the restaurant guide Zagat; the latter links to Google’s privacy policy as its own. Google also provides GPS-supplementing location data derived from mapped WiFi hotspots and access points to its own operating system and others, such as Apple, derived from information transmitted by Android devices back to Google. Users seeking to understand all of Google’s practices must discover and consider these additional channels as well.

The example of Google demonstrates that transparency must be maintained through ongoing review of and revisions to an organization’s disclosure and procedures. “Privacy by design” must include embedding privacy awareness and reviews in all business practices, especially in the area of mergers and acquisitions. Otherwise, even a company dedicated to and intending to promote best practices in privacy may fail to provide enough information to consumers for them to make informed decisions about whether and how to share their personal information with the company, leading to potential reputational and legal risks.

Jonathan Ezor is assistant professor of law and director at the Center for Innovation in Business, Law and Technology at Touro College’s Jacob D. Fuchsberg Law Center. He can be reached at jezor@tourolaw.edu.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»