The Washington PostDemocracy Dies in Darkness

Opinion A lawsuit against Google points out a much bigger privacy problem

Karl A. Racine, the attorney general of Washington, D.C., in December. (Jabin Botsford/The Washington Post)
Placeholder while article actions load

Every month seems to bring a new salvo against Big Tech — the latest from three state attorneys general and the District’s Karl A. Racine (D). The lawsuit argues that Google has deceived customers into giving up sensitive data. Yet the problem is bigger than one company, and the solution can’t come only from the courts.

The complaints filed in late January by the top enforcers in D.C., Indiana, Texas and Washington allege that the world’s largest search engine told users they could prevent the company from tracking their location in account settings. In reality, the data was nonetheless hoovered up by other means. The suit also dwells on Google’s alleged employment of “dark patterns” to coerce individuals into picking not the options that best suit them but the options that best suit the business — by hiding opt-outs in mazelike navigation menus, for example, or incessantly nudging a consumer to opt in. Google argues that its controls are transparent and robust — and its products protective by design.

So far, the firm has had the better of it before the bench: An Arizona judge earlier this year kicked a similar case to trial for further fact-finding, but in doing so he pointed out that Google’s policies inform users of the company’s data-collection practices. Attorneys general are relying on existing consumer protection statutes to police platforms because Congress and most state legislatures have failed to craft rules befitting the surveillance economy that characterizes today’s Internet. Yet every case is a reminder of just how necessary and overdue those rules are — especially the comprehensive federal framework that lawmakers have been trying and failing to negotiate for the past few years.

The phenomenon the recent suits describe, after all, is not particular to Google but rather endemic to almost the entirety of the Web: Companies get to set all the rules, as long as they run those rules by consumers in convoluted terms of service that even those capable of decoding the legalistic language rarely bother to read. Other mechanisms for notice and consent, such as opt-outs and opt-ins, create similar problems. Control for the consumer is mostly an illusion. The federal privacy law the country has sorely needed for decades would replace this old regime with meaningful limitations on what data companies can collect and in what contexts, so that the burden would be on them not to violate the reasonable expectations of their users, rather than placing the burden on the users to spell out what information they will and will not allow the tech firms to have.

The question shouldn’t be whether companies gather unnecessary amounts of sensitive information about their users sneakily — it should be whether companies amass these troves at all. Until Congress ensures that’s true for the whole country, Americans will be clicking through policies and prompts that do little to protect them.