UPDATED 5/30, 8:45 AM After I wrote about Google’s spat with an advertising trade group over the company’s refusal to put a link to its privacy policy on the home page of Google.com, I discovered that there is actually a California law on the subject.

The California Online Privacy Protection Act of 2003 requires the operator of a commercial Web site that collects personal information about users to “conspicuously post its privacy policy on its Web site.”

How conspicuously? The site needs to link to the policy “located on the homepage or first significant page after entering the Web site.” And the law has some rules for how prominent the link must be.

Google certainly knows about the law. Just before it took effect in 2004, the Mountain View, Calif.-based company expanded the disclosures in its privacy policy in order to comply, according to a report by CNet.

Google, which wants to keep its home page very simple, puts a link to its privacy policy on a page called “About Google,” to which it links from its home page. Steve Langdon, a Google spokesman, said in an e-mail message that Google interprets the law as allowing the company to use other methods to provide notice of its privacy policy:

By having a link to our privacy policy one click from our home page, and because the privacy policy is easily found by using the search box on the home page, we comply with this statute.

I don’t see any discussion of any alternatives to a home-page privacy link in published analyses of the law. For example, a 2004 analysis by the law firm Cooley Godward Kronish doesn’t list any other option for conspicuous notice other than placing the privacy policy itself or a link to it on a site’s home page. And the California Office of Information Security and Data Protection offers this recommendation to Web sites:

Use a conspicuous link on your home page containing the word “privacy.” Make the link conspicuous by using larger type than the surrounding text, contrasting color, or symbols that call attention to it.

I’ve left a phone message for and sent an e-mail message to Joanne McNabb, the chief of California’s Office of Privacy Protection, seeking more clarification of the law. I’ll post her response if I hear from her.

Does Google’s decision to do something different really matter? Google argues that anyone who is curious about its privacy policy can simply search Google to find it. Moreover, privacy policies are more about fine print and legal mumbo jumbo than information that is really useful to people. Also, it’s worth noting that Google says it makes far less use of the data it collects about its users than many other big Web companies. Yahoo and AOL, for example, display advertising based both on information provided by users and on the users’ online surfing behavior. Google doesn’t.

On the other hand, it doesn’t seem like it would be that hard for Google to put a single seven-letter word somewhere on its home page to help those who want to know more about its privacy practices.

Privacy experts say Google is under the microscope because it collects and retains so much information about so many people.

“It wouldn’t be a big privacy issue if it wasn’t Google saying everyone else may be doing this but we don’t need to,” said Marc Rotenberg, the director of the Electronic Privacy Information Center.

UPDATE (For those who like legal details):



I had asked Chris Hoofnagle, a senior fellow with the Berkeley Center for Law & Technology, to help me understand Google’s argument. The company pointed out that the law presents some options that include placing the link to the privacy policy on the “first significant page” after the home page. And it allows more flexibility to “online services” than to Web sites.

Here is what Mr Hoofnagle wrote back: