We trust search engines with information that we won’t tell our family, friends, or doctors. But do they deserve our trust? Typically search engines keep logs of all the searches you make, tied to a unique cookie, or possibly even your real name. The law does not directly limit what companies can do with that data themselves, and, of course, the government can ask for it, or the data can simply be accidentally exposed for the world to see.
Until recently, Yahoo! was the industry leader when it came to minimizing the amount of time that search log data was kept in identifiable form. While Google and Microsoft were storing search data in identifiable form for between six and eighteen months, Yahoo! was only keeping this data for 90 days, a policy that earned them accolades from both public interest groups and legislators.
But last week, Yahoo! announced that it will soon be sextupling the length of time it keeps these logs (bringing the retention length to 18 months), and it will be reevaluating the retention periods for other data as well. While Yahoo! promises that the change will be a “move forward” for users and will offer them “a more robust individualized experience,” the company never actually specifies how this data will be used. (Does “individualized experience” refer to search? Advertisements? Something else?) Some users might well want a “robust individualized” experience through Yahoo!, but it’s hard to tell exactly what that means right now.
Despite historic levels of attention to consumer privacy by the press, the Federal Trade Commission, the Department of Commerce, and Congress, the search industry has not stepped up to offer strong, industry-wide privacy protections for consumers. While the behavioral advertising industry, which has been under the harshest spotlight, has started to roll out a self-regulatory program with broad (though not comprehensive) industry participation, other industries aren’t developing comparable programs. Indeed, instead of collaborating to develop protections for consumers, many companies feel compelled to run a race to the bottom with respect to how much data they collect and how long they retain it. Under the current regulatory environment, there seem to be few incentives for any individual company, or even any industry at large, to reduce data collection and retention.
In short, Yahoo!’s decision to backtrack on its efforts to protect user privacy serves as a case study for why Congress needs to pass a baseline consumer privacy bill this Congress. If companies truly believe that placing limitations on their use of consumer data puts them at a competitive disadvantage, then self-regulation by itself will be insufficient to protect consumers. We expect many companies, especially those struggling to balance a commitment to best practices with legitimate concerns about losing their competitive advantage, feel the same way.