From a Legal Standpoint, Should You Go With Google Docs or Office Online?

Not so long ago, when a startup or enterprise was determining the cost of an employee, one of the single largest expenses was the licenses for the back-office software the business runs on.

In a world of the $300 laptop, paying $219 for a copy of Microsoft Office Home & Business is hard to swallow. As a result, companies are turning to the cloud, using Google for Business and Microsoft Office Online instead. 

It is easy to think that the two big fish in the market are equal competitors, but in truth the devil is in the details on these two offerings, and picking wrong can be very painful. Most people pick their back office based on the user experience. I’ll explain why that is wrong a bit later, but first, a quick rundown on the two.

Microsoft was a bit late to the game getting Office Online to be comparable to Office for desktop, and while I would like to say that Word Online is better than Google Docs, I am writing this article in Google Docs. That is not because the fit and finish is better on Google Docs, or because Google Docs is easier to use; it is just that Microsoft doesn’t have the same level of ease of collaboration. Rather than bouncing between the two, it is easier for me to use Google Docs all the time.

For spreadsheets, however, all the collaboration in the world can’t save Google. Excel is just that much more awesome, especially for power users.

Knowing this, you might pick one based on whether you do more spreadsheets or word processing. I know a lot of companies that did. Or you might pick based on an “I hate” attitude toward one company or the other. But what really matters is the privacy policies of each.

Both Microsoft and Google comply with the Federal Information Security Management Act (FISMA, which many government agencies require), ISO 27001 (one of the strictest security benchmark standards used in business and government relating to intrusion prevention) and SSAE 16 (a standard for how security is audited, and breaches are reported).

If you sign a Business Associate Agreement, both can be used for Protected Health Information under HIPAA. Both also allow you to opt into the model-contract clauses necessary to make them U.S.-EU Safe Harbor Framework compliant (this is required if you want to move private user data between the EU and U.S. or vice versa). So you would think both are at the same level of privacy. The Electronic Privacy Information Center (EPIC) disagrees.

FERPA, short for Family Educational Rights and Privacy Act, is a compliance standard for schools and those working with student records. Google for Education has a stricter privacy policy than Google for Business, but HIPAA is generally considered stricter than FERPA, so one can infer that if Google’s strictest offering isn’t compliant with the less strict of the two standards, Google is out of compliance with both.

Google recently made headlines for providing information about a user who had child pornography in his Gmail, but Microsoft made headlines for not turning over emails stored outside the U.S., in contempt of a court order. In California, Google was named in a class-action lawsuit (Google Inc. Gmail Litigation, 13-md-02430) by schools and students of schools that use Google Apps for Education, because despite a FERPA requirement that Google claims to be in compliance with, Google is mining student emails for reasons other than “purposes authorized by the district.” The case has been resolved.

Granted, many of the issues Google is having are the result of the pace of technology. FERPA was enacted in 1974. The idea of having students with school-issued laptops was not a concern 30 years ago, but the way Google and Microsoft handle issues is what concerns me. Microsoft is going to court for being too tenacious with user privacy, and Google is going to court for failing to have enough respect for it.

This is made clear by one last category of compliance that companies often contend with, the Gramm-Leach-Bliley Act (GLBA). The GLBA requires financial institutions to protect their clients' personal information. Google doesn’t make any claims to be compliant with the GLBA. Microsoft does.

That makes the decision easy for me. If you are doing anything concerning medicine, the law, children or financials, or anything where someone might think you are doing something illegal (such as starting a disruptive business, as in the “Uber of insert an industry”), you should likely go with Microsoft.

If you are doing something that has none of those risks, and everyone collaborates on text documents, such as an engineering startup or a graphic design firm, Google for Business is likely a better choice. That is, until you start to do business with someone from the above categories of business; then you will need to do a migration.

Since I am writing this in Google Docs, you might have figured out I am in that category of people expecting to migrate, and loathing the day it happens. If only I had invited the guys and gals from legal into the IT meeting when we picked our back office.
