How will Google's new privacy policy affect you? We wade through the fine print so you know where you stand and what to do about it.
If you click through web site terms and conditions (T&Cs) without a second thought, you may not have noticed Google's dramatically different new privacy policy.
Others, however, are up in arms after the internet giant announced it had combined what used to be dozens of privacy policies for its various subsidiary sites, replacing them with a single new policy it says will help punters understand what it does with their data (complexity and sensitivity have forced separate policies for Google Wallet, Chrome and Books).
Simplifying privacy policy may sound reasonable enough, but some privacy advocates have roundly slammed Google for a policy they say opens the door to invasive sharing of personal details between Google sites; targeting of highly personalised ads based upon users' activities across Google properties; and that sinking feeling that Google knows more about you than even your own mother.
Concerns over the magnitude of the move were so broad that European Union officials asked Google to push back its March 1 deadline for introduction of the new policy so French data privacy regulator CNIL could complete a formal investigation, on behalf of the EU, into its potential effect on users' rights. The European Union's longstanding Data Protection Directive outlines strict controls on the collection, exchange and use of personal information.
A single experience
The new policy reflects changes Google has been making to its services so they can all be tied back to a user's single Google Account, rather than having different user names on different services. Google says the policy reflects "our desire to create one beautifully simple and intuitive experience across Google" – a broad corporate objective to which CEO Larry Page is so committed that he recently told employees that if they didn't agree with it, they should "probably work somewhere else".
Unification makes it easier for Google to move data between services, but it also opens the door to what could become some uncomfortable prying. For example, if you've been looking up tropical islands on Google Maps, you might find yourself served advertisements from travel agents or directed to discounted flights through the Flight Search service Google launched with ITA Software last September. If you often refer to Mozilla's Firefox browser in emails, Google might prioritise ads for its own Chrome alternative.
The options are unlimited but the core issue is that, by tying information about users back to one account, Google could run roughshod over its users' privacy. It's not a dissimilar concern to that which dogged Facebook for years and last November saw that company agree to significant changes to address the concerns of EU authorities and the US Federal Trade Commission.
Australian authorities haven't been concerned: Australian Privacy Commissioner Timothy Pilgrim has been investigating the policy in conversations with Google, and has indicated his broad support for policy consolidation as "a step in the right direction as it will make it easier for users to understand what Google will do with their personal information."
However, he added, "Thought needs to be given to how easy it is for people to control what is happening to their information." Google already offers users such controls through its Google Dashboard (see sidebar).
The fine print
Reading through the privacy policy, Google's efforts at simplification are obvious. The previous policy, for example, listed nine types of information Google might collect; the new policy combines these into just two: user-supplied details, and information collected while users use Google's services.
Google now explains in far more detail how it uses personal information – which was previously covered with broad statements about improving services and developing new ones. For example, it delineates practices for using your user name – to be "represented consistently across all our services" – or to keep records of communications with Google. Google also describes the use of cookies and technologies like pixel tags "to improve your user experience and the overall quality of our services". Cookies and anonymous identifiers will not, Google adds, be identified using sensitive categories such as race, religion, sexual orientation or health.
The new policy also lets Google combine information between services – one practice that has worried many privacy advocates because many users previously valued anonymity in some services. Google won't combine DoubleClick cookie information with personally identifiable information without user opt-in, and will get user consent before using data in other ways.
Also spelled out in the new policy are details of Google's information-security precautions and an explicit list of cases where Google will share information with external parties (with user consent, with domain administrators, where data is sent to affiliates for external processing, or for legal reasons).
Whether the new guidelines pass without comment or become the subject of a furious online battle remains to be seen. However, in the main Google argues that they are clearer and simpler than the previous policy – and will provide a foundation on which the company can both unify and tailor its services in the future.