Google to give all users clearer information about data use

0 Comments

Google has vowed to revise its privacy policy and account settings, in order to make it clearer to people what it does with their data and give them more control. This comes as part of a settlement with the U.K. Information Commissioner’s Office, announced on Friday, but the changes will apply globally.

The ICO and other data protection regulators across the EU have been coordinating a crackdown on Google’s practices since 2012, when the company introduced a new unified privacy policy. The unified policy allowed [company]Google[/company] to mix and match personal data across its various services – between YouTube and Search, for example. However, many people did not, and still do not, appreciate what this means in terms of user profiling.

Google has faced repeated fines over its refusal to change the policy in countries such as France, Italy and Germany, but the sums involved were chickenfeed for a company of Google’s girth. The U.K.’s ICO hasn’t fined Google in this way, but has repeatedly said that Google’s settlement proposals didn’t go far enough.

Now this long-running drama may be drawing to a close. On Friday the ICO triumphantly brandished an undertaking in which Google said it would do the following things during the next two years:

  • Make its privacy policy easier to find, and be clearer in that policy about what user information it processes and why.
  • Provide users with “information to exercise their rights” and launch a redesigned account settings version to give them more control.
  • Add two provisions from the Google terms of service to the privacy policy, regarding email data and the “shared endorsement” feature.
  • Add to the privacy policy information about “the entities that may collect anonymous identifiers on Google properties and the purposes to which they put that data.”
  • “Take several measures” to tell passive users – those using third-party services that are plugged into Google services, such as advertising – more about what’s happening with their data. Those running the third-party services will also need to “obtain the necessary consents” for this data collection.
  • “Enhance its guidance for employees regarding notice and consent requirements.”

Google also said it would continuously evaluate the privacy impact of future changes to its services and keep users informed, especially where the changes “might not be within the reasonable expectations of service users.” Particularly significant changes to the privacy policy will be “reviewed by user experience specialists and with representative user groups before the policy and associated tools are launched as appropriate.”

The changes will make sure Google is compliant with the U.K. Data Protection Act, which is based on European law. It is not yet clear whether this is the end of the matter as far as the other EU data protection authorities are concerned — I understand that the changes will apply in all countries around the world, though.

Here’s what ICO enforcement head Steve Eckersley said in a statement:

Google’s commitment today to make these necessary changes will improve the information UK consumers receive when using their online services and products.

Whilst our investigation concluded that this case hasn’t resulted in substantial damage and distress to consumers, it is still important for organisations to properly understand the impact of their actions and the requirement to comply with data protection law… This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services.

Although the list of commitments is fairly comprehensive, some terms are vague and the proof may lie in the implementation. For example, the EU privacy watchdogs previously demanded that users get the opportunity to “choose when their data are combined, for instance with dedicated buttons in the services.” That’s not merely a matter of giving users “information to exercise their rights”, so it will be interesting to see what the redesigned account settings entail.

So far, Google has merely said:

We’re pleased that the ICO has decided to close its investigation. We have agreed improvements to our privacy policy and will continue to work constructively with the Commissioner and his team in the future.

Even if this does indicate a conclusion to the unified privacy policy saga, then Google still faces major regulatory headaches in Europe. These include the big search antitrust case – tied in with digital agenda commissioner Günther Oettinger’s apparent desire to extend a version of the “Google tax” copyright levy across Europe – and a potential second antitrust case over Android.

Still, one at a time, eh?

This article was updated at 8.15am PT to note that the changes will apply globally.

Comments are closed.