February 24, 2012

Letter to Google regarding privacy policy changes

The Privacy Commissioner of Canada has sent a letter to Google to request additional information related to recently announced plans to change its privacy policy.

February 23, 2012

Mr. Colin McKay
Manager, Global Public Policy
Google
340 Albert Street
Ottawa ON
K1R 7Y6

Dear Mr. McKay:

I am writing further to Google’s recently announced plans to change its privacy policy, effective March 1, 2012, and further to a meeting between a representative of Google and officials from my Office. I am pleased to take this opportunity to provide you with some of our feedback and to request some additional information on certain practices.

As we understand it, Google has a number of goals that it wishes to achieve through this effort. Primarily, the company is aiming to reduce the number of privacy policies that currently exist (over 70) in relation to its many different products and services to one general privacy policy. In addition to that general policy, Google will still retain a small number of product-specific policies (e.g., for Google Wallet) where it believes that this makes sense or is otherwise required by law. The other goals are to create a simpler, more intuitive user experience across multiple Google products; improve search results; and make ads more relevant.

I would first like to acknowledge Google’s efforts to alert users to the new policy. Google has worked hard to simplify and streamline its privacy policy. We have long been calling for better, more user-friendly privacy policies and yours is a step in the right direction.

We do, however, have a number of questions and concerns, as outlined below, that we would appreciate receiving a response from you on.

Data retention information

As with all efforts to condense and streamline privacy information, there is always a risk that important information will be dropped. One area we noticed where important information seems to be missing in the new consolidated policy, when compared to previous service-specific policies, relates to data retention and disposal. Those service-specific policies that were reviewed provided specific deadlines for the deletion of personal information following a request for deletion from the user (e.g., Google Health – 24 hours for deletion; Picasa – 60 days for deletion). The new general policy does not include any such timelines. We strongly encourage Google to more clearly explain its data retention and disposal policies and practices, particularly those dealing with data deletion in response to a user request, and would request that you let us know how you intend to address this issue.

Linking of services and personal information

The other goals of consolidating the privacy policies are very significant and may raise privacy issues, particularly the objectives of creating a simpler user experience, improving search results and making ads more relevant to users. It is important to note that, as we understand it, the proposed changes only affect users who have, and are signed into, a Google account. For those who do not have a Google account but simply use such services as Search or YouTube, the changes reflected in the new policy have no impact. The following comments therefore concern account holders only.

Under the current policy, data sharing already takes place across certain products. For example, Google makes it easy for a signed-in user to immediately add an appointment to Google Calendar if an incoming e-mail looks like it is about a meeting. For other products, such as Search and YouTube, the data that Google collects about how individuals use a particular product have been kept separate. Specifically, a user's general search history would not be used to improve search results on YouTube. Considering that an individual's search history can be quite unique and sensitive (indicating vital facts about the person’s location, interests, age, sexual orientation, religion, health concerns, and much more), this was an important privacy protection.

We understand that, under the new policy, Google is removing this separation between its various products. In other words, Google will be linking all of a user’s data together when the user logs into his/her account and uses various services. According to Google, "information is associated with a given user only if the user is signed into their Google Account. If a user maintains two separate Google Accounts – for example a work account and a personal account – Google will not use information about one account to personalize the other". As we understand it, the policy changes do not mean that Google is collecting more information about its users than it currently does. They do, however, mean that you are going to be using the information in new ways – ways that may make some users uncomfortable. We would strongly encourage you to make it clearer to users that if they are uncomfortable with these new uses of information, they can create separate accounts. This is not clearly stated in your new policy; rather, the information about the separate accounts was clarified in one of the letters from a Google senior executive in response to queries by the Article 29 Working Party.

Google has also set out other ways and means that users can exercise their privacy preferences, some of which are listed in the new policy and some of which were, again, explained in responses to inquiries from legislators. Users should not have to be familiar with Google’s correspondence to be fully aware of their options. We would strongly encourage you to make it clear within the privacy policy language what all of the options are.

A further concern regarding the personalization of services comes from language in the new policy, where Google states that it “may use the name you provide for your Google Profile across all of the services we offer that require a Google Account. In addition, we may replace past names associated with your Google Account so that you are represented consistently across all our services”. It is not entirely clear how this process would work and just how far it would extend. For example, will Google attempt to link existing accounts to each other or new accounts with previous accounts, either of which would contradict statements by the company that users can create and maintain separate accounts? We would appreciate your clarification of this issue.

Android users

Lastly, with respect to Android users, it is our understanding that Google currently collects the following information:

  1. device information: Google may collect device-specific information (such as hardware model, operating system version, unique device identifiers, and mobile network information including phone number). Google may associate the device identifiers or phone number with the user's Google Account;
  2. log information: telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls; and
  3. location information: when an individual uses a location-enabled Google service, Google may collect and process information about the individual's actual location, like GPS signals sent by a mobile device. They may also use various technologies to determine location, such as sensor data from the device that may, for example, provide information on nearby Wi-Fi access points and cell towers.

Although Google has stated that some of its services can be used without signing into an account, this is not very practical if a user is accessing those services via an Android phone. While signed-out users will be able to make calls and send texts, for instance, they will not be able to download new applications, update those already installed or synchronize the phone with G-mail or Calendar. In effect, it appears that there is very little choice for Android users should they not wish Google to have the ability to link all of the services they use. This is of particular concern given the potential ease with which accounts could be linked together on the basis of the device identifier information that Google collects. We would appreciate receiving comments from Google with respect to such linking of vast quantities of personal information as a condition of service to use the Android phone.

We are aware that many authorities in other jurisdictions have raised a number of important questions and concerns with Google about the change to the privacy policy. We have been monitoring those responses and will continue to do so. We look forward to hearing more from the company on that front.

In the meantime, we would appreciate receiving your views on our three areas of concern at the earliest opportunity. Thank you again for meeting with our Office.

Sincerely,

Original signed by Patricia Kosseim for

Jennifer Stoddart
Privacy Commissioner of Canada

c.c. The Information and Privacy Commissioners of Alberta, British Columbia and Quebec