Letter to Google re Privacy Policy — February 2012

Mr Larry Page
CEO
Google Inc.
1600 Amphitheatre Parkway
Mountain View
California, 94043 USA

Dear Mr Page

Changes to Google’s Privacy Policy

I am writing on behalf of the Technology Working Group (TWG) of the Asia Pacific Privacy Authorities (APPA)[1]. When Google announced the upcoming changes to its privacy policy, members of APPA requested the TWG to consider the implications of the changes.

Initially, I would like to say that the TWG recognises Google’s efforts in making its privacy policies simpler and more understandable. Similarly, it notes Google’s education campaign announcing the changes. However, the TWG would suggest that combining personal information from across different services has the potential to significantly impact on the privacy of individuals. The group is also concerned that, in condensing and simplifying the privacy policies, important details may have been lost.

I would emphasise that members of APPA operate independently in differing regulatory environments. There may, therefore, be issues that are specific to particular jurisdictions. The following comments, however, represent some common concerns raised by the TWG.

1. User choice and control

Google’s new privacy policy states that ‘[w]e may use the name that you provide for your Google Profile across all of the services we offer that require a Google Account. In addition, we may replace past names associated with your Google Account, so that you are represented consistently across all our services’. It is not clear from this statement whether users will be able to segregate their online identities if they use multiple Google products for different purposes. We would suggest that it is important that users, especially members of minorities or at-risk groups, be able to control the way in which their information is aggregated and shared online.

We understand that the move to a single account will primarily affect new Google account holders. We would be interested to understand how the changes will affect existing users, who may hold several accounts for different Google products, including Google Apps accounts.

We welcome Google’s efforts in developing a number of privacy tools such as the Dashboard and the Opt-out in the Ads Preference Manager. We would question, however, whether users can access these tools readily. We would encourage Google to ensure that these tools are easy to locate and that the Dashboard enables users to view all information associated with their account, including telephone numbers and device identifiers if these are held.

2. Level of detail in the policy

Google’s new privacy policy combines policies from a number of different products and services and significantly reduces the length of these documents. While improving the readability of the privacy policy is a positive step, it is important that detail is not lost. Some product-specific privacy policies contain timeframes for the deletion of information following a request from a user, such as the Picasa policy, which states that data will be deleted within 60 days of a user’s request. These timeframes have not been carried forward to the new policy.

We note that Google’s privacy policy states that ‘[w]hen showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health’. It further states that Google requires opt-in consent for the sharing of any sensitive personal information with third parties. This implies that, although sensitive information will not be used to serve ads via a cookie or anonymous identifier, Google will nevertheless collect sensitive personal information.  We would be interested if Google could clarify its policies regarding deletion of information and handling of sensitive personal information.

3. Impact on Android users

The changes to Google’s privacy policy potentially have a substantial impact on Android users, as use of Android smartphones and tablets requires users to have Google accounts. We would like to understand the extent to which Android users will be affected by the changes and the options that will be available to them.

I look forward to your response to these issues.

Yours sincerely

[Signature]

Timothy Pilgrim
Australian Privacy Commissioner

28 February 2012

---

[1] APPA comprises the following privacy authorities: Office of the Australian Information Commissioner, Australia; Office of the Information and Privacy Commissioner, British Columbia, Canada; Office of the Privacy Commissioner, Canada; Office of the Privacy Commissioner for Personal Data, Hong Kong; Korea Internet & Security Agency, Korea; Federal Institute for Access to Information and Data Protection, Mexico; Office of the New South Wales Privacy Commissioner, Australia; Office of the Privacy Commissioner, New Zealand; Office of the Northern Territory Information Commissioner, Australia; Office of the Information Commissioner, Queensland, Australia; Federal Trade Commission, United States of America; Office of the Victorian Privacy Commissioner, Australia. The US Federal Trade Commission is not a signatory to this letter.