Letter from Google re privacy policy changes — February 2012

PDF version (2.65 MB)

Google France SARL
38, avenue de l’Opera
75002 Paris

Main: +33 (0) 1 42 68 53 00
Fax: +33 (0) 1 53 01 08 15

Timothy Pilgrim
Australian Privacy Commissioner

Paris, February 29, 2012,

Via Email

Re: Changes to Google’s Privacy Policy

Dear Commissioner Pilgrim,

Thank you for your letter of February 23, 2012 on behalf of the Asia Pacific Privacy Authorities about Google’s plans to update our privacy policies by consolidating them into one document, publicly available on our site at www.google.com/policies/privacy/preview. We are responding directly to you, respectfully requesting that you distribute this response amongst your fellow APPA members who co-signed your letter.

We thank you for your positive comments about our efforts to create a better and more user-friendly privacy policy, as well as your comments about our extensive efforts to inform all our users of the upcoming changes.

We are pleased to answer your questions, and we welcome the opportunity to correct some of the misconceptions that have been circulated about our updated privacy policy. It’s important to note that the use of a primary privacy policy that covers many products and enables the sharing of data between them is an industry standard approach adopted by companies such as Microsoft, Facebook, Yahoo! and Apple.

We believe that the relevant issue is whether users have choices about how their data is collected and used. Google’s privacy policy — like that of other companies — is a document that applies to all consumers using our products and services. However, we have built meaningful privacy controls into our products, and we are committed to continue offering those choices in the future.

Your letter asks specific questions about some of Google’s products, and the privacy controls available to users. The most important product-specific privacy explanations have been incorporated into our main Privacy Policy. We feel there are many ways to communicate about our product-specific privacy practices without creating formal privacy notices. For example, we point our users to our Privacy Center, Help Center articles, in-product notifications, published FAQs and our Good to Know website to explain what information we collect and how we use it.

There are several other key points that we appreciate the opportunity to clarify:

Our approach to privacy has not changed. We’ll continue to focus on providing transparency, control, and security to our users. In fact, the announcement of changes to our privacy policy is a great example of our effort to lead the industry in transparency. It’s been the most extensive user notification effort in Google’s history — including promotions on our homepage, emails to our users, just-in-time notifications, and more — to ensure that our users have many opportunities to learn about these changes.

Google users continue to have choice and control. The main change in the updated privacy policy is for users signed into Google Accounts – but the updated privacy policy applies to all users of Google products, whether signed-in or not. Individuals don’t need to sign in to use many of our services including Search, Maps, and YouTube. If a user is signed in, she can still edit or turn off her search history, switch Gmail chat to off the record, control the way Google tailors ads to her interests using our Ads Preferences Manager, use Incognito mode on Chrome, or use any of the other privacy tools we offer. These privacy tools are listed at www.google.com/privacy/tools.

The privacy policy changes don’t affect our users’ existing privacy settings. If a user has already used our privacy tools to opt out of personalized search or ads, for example, she will remain opted out.

Our users’ private information remains private. The updated privacy policy does not change the visibility of any information a user has stored with Google. The update is about making our services more useful for that individual user, not about making information visible to third parties.

We’re not collecting any new or additional data about users. Our updated privacy policy simply makes it clear that we use data to refine and improve our users’ experiences on Google — whichever services they use. This is something we have already done for a long time for many of our products.

We are not selling our users’ data. We do not sell users’ personally identifiable information, and that will not change under the updated privacy policy.

Our users can use as much or as little of Google as they want. For example, a user might have a Google Account and choose to use Gmail, but not use Google+. Or she could keep her data separated with different accounts — for example, one for YouTube and another for Gmail.

We will continue to offer our data liberation tools. Our users will continue to have the ability to take their information elsewhere quickly and simply (more information about data liberation is available at www.dataliberation.org).

There are two reasons why we’re updating our privacy policies: to make them simpler and more understandable, and to improve the user experience across Google.

The first reason is simplicity. Google started out in 1998 as a search engine, but since then, like other technology companies, we’ve added a whole range of different services. Gmail, Google Maps, Google Apps, Blogger, Chrome, Android, YouTube, and Google+ are just a few of our many services now used by millions of people around the world.

Historically when we launched (or acquired) a new service, we added a new privacy policy, or left the existing one for that service in place. This approach eventually created a wide range of policies.

In September 2010, we took a first step toward simplifying these policies by folding a dozen service-specific notices into our main Privacy Policy. But that still left more than 70 notices. So we’ve re-written our main Google Privacy Policy to make it much more readable, while incorporating most of our existing service-specific privacy notices. This now gives users one comprehensive document that outlines our privacy commitments across our services.

The second reason is to create a better user experience. Generally speaking, the main Google Privacy Policy applies across Google, allowing data to be used generally to improve our services, unless it is limited by a specific restriction in the privacy notice for a particular service. Most of our privacy policies have traditionally allowed us to combine information gathered in connection with one service with information from other services when users are signed into their Google Accounts. By combining information within a user’s account we can improve their experience across Google.

For example, today we make it easy for a signed-in user to immediately add an appointment to her Calendar when a message in Gmaillooks like it’s about a meeting. As a signed-in user she can also read a Google Docs document right in her Gmail, rather than having to leave Gmail to read the document. Our ability to share information for one account across services also allows signed-in users to use Google+’s sharing feature — called “circles” — to send directions to family and friends without leaving Google Maps. And a signed-in user can use her Gmail address book to auto-complete an email address when she’s inviting someone to work on a Google Docs document. These are just a few examples of how we make our users’ experience seamless and easy by allowing information sharing among services when users are signed into their Google Accounts.

However, our privacy policies have restricted our ability to combine information within an account for two services: Web History, which is search history for signed-in users, and YouTube, the video-sharing service we acquired in 2007. (We had not updated YouTube’s original privacy policy to include Google, with the result that Google could share information with YouTube, but not vice versa.) For example, if a user is signed in and searching Google for cooking recipes, our current privacy policies wouldn’t let us recommend cooking videos when she visits YouTube based on her searches — even though she was signed into the same Google Account when using both Google Search and YouTube.

This kind of simple, intuitive experience across Google benefits our signed-in users by making things easier and letting them find useful information more quickly. Indeed, we often get suggestions from users about how to better integrate our services so that they work together more seamlessly. So our updated privacy policy makes it clear in one comprehensive document that, if a user is signed in, we may combine information she has provided from one service with information from our other services. We’ll treat that user as a single entity across all our services, which will mean a simpler, more intuitive Google experience.

People can still set up multiple accounts to manage multiple identities, move data between those accounts with Data Liberation tools, and prevent information from one account from being used to personalize another account. If Jane wants to use Google Docs and keep that separate from her personal Google+ account, she may create a work_accountjane@gmail.com account that she uses for Docs, and a personal_accountjane@gmail.com account that she uses for sharing on Google+.

In your letter, you note that the new policy does not include specific data retention deadlines for user data, in contrast to some product-specific privacy policies in the past. In particular, you mention Google Health which, as you may know, is in the process of being shut down.

We make good-faith efforts to provide our users with access to their personal information and to delete such data at their request, if it is not otherwise required to be retained by law or for legitimate business purposes.

Our data archiving system was originally built to provide highly reliable data retention in order to prevent data loss in case of failures, which must be balanced against deletion requests. After receiving a deletion request from a user, archived copies will expire and the archival system has mechanisms to subsequently overwrite expired archived data. So, while immediate deletion is not always practicable due to the way this archiving system operates, Google has processes in place to remove user data from active serving systems within a reasonable period of time after a user asks us to close his or her Google Account.

You raised some important points about Android that we’d like to clarify. We are not changing the privacy protections offered to Android users. Our updated privacy policy, like the prior versions, covers users signed into their Google Accounts on Android phones just as it does users signed into their Google Accounts from a desktop computer. It does not make any changes that especially impact users of Android phones.

Android users will continue to have many choices about whether and how they use Google services on their devices.

Android users can access nearly all of the functionality of their device without a Google Account. They can use the phone to place calls, send text messages, browse the web, download applications from third party markets, use third party applications, and use Google applications that do not require account authentication such as Google Maps. In addition to the Gmail application, users can use alternate email services on Android phones through the open-source Android email application, through the web browser, or through specific email client applications, such as Yahoo! Mail or Microsoft Hotmail for Android.

Some Google applications such as Android Market and Gmail require authentication with a Google Account in order to provide the service. For example, users must remain logged into an email client in order to receive their email in real time; otherwise, there is no means by which the email client can retrieve messages from the server for the end user.

If a user chooses to log into her Google account on her Android device, she has many options available to control how Google uses her information, similar to the desktop experience.

For example, from an Android phone, a user can access the same search history functionality that exists on the desktop. The mobile application automatically links to the web browser, where the user manages the search settings in exactly the same browser interface for mobile and desktop. In the browser, a user can turn search history on or off, edit queries, or delete the history entirely. Android users can also use the incognito mode in the browser to avoid the storage of any browsing history on their devices.

Thank you for your thoughtful questions, and I hope that this has resolved your concerns. In any case, we are committed to an on-going constructive dialogue with the members of APPA, and in that spirit, I welcome the opportunity to work with you in the future to ensure the highest levels of privacy protection for our users.


Peter Fleischer
Global Privacy Counsel
Google Inc

Société à Responsabilité Limitée unipersonnelie au capital de 7,500 €
443061 841 R.C.S. PARIS – SIRET : 443 061 841 00039 – APE 724Z
TVA intra: FR 6444 3061 841 00021