Google Updates Privacy Policy, Allows Personally Identifiable Web Tracking

As first reported by  ProPublica, Google recently updated its privacy policy to remove an important consumer privacy protection. Google’s updated policy removed the preexisting ban on personally identifiable data collection, leaving users open to invasive privacy violations.

Google bought DoubleClick, an advertising network, in 2007. At that time, Google promised privacy was a priority when integrating with advertising products – and they upheld this promise for almost ten years. Google previously kept Doubleclick’s “massive database of web-browsing records” separate from other data collected (names, personally identifiable information collected from Gmail and other logins) by default.

But all that came to an end when Google updated their privacy policy a few months ago and removed language promising to keep the two sets of data separate. The new language instead reflected that user browsing habits and data “may be” combined with other information collected from various Google logins and tools. This update was enabled by default for new accounts, and existing users were prompted to opt-in. Language surrounding the opt-in was vague, however, and described the changes as simply “some new features for your Google account.” Hardly transparent to users.

The updates mean DoubleClick can use personally identifiable information collected from Gmail or other logins to customize the ads they serve. This includes using keywords found in email content, and that Google can create a profile of each user including name, email, sites visited, email content and searches conducted.

This is a huge privacy violation, and highly invasive to Google users. It also invalidates any previous claims by digital advertisers that ads are anonymous or based on aggregate data. While many other companies were already combining data across logins (Facebook, for example, had been doing this for 2 years), Google held out in not doing so. Since Google is such a large company, it’s likely they’ll set a precedent for other companies in implementing.

Google described their privacy policy changes as a way to “adjust to the smartphone revolution,” stating: “We updated our ads system, and the associated user controls, to match the way people use Google today: across many different devices,” Faville wrote. She added that the change “is 100% optional–if users do not opt-in to these changes, their Google experience will remain unchanged.”

At Golden Frog, we find these changes concerning for several reasons. First, tying personally identifiable information across logins is a large privacy violation, and takes away a users’ right to privacy online. Secondly, the way in which the changes were enacted and the language used was far from clear or transparent. Users have a right to know and understand how their data is being collected when they use free services (paid ones, too), and Google should have been more upfront about presenting the changes. Online privacy is hard enough to acheive, and with their updated privacy policy, Google has made it even harder.

Want to Opt Out? Here’s How: 

It’s possible to opt-out of Google’s identified tracking. To do so, visit the Activity controls on Google’s My Account page, and uncheck the box next to “Include Chrome browsing history and activity from websites and apps that use Google services.”  It’s also possible to delete past activity from your account.

Sources

Read more and see the text from Google’s privacy policy in articles from ProPublica and The Tech Portal.