ICO requires changes to Google privacy policy

Company signs formal undertaking

The Information Commissioner’s Office (ICO) has required Google to sign a formal undertaking to improve its privacy policy and provide users with more and clearer information about how it uses personal data gathered from its online products and services.

The formal undertaking followed an investigation by data protection authorities across Europe (led by the French data protection authority under the auspices of the Article 29 Working Party), prompted by concerns about Google’s new privacy policy – introduced in March 2012 – which combined around 70 pre-existing privacy policies into one. The ICO found that the policy was too vague when describing Google’s use of personal data. After a long period of investigation and discussion, during which Google had already made some changes to the policy in response to concerns, the undertaking requires further changes and ongoing collaboration with the ICO over any future changes.

The points of concern highlighted in the undertaking, which is available on the ICO website, will be of interest to many, in particular online service providers and those who combine personal data obtained across a number of different products and/or services.

Key areas of concern/potential improvement which emerge are:

  • data controllers must ensure that sufficient, easily accessible information is provided describing the ways in which, and purposes for which, users’ personal data is processed; practical examples can help to illustrate what this means for users in practice
  • any processing which does not accord with users’ reasonable expectations should be brought to their attention
  • where personal data is to be combined across products and services this should be explained to users
  • additional relevant information, such as use of Cookies, should be made easily accessible from the main privacy policy
  • technical terms may need to be explained
  • where data is collected from so-called “passive users”, i.e. those whose data is obtained not because they used the data controller’s services but because they visit a website which does (in the case of Google, e.g. websites which use Google Analytics), information should be provided, and contracts with partners should ensure data collection is disclosed to users
  • data policies should be documented internally

The ICO news story, together with the text of the undertaking signed by Google Inc., can be found on the ICO website here.

For discussion of a few of the key issues businesses, lawyers, and the general public are likely to face over the coming year, see Data Protection: Key Issues 2015 by 5RB’s Felicity McMahon.