Google has agreed to play ball with UK regulators to change how it collects user data in the country.
In a notice released Friday, the UK’s Information Commissioner’s Office (ICO) announced that Google will “make further changes to its privacy policy to ensure it meets the requirements of the Data Protection Act,” which spells out how data must be collected in order to ensure that the privacy of users is protected.
In March 2012, Google rolled out a privacy policy that combined the policies of all of its services into one. But the ICO found that the newly combined policy was too vague and didn’t adequately explain to users how and why their personal information was being collected.
Google has faced legal investigations and hefty fines over its privacy policies, especially in Europe where the laws tend to be stricter than in other regions. In response to requests from the European Union, Google has made small and gradual concessions in how it collects data and informs users of its data collection. But the search giant has had a hard time satisfying regulators, who always seem to push for more aggressive policy changes.
Google’s attempt to consolidate its policies in 2012 was a key move that raised concerns in Europe. France’s privacy watchdog, the Commission Nationale de l’Informatique et des Libertes (CNIL), announced in 2013 that six European countries would launch because Google “has not implemented any significant compliance measures,” despite a request for changes to the policy. Those countries included France, Germany, Italy, the Netherlands, Spain and the U.K.
In the past, Google has insisted that its privacy policy is legal and respects European law. But European data protection authorities, known as the Article 29 Working Party, have tried to tell Google what it needs to do to comply with its requirements. Last September, the group issued a six-page guideline document with specific requirements that Google should follow.
Following an investigation into the matter by the ICO, Google has agreed to make certain changes to its privacy policy by June 30 of this year and to take further action over the next two years, the ICO said. The agreement applies only to the UK and lists the following changes to which Google has agreed:
- Google will enhance the accessibility of its Privacy Policy to ensure that users can easily find information about its privacy practices.
- Google will enhance the disclosures in its Privacy Policy to describe its data processing activities more clearly, including the types and purposes for which it processes user information, a nd to provide users with information to exercise their rights.
- Google will provide clear, unambiguous and comprehensive information regarding data processing, including an exhaustive list of the types of data processed by Google and the purposes for which data is processed.
- Google will provide information to enable individuals to exercise their rights.
- Google will provide user resource covering data processed by Google and the purposes of processing.
- Google will include two provisions of the Google Terms of Service, regarding the processing of email data and the shared endorsement feature, in the text of the Google Privacy Policy.
- Google will add more information to its Privacy Policy about the entities that may collect anonymous identifiers on Google properties and the purposes to which they put that data.
- Google will implement several measures to ensure that passive users are better informed about the processing of their data and that publishers using Google products obtain the necessary consents.
- Google will revise its Privacy Policy to avoid indistinct language where possible.
- Google will enhance its guidance for employees regarding notice and consent requirements.
- Google will ensure, so far as practicable, that the requirements of the first principle are applied equally to all Google products, regardless of which terminal device the Google user is accessing them on, including mobile, tablet, desktop, and new hardware offerings.
- Google has implemented a multi-layered approach to its Privacy Policy and will make additional changes to further enhance the layers.
- Google will launch a redesigned version of Account Settings, which will allow users to find a variety of controls and information more easily, and will more prominently feature the Dashboard at the top level.
In connection with the new agreement, Steve Eckersley, head of enforcement at the ICO, issued the following statement:
This undertaking marks a significant step forward following a long investigation and extensive dialogue. Google’s commitment today to make these necessary changes will improve the information UK consumers receive when using their online services and products.
Whilst our investigation concluded that this case hasn’t resulted in substantial damage and distress to consumers, it is still important for organisations to properly understand the impact of their actions and the requirement to comply with data protection law. Ensuring that personal data is processed fairly and transparently is a key requirement of the Act.
This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services. It is vital that there is clear and effective information available to enable users to understand the implications of their data being combined. The detailed agreement Google has signed setting out its commitments will ensure that.