​UK's privacy watchdog nails down Google privacy policy changes

The UK's data watchdog has closed its investigation into Google's consolidated privacy policy after agreeing key changes to make it simpler for consumers to understand.

Google has signed an agreement with the UK's privacy watchdog to revise the controversial single privacy policy it introduced in 2012.

The Information Commissioner's Office has agreed a memorandum of understanding with Google, requiring the search company to make a number of changes to the privacy policy by 30 June 2015, clarifying how and why it processes user data.

Google brought in its single privacy policy in early 2012, consolidating the 70 policies it previously used for different products, such as YouTube, Gmail, and search.

Read this

Google must review privacy policy, EU data regulators rule

European regulators have warned that the scope of Google's new consolidated privacy policy is "too large" and users must be given greater control over their data.

Read More

The ICO has the power to issue enforcement orders, including fines up of £500,000 for serious breaches of the Data Protection Act. While it has threatened Google with enforcement action previously, the ICO said today that an enforcement notice "wasn't appropriate or necessary" over the privacy policy.

The watchdog, and the other European regulators that form the Article 29 Working Party, have been pressing Google to improve its policy over the past two years, gaining small but for the most part unsatisfactory concessions along the way.

In signing the MOU, Google has agreed to implement key changes to improve the accessibility and content of its privacy policy and related web content.

Google hasn't agreed to unbundle its privacy policy for different services, however it has already "implemented a multi-layered approach to its Privacy Policy and will make additional changes to further enhance the layers," according to the agreement.

The company will also need to provide "clear, unambiguous and comprehensive information" about how and for what purpose it processes user data, as well as "an exhaustive list" of the types of data it processes.

It will also include "two provisions of the Google Terms of Service, regarding the processing of email data and the shared endorsement feature, in the text of the Google Privacy Policy."

Other concessions include explaining its data processing activities more clearly, and making it easier for users to find information about its privacy policy.

"This undertaking marks a significant step forward following a long investigation and extensive dialogue. Google's commitment today to make these necessary changes will improve the information UK consumers receive when using their online services and products," Steve Eckersley, head of enforcement at the ICO.

Google said it was pleased the UK's investigation was over.

"We're pleased that the ICO has decided to close its investigation. We have agreed improvements to our privacy policy and will continue to work constructively with the Commissioner and his team in the future," a Google spokesperson told ZDNet.

European regulators were concerned from the outset of Google's policy broke European laws and would ultimately harm consumers by blending personal data across services.

The Dutch data protection authority in December threatened Google with a €15m fine unless it makes changes to the policy, while the French regulator also issued a penalty.

The full list of steps Google must take by 30 June 2015 under the MOU include:

  1. Google will enhance the accessibility of its Privacy Policy to ensure that users can easily find information about its privacy practices.
  2. Google will enhance the disclosures in its Privacy Policy to describe its data processing activities more clearly, including the types and purposes for which it processes user information, and to provide users with information to exercise their rights.
  3. Google will provide clear, unambiguous and comprehensive information regarding data processing, including an exhaustive list of the types of data processed by Google and the purposes for which data is processed.
  4. Google will provide information to enable individuals to exercise their rights.
  5. Google will provide user resource covering data processed by Google and the purposes of processing.
  6. Google will include two provisions of the Google Terms of Service, regarding the processing of email data and the shared endorsement feature, in the text of the Google Privacy Policy.
  7. Google will add more information to its Privacy Policy about the entities that may collect anonymous identifiers on Google properties and the purposes to which they put that data.
  8. Google will implement several measures to ensure that passive users are better informed about the processing of their data and that publishers using Google products obtain the necessary consents.
  9. Google will revise its Privacy Policy to avoid indistinct language where possible.
  10. Google will enhance its guidance for employees regarding notice and consent requirements.
  11. Google will ensure, so far as practicable, that the requirements of the first principle are applied equally to all Google products, regardless of which terminal device the Google user is accessing them on, including mobile, tablet, desktop, and new hardware offerings.

Read more on this story