On October 14th, 2005, Google put up a new privacy policy, replacing one that had been in effect since July 1st, 2004 (available here). This fact alone does not seem particularly newsworthy, but what has been interesting to observe is the extensive coverage on the internet of this change. People have been analyzing the changes, comparing the previous policy to the new one, and generally commenting on Google and privacy.

Google has also put up a new section entitled Google Privacy Policy Highlights, which seems to be an attempt to quickly capture the essence of the privacy policy for those who won’t read the entirety of the document. Given that so few people actually read privacy policies, this may be a benefit for consumers and regular internet users in getting them to read anything at all about what they are agreeing to when they use Google services. However, providing these highlights necessarily risks omitting details that may be important to some individuals.

The implications and legal status of a highlights document is also unclear. Just as in the case of the HIPAA Privacy Rule, a privacy policy highlights page may benefit users by making policies more readily accessible and actually read. However, following the Privacy Rule is necessary but not sufficient for HIPAA compliance; likewise, a company adhering to its highlighted privacy policy elements may still be violating other aspects of their policy. Furthermore, while Google still seems to be squarely on the side of good, more devious or uncaring companies may use a privacy policy highlights document to deceptively portray their privacy practices, knowing few (if any) people will take the time to review the longer, more legally significant full policy.

Google has continued to make previous versions of the privacy policy available for review/download, which is a good business practice but could go further. Granted, Google is doing more than most companies in this respect, but the next step would be to actually highlight the changes between two documents. Very few (if any) sites are providing this sort of privacy policy insight, so curious/concerned individuals are left to use other means for such analysis, such as this HTML diff tool. Using this tool, one can view the changes from the old policy to the new one here, although this only provides a literal diff between the documents and no high-level insight. Another text comparison that emphasizes the changes between documents is here.

Google largely disclosed more details regarding already-mentioned policies, such as what security measures are in place and how users can update/remove PII. There are a few new policies, though, such as providing users the ability to opt out of providing PII and the relationship Google has with affiliates regarding PII. Read on for more detailed analysis of the changes Google made to its policy.

So in general terms, what changes did Google make to their policy? Starting from the beginning:

• Introduction: Google seems to have generalized their overview, no longer naming specific products or services that the policy applies to, and noting that many of Google’s services have their own privacy policy as well.

• Information collection: This section was reorganized, yet seems to be largely presenting the same policies as were present in the previous version. The first four sections are a reorganization of old content.
• Information collection: The section entitled “Affiliated sites” appears to be a new addition to the privacy policy. As Google now offers services in conjunction with other sites, Google is now acknowledging that they are sharing PII with those affiliates, and they also encourage the user to read affiliates’ separate policies.
• Information collection: The next section, “Links”, adds a link of its own, pointing to the FAQ now to provide further explanation of how Google uses links to identify requests, and how those links can contain PII. The FAQ indicates this privacy policy change was necessitated by newer services such as Google Toolbar and Google Web Accelerator.
• Information collection: Google now presents a list of its purposes in collecting information from its users. Again Google defers to the privacy policies of individual services for full disclosure.
• Information collection: Google ends this section with an apparently new policy - the disclosure of processing PII for a third party (e.g. advertising partners).
• Choices: This section appears to be entirely new. In the old privacy policy, Google did not mention opting out at all. Here, Google is emphasizing the consent aspect to their PII gathering and the user’s right to opt out (albeit at the risk of a loss/reduction of services provided).
• Information sharing: Google adds a statement that they will enforce opt-in consent for any “sensitive” PII sharing - what qualifies as “sensitive” is defined in the FAQ as including “information we know to be related to confidential medical information, racial or ethnic origins, political or religious beliefs or sexuality and tied to personal information.”
• Information sharing: Google expands upon reasons that it might share information in cases of suspected fraud, security risks, or Terms of Service (ToS) violations.
• Information sharing: Google makes it clear that the aggregated information being shared is always non-PII.
• Information security: This section was more than doubled in length; previously two sentences, security now receives coverage of two full paragraphs. The new parts describe Google’s security measures in more detail and mention confidentiality obligations that bind Google employees, contractors, and agents.
• Data integrity: This entirely new section details how Google attempts to maintain “accurate, complete, and current” PII, but how this requires user participation and help to achieve. Google also states that they review their practices to make sure that they are only collecting the PII that they need to provide/improve a particular service.
• Accessing and updating PII: A much longer section than before, adding details on how users can update or remove the stored PII that Google has on them (with certain conditions/restrictions also detailed).
• Enforcement: A clear statement of how to contact Google with comments, questions, concerns etc; this is an improved presentation of old information, with the addition of an address to mail in concerns (in lieu of contacting Google via the web).

  This entry was posted by Paul Otto (pnotto@ncsu.edu) on Tuesday, October 18th, 2005 at 11:04 am and is filed under Privacy Policies. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.
  
  Note: Blog posts are the opinions of their authors and do not reflect the official opinion of the National Science Foundation or North Carolina State University.