Last year, we outlined Google’s commitment to comply with Europe’s new General Data Protection Regulation (GDPR), across all of the services we provide in the European Union. We’ve been working on our compliance efforts for over eighteen months, and ahead of the new law coming into effect, here’s an update on some of the key steps we've taken.
Improved user transparency
We’re updating our current Privacy Policy to make it easier to understand what information we collect, and why we collect it. We’ve improved the navigation and organization of the policy to make it easier to find what you’re looking for; explained our practices in more detail and with clearer language; and added more detail about the options you have to manage, export, and delete data from our services. The policy now also includes explanatory videos and illustrations, because a visual description can be easier to understand than text alone. And we've made it easier to jump to your privacy settings directly from the policy, helping you make choices about your privacy.
Although we’re taking these steps to make our Privacy Policy easier to understand, it’s important to note that nothing is changing about your current settings or how your information is processed. You’ll continue to have granular control over the data you share with us when you use our services, but with clearer explanations. The updated policy is already available to read and we’ll be emailing all of our users about it individually.
Improved user controls
Every day, nearly 20 million people around the globe visit My Account, our central hub that brings together all the different ways you can review your Google security, privacy and ad settings. As part of our GDPR compliance efforts, we’ve improved both the controls and the clarity of information in My Account so that people are better informed about how and why their data is collected. Within My Account, you can:
- Use Activity Controls to choose what activity is saved to your Google Account. We provide simple on/off switches to control Location History, Web and App Activity, YouTube Search History and more, across all devices that are signed in to your account.
- View or delete data—including search history, location history, browsing history—from our services using My Activity. To make it easier to browse your past online activity, we have given you tools to search by topic, date, and product. You can permanently delete specific activities, entire days or weeks of activity that you don’t want associated with your account.
- Take a Security Checkup or Privacy Checkup to reassure yourself that your account is secure, and that your privacy settings work for you. We’ve recently added an option that allows you to subscribe to more frequent prompts to take the Privacy Checkup.
- Manage or mute the ads you see on Google, on websites and in apps using the recently upgraded Ads Settings tool and Mute This Ad control. We have provided more information about how and why certain ads are personalized, and will also be further simplifying the look and feel of these tools in the coming months.
- Get a clear overview of all the Google products that you use—and the data associated with them—via Google Dashboard. We’ve recently made the Dashboard more mobile-friendly so it's now easy to use across different devices.
Improved data portability
Since its launch in 2011, people around the world have used our Download Your Data tool to export data from products like Google Photos, Drive, Calendar, Google Play Music and Gmail, either to their own computer, or to storage services like OneDrive, Dropbox and Box. We are further improving and expanding this feature, adding more Google services, including more contextual data controls, and creating a new setting that helps people schedule regular downloads.
While we’ve enabled people to download data from our services for many years, the GDPR encourages companies to enable direct service-to-service data transfers where feasible, for example from Google Photos to another photo service. To support that aim, we've recently initiated the Data Transfer Project on GitHub, providing early-stage open source code that will, in time, be of use to any developer wanting to offer seamless transfer of data from one service directly into an alternative (or vice versa).
Parental consent and improved tools for children online.
Under the new rules, companies must get consent from parents to process their children’s data in certain circumstances. To obtain that consent and to make sure that parents and children have the tools to manage their online experiences, we’re rolling out Family Link–already available in various countries around the world–throughout the EU.
Through Family Link, parents can create a Google Account for their child and are required to provide consent for certain processing of their child’s data. Family Link also allows parents to set certain digital ground rules on their child’s Android device– like approving or blocking apps, keeping an eye on screen time, or remotely locking their child’s device. We plan to evolve Family Link’s functionality over time, working closely with parents and advocacy groups.
Helping our business customers and partners
The GDPR places new obligations on Google, but also on any business providing services to people in the EU. That includes our partners around the globe: advertisers, publishers, developers and cloud customers. We’ve been working with them to prepare for May 25th, consulting with regulators, civil society groups, academics, industry groups and others.
For our advertising partners, we’ve clarified how our advertising policies will change when the GDPR takes effect. We already ask publishers to get consent from their users for the use of our ad tech on their sites and apps under existing legislation, but we’ve now updated that requirement in line with GDPR guidance. We’re also working closely with our publisher partners to provide a range of tools to help them gather user consent, and have built a solution for publishers that want to show non-personalized ads, using only contextual information.
For our Google Cloud customers, we’ve updated our data processing terms for G Suite and Google Cloud Platform and provided detailed information to customers about our approach to data portability, data incident notifications, secure infrastructure and third party audits and certifications, among other features. For more information, visit the Google Cloud blog.
Strengthening our privacy compliance program
Over the last decade, Google has built a strong global privacy compliance program, taking advice from regulators around the world. Across the company, we have dedicated teams of engineers and compliance experts who work in full-time privacy roles, ensuring that no Google product launches without a comprehensive privacy review. We’ve now further improved our privacy program, enhancing our product launch review processes, and more comprehensively documenting our processing of data, in line with the accountability requirements of the GDPR.
This is a snapshot of things we’ve done to date to be ready for May 25, 2018. But our commitment to compliance with the GDPR, and the rights it gives people, will continue long beyond this date. As we evolve our products over time, we’ll continue to improve our Privacy Program and the protections we offer to users. Our ambition is to have the highest possible standards of data security and privacy, and to put our users and partners in control.
Posted by William Malcolm, Director, Privacy Legal, EMEA