The letter is the latest in a series of communications with Google following investigations by a number of national agencies into Google’s decision to consolidate its privacy policies in 2012. The introduction of a single, sweeping policy has raised concerns over Google’s ability to aggregate and extensively evaluate its users’ personal data from their different Google service accounts, thereby significantly enhancing the potential for creating enriched customer profiles without properly informed consent [PeepBeep!].
The proposed compliance measures include:
- informing users of any new recipients of their personal data and how it will be used (avoiding phrases that are too vague, such as “and our partners”);
- avoiding indistinct language such as “we may …” and using, e.g., “if you used services A and B, we will …”;
- providing clear employee policies;
- adopting a multi-layered approach to the provision of its privacy notice;
- obtaining user consent prior to processing;
- providing users with tools to control the use of their data between its services; and
- defining its data retention policies.
The Article 29 Working Party states that it remains open to discussing any other measures that Google might propose to address its legal requirements, and it reserves the right to issue guidance on specific issues to the entire industry at a later point.