The letter, which stopped short of calling Google’s data collection methods illegal, follows a nine-month investigation into the company’s data-collection policies led by France’s Commission Nationale de l’Informatique et des Libertés (CNIL).
According to Reuters, the letter was signed by 24 of the EU’s 27 data regulators, plus those from Croatia and Liechtenstein.
The letter said that the massive amounts of data sucked up by Google’s far-ranging reach raise concerns about user privacy:
"Combining personal data on such a large scale creates high risks to the privacy of users."
"Therefore, Google should modify its practices when combining data across services for these purposes."
- It’s not clear enough in explaining to users what data is collected and how it will be used;
- It’s too difficult for users to opt out of data collection and combination; and
- Google doesn’t always say how long it will hold onto data.
Beyond those concerns, the commission noted that Google treats all collected data the same, regardless of whether it's a simple search term or a credit card number, and regards any and all data types as fair game for any purpose stated in its new policy.
Regulators would prefer to see Google customize its treatment of data as appropriate to the type of data collected, to get more concrete about now-hazy parts of the policy, and to enable users to more easily detach themselves from the search giant's wide and sticky data web.
For example, as it now stands, the regulators pointed out, users have to take six actions to get out of targeted advertising.
Given Google's ever-expanding data universe and the overwhelming number of nooks and crannies a user's data can get wedged into, getting a handle on one's privacy can indeed be daunting.
- Advertising: Google shares non-personally identifiable information (non-PII) between Google services and ad networks by default so as to personalize ads.
- Street View: Images including those of men leaving strip clubs, protesters at an abortion clinic and sunbathers in bikinis have caused concern for privacy advocates. Street View has been banned in India and in Germany, while Australia has ordered Google to destroy personal data harvested by its image-collecting cars.
- Web History: Google keeps track of search terms and items clicked on when using Google services.
- Google Chat: Google by default keeps records of conversations.
- Google Analytics: Many websites use Google Analytics to track usage information, page views, and anonymous browser statistics.
- Search Personalization: Google customizes search results based on what users click on and search for, regardless of whether they've signed in to a Google account.
It's a bit of work to track them all down and opt out, as you can see when you check out Chester's guide.
Indeed, one problem the EU regulators raised in the letter is that the onus is on the user to figure out how to opt out of Google's myriad data-collection techniques.
They'd rather see Google instead ask users for explicit consent when bundling data from its services, the letter said.
The BBC reported that one of its sources at Google said that the company would look closely at the recommendations but that the findings weren't as serious as some industry watchers had predicted.
Google’s global privacy counsel, Peter Fleischer, told the AP that the company is reviewing the commission’s report but believes its policy respects European law.
Isabelle Falque-Pierrotin, president of the French National Commission on Computing and Freedom, told the AP that Google has three to four months to respond, but there's no hard deadline.
But if Google fails to comply with the regulators' recommendations, it could push the situation into a "contentious phase", she said, without giving details.
Does making its data-collection techniques more understandable work in Google's favor? Hardly. User ignorance is bliss for Google's bottom line.
As one industry watcher told the BBC, if people realised just how much data Google is amassing, they'd opt out en masse, threatening the company's bountiful ad revenues.
Auke Haagsma, a director for the Initiative for a Competitive Online Marketplace (Icomp), told the BBC that offering all of Google's tasty free services and reaping profits off the ads those services dish out just isn't compatible with data collection clarity:
"In Google's business model there is an inherent conflict of interest."
"On the one hand Google wants to offer good services to users, but on the other it's being paid for by advertising."
"Google is collecting so much data. If people realise that, they are afraid people will say no."
I have one friend, Tom Henderson, who went cold turkey on Google services in the spring, cutting himself out of the rich Google tapestry that makes our lives so comfortable that many of us roll over and show our bellies to get them.
He's detailed the pain of the Google divorce and outlined a list of replacement services he uses, though as of the spring, he just couldn't find a good YouTube substitute.
He's a better man than I.
Could you do it? Could you divorce Google?
Or are you, as am I, admittedly, a Google addict?
Using Ghostery in FF stops these tracking cookies that are used for this information gathering – but it also blocks the polls that Sophos like to have in some of these items.
Google have a history of poor security and walking rough-shod all over personal privacy and safety, so it's right that the EU should force them to make users opt-in rather than opt-out – but they stopped short of that this time. Why?
Dropped Android phones for Nokia Windows Phone. Switched Gmail to Live. At least you can easily opt out and delete bloatware you don’t want. People are starting to see behind the curtain and say enough.