Google to give all users clearer information about data use

Google has vowed to revise its privacy policy and account settings, in order to make it clearer to people what it does with their data and give them more control. This comes as part of a settlement with the U.K. Information Commissioner’s Office, announced on Friday, but the changes will apply globally.

The ICO and other data protection regulators across the EU have been coordinating a crackdown on Google’s practices since 2012, when the company introduced a new unified privacy policy. The unified policy allowed [company]Google[/company] to mix and match personal data across its various services – between YouTube and Search, for example. However, many people did not, and still do not, appreciate what this means in terms of user profiling.

Google has faced repeated fines over its refusal to change the policy in countries such as France, Italy and Germany, but the sums involved were chickenfeed for a company of Google’s girth. The U.K.’s ICO hasn’t fined Google in this way, but has repeatedly said that Google’s settlement proposals didn’t go far enough.

Now this long-running drama may be drawing to a close. On Friday the ICO triumphantly brandished an undertaking in which Google said it would do the following things during the next two years:

  • Make its privacy policy easier to find, and be clearer in that policy about what user information it processes and why.
  • Provide users with “information to exercise their rights” and launch a redesigned account settings version to give them more control.
  • Add two provisions from the Google terms of service to the privacy policy, regarding email data and the “shared endorsement” feature.
  • Add to the privacy policy information about “the entities that may collect anonymous identifiers on Google properties and the purposes to which they put that data.”
  • “Take several measures” to tell passive users – those using third-party services that are plugged into Google services, such as advertising – more about what’s happening with their data. Those running the third-party services will also need to “obtain the necessary consents” for this data collection.
  • “Enhance its guidance for employees regarding notice and consent requirements.”

Google also said it would continuously evaluate the privacy impact of future changes to its services and keep users informed, especially where the changes “might not be within the reasonable expectations of service users.” Particularly significant changes to the privacy policy will be “reviewed by user experience specialists and with representative user groups before the policy and associated tools are launched as appropriate.”

The changes will make sure Google is compliant with the U.K. Data Protection Act, which is based on European law. It is not yet clear whether this is the end of the matter as far as the other EU data protection authorities are concerned — I understand that the changes will apply in all countries around the world, though.

Here’s what ICO enforcement head Steve Eckersley said in a statement:

Google’s commitment today to make these necessary changes will improve the information UK consumers receive when using their online services and products.

Whilst our investigation concluded that this case hasn’t resulted in substantial damage and distress to consumers, it is still important for organisations to properly understand the impact of their actions and the requirement to comply with data protection law… This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services.

Although the list of commitments is fairly comprehensive, some terms are vague and the proof may lie in the implementation. For example, the EU privacy watchdogs previously demanded that users get the opportunity to “choose when their data are combined, for instance with dedicated buttons in the services.” That’s not merely a matter of giving users “information to exercise their rights”, so it will be interesting to see what the redesigned account settings entail.

So far, Google has merely said:

We’re pleased that the ICO has decided to close its investigation. We have agreed improvements to our privacy policy and will continue to work constructively with the Commissioner and his team in the future.

Even if this does indicate a conclusion to the unified privacy policy saga, then Google still faces major regulatory headaches in Europe. These include the big search antitrust case – tied in with digital agenda commissioner Günther Oettinger’s apparent desire to extend a version of the “Google tax” copyright levy across Europe – and a potential second antitrust case over Android.

Still, one at a time, eh?

This article was updated at 8.15am PT to note that the changes will apply globally.

Will consumers trade the keys to the data castle for a $5 gift card?

There’s shift happening in the world of online data collection, meaning consumers might expect to get paid for access to their data rather than always playing the role of uncompensated mark. Done right, it’s a system where both sides of the equation stand to win.

Today in Social

Regular readers know I’m highly skeptical about U.S. consumers’ real concerns over their own privacy. As consumers, they’ve shown a willingness over the years to surrender personal information in trade for free media and other services. I’ve also often equated perceived privacy concerns with the amount of news coverage, whether it’s legitimate security breaches or hype-y “exposes.” And don’t get me started on how some traditional media, you know who you are, Wall Street Journal, would probably be happier if ad targeting was based on context, media brand, and high-wealth demographics, rather than behavioral data. Ki Mae Heussner’s write-up of a TRUSTe survey points out what business that organization is in, and describes behavioral data from Mozilla that suggests consumers may talk a better game than they play. But they do talk. If they start to act, that could make already tough online media businesses even tougher, and certainly hurt Google’s chances of becoming “an extension of your mind.”

Today in Social

Facebook will enable advertisers to re-target users with its otherwise boring right-rail ad units. They won’t be able to add additional Facebook-data-driven targeting, and this doesn’t have anything to do with Facebook’s Sponsored Stories ad units, which actually are “social” marketing. Advertisers will buy these ads via real-time bidding through eight Demand Side Platforms (DSPs). This is a smart move by Facebook, but it’s not particularly innovative. Re-targeting is an effective advertising technique for CPC direct-marketing ads – advertisers can remind a target who has expressed interest via a site visit or search that didn’t convert to an action or click through. Re-targeting inventory is valuable, but difficult to buy at scale. Facebook potentially has lots of scale and this could help it raise its prices a bit. Some are calling this an “exchange,” but that’s misleading – while it connects Facebook inventory with ad networks via the DSPs, it’s not a “network of networks.”

Today in Social

With all the consternation over online data collection, you’d think something evil – greed? – was pushing companies to risk violating user privacy. Yet a new study of online news sites by the Pew Research Center says, in fact, not very many are actually targeting their ads. The study seems a little narrow. For one thing, it focused on home pages, and mostly on sites from traditional media companies. Yes, that’s where premium ads run, but it isn’t where re-targeting, for example, makes the most sense. And Pew seems disappointed that it found so many house ads when it’s possible that they’re a good use of inventory space, assuming the companies did some ad yield analysis. Nonetheless, you’ve got to wonder when all this data collecting will pay off.

ADmantX raises $2.8M for semantic ad technology

Semantic ad tech company ADmantX has raised $2.8 million in funding from Atlante Ventures Mezzogiorno, the venture arm of Italian bank Intesa Sanpaolo. The funds come just a few months after ADmantX came out of beta to provide ad targeting based on semantic analysis.

Privacy Legislation’s Potential Impact on Online Media

Last week, the bipartisan Kerry-McCain bill proposed legislation on a Commercial Privacy Bill of Rights that would put the FTC in charge of policing the online collection, sharing and use of personal information. That has far-reaching implications for the online media business.

Privacy Legislation’s Potential Impact on Online Media

Because the Kerry-McCain online privacy bill is watered down relative to prior proposals, it will face less industry resistance, and is more likely to be passed this year. That has far-reaching implications for online advertising and targeting.

Today in Social

Today, there’s talk of privacy and browser “Do Not Track” mechanisms. Mozilla said it would propose one for possible inclusion in Firefox. Google actually released a Chrome extension supporting opt-outs, and promised open-source features for other browsers. Microsoft was talking last month, and the FTC thinks it and Mozilla are ahead. But Google’s shipping code, even if it may not be a perfect solution – its extension allows users to keep their opt-out preferences they might otherwise lose when cleaning their cookie cache. Google is basing its work on self-regulation by National Advertising Initiative members that include the top 15 ad networks. Mozilla concedes it needs widespread industry adoption for its header approach. Whatever the technology solution, this is all good progress, and may fend off government regulation if it’s promoted widely enough. That would be good for everyone.

Online Trackers Peel Back Curtain Before FTC Steps In

A collection of data miners and tracking companies is creating a one-stop shop for consumers to see how ads are targeting them and how they can opt-out if they choose. The move is a preemptive attempt to head off a possible “Do Not Track” registry.