Regulators in Europe are demanding that Google rethink recent revisions to its privacy policy.
In a five-page letter to CEO Larry Page, EU officials say the company's new privacy policy, which took effect March 1, leaves consumers in the dark about how Google collects or uses their data. The officials also say that in some case, Google's decision to combine data about users from across more than one platform might be illegal.
The letter, dated today, was signed by the chairman of the EU's Article 29 Working Party and other officials. They say that Google should "develop new tools to give users more control over their personal data."
The EU launched its inquiry into Google's privacy practices after the company announced it would start aggregating data about users across a variety of platforms -- including Android, Gmail and YouTube. That shift applies only to users who are signed in.
Google says that the new policy allows it to target ads and search results more precisely by drawing on a broader pool of information about users than in the past. The company isn't collecting any additional data or sharing information with outsiders.
Google has always maintained that its new policy -- which took effect on March 1 -- doesn't pose any new privacy risks. But EU officials see things differently.
"Google did not set any limits to the combination of data nor provide clear and comprehensive tools allowing its users to control it," the letter states. "Combining personal data on such a large scale creates high risks to the privacy of users."
The officials recommend that Google clarify how it combines data and also that it "develop new tools to give users more control over their personal data."
Currently, even though Google doesn't let people opt out of the privacy policy, users can stop it from combining data across platforms by signing out of services, or using different browsers for different tasks.
This is a helpful move - only an organisation with the heavyweight mass of the EU can force Google to open up its methodologies.
Certainly privacy campaigners will be pleased and I think VRM (Vendor Relationship Management) watchers will be happy if a simpler concealment tool than not signing in/using multiple browsers were developed.
Brands can find out your IP address and computer tracking by checking a combination of your browser / country / apps and plugins you use. They aren't unique but probably pretty easy to identify unique users - as a proxy these are much more scary than Google's open approach to data aggregation.
The Do Not Track directive is probably easy to work-round for the determined brand marketer. Calling Google out is just the first round in this long-running saga.