In March 2012, Google combined its many and varied privacy policies into one. Google argued this change benefitted users by distilling a complicated and potentially contradictory array of policies into a simplified approach that was easier to understand. It also allowed Google to use data across its network for any purpose, including ad targeting or product development.
The Europeans, and specifically France’s National Commission for Computing and Civil Liberties (CNIL), focused on that pooling or aggregation of user data under the new policy and asked Google a series of questions about how data would be used by the company and whether users were notified accordingly.
In a letter issued last October, CNIL, on behalf of European data protection authorities, laid out a number of concerns to Google CEO Larry Page. Among them, CNIL said Google had failed, during the investigation, to address key questions regarding data usage and user consent:
Reuters quotes European authorities who characterize Google’s policy as “high risk” (for individuals). The Reuters article adds that the various European privacy regulators have established a “working group” and will offer a coordinated response by this summer.
What that “response” or “action” might be is unclear, although fines are one possibility.
Below is the text of CNIL’s letter to Google CEO Larry Page from October, 2012.