What do Google’s changes to its privacy policy actually mean?

If you’ve been using Google lately, you might be aware of some of the changes they’re making to their privacy policy. However, you might be unsure as to what these changes actually mean. So, to clarify what they mean to you and their significance in relation to the General Data Protection Regulation (GDPR), we spoke to several industry experts about the issue.

Will my privacy be more at risk?

GDPR was brought in back in May 2018, in response to increasing demands for internet users to have more control over their personal data.

However, the demand for privacy has not let up there. According to the Global Consumer State of Mind Report 2021 from Trūata, 76% of global consumers believe that brands need to do more to protect their data and over six in ten (62%) agree it is now a key differentiator when choosing to engage with a brand or product.

With this in mind, we asked Nadia Kadhim, CEO of cybersecurity platform Naq Cyber and GDPR lawyer, whether Google’s changes to their privacy policy meant that users’ privacy would be more at risk.

Nadia comments: “The most recent changes in Google’s privacy policy do not necessarily mean that users’ privacy is more at risk. In fact, it seems a few more stringent privacy controls have been put in place to protect users.

“For instance, they have added that Google won’t be showing any personalised ads on the basis of the user’s content from Google Drive, Gmail, or photos, which is a great and overdue addition to the Google Privacy Policy.

“However, one important update is that users from the UK are no longer customers of Google Ireland, but rather of Google LLC, which has important consequences under the UK GDPR.

“Under the UK GDPR, data must be processed within the UK but can be transferred to countries within the EEA (which includes the EU, Liechtenstein, Iceland and Norway) on the basis of a so-called adequacy decision.

“Google LLC is an American company, so additional legal and security measures must be taken by UK businesses to ensure that the international data transfer from the UK to Google in the USA is compliant. This includes having the right policies in place, legal contracts which include Standard Contractual Clauses, as well as ensuring data is encrypted and anonymised where possible.”

Back in January 2020, Google also announced that they would be getting rid of third-party cookies. Cookies are text files containing small pieces of data that are used to track, personalise and save information about the user’s interaction with a website.

Third-party cookies are created by websites (or domains) that are different from the one you are browsing and are usually linked to advertisements on a particular website page. Third-party cookies let advertisers or analytics companies track an individual’s browsing history across the web on any sites that contain their ads.

This means that the advertiser can track users across multiple websites. For example, they could determine that a user first searched for running apparel at a specific outdoor website then checked a specific sporting goods site and then looked for running apparel at a certain online sportswear boutique.
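To make the distinction between first- and third-party cookies concrete, here is an added Python example (it is not part of the original article and not Google’s code). It takes a constructed log of cookies observed while browsing three shops, decides which cookies belong to a domain other than the site being visited, and shows how a single third-party cookie value links visits across all three sites, which is exactly the trail described above. The hostnames and cookie values are invented, and the tiny suffix table stands in for the Public Suffix List that a real audit tool would load.

```python
from urllib.parse import urlparse

# Constructed sample: (page URL visited, Domain attribute of a cookie seen
# during that visit, cookie name=value). The ads-example.net cookie is set
# by an ad embedded on all three shops, so it carries the same uid everywhere.
OBSERVED = [
    ("https://www.outdoor-example.com/running", "www.outdoor-example.com", "session=abc"),
    ("https://www.outdoor-example.com/running", ".ads-example.net", "uid=7f3a"),
    ("https://shop.sports-example.org/shoes", "shop.sports-example.org", "cart=1"),
    ("https://shop.sports-example.org/shoes", ".ads-example.net", "uid=7f3a"),
    ("https://boutique-example.co.uk/running", "boutique-example.co.uk", "lang=en"),
    ("https://boutique-example.co.uk/running", ".ads-example.net", "uid=7f3a"),
]

# Minimal stand-in for the Public Suffix List (assumption for this example);
# a real tool should use the full list so that e.g. "co.uk" is never treated
# as a site of its own.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname (or cookie Domain attribute) to its registrable
    domain, the unit browsers use when deciding what counts as 'same site'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_third_party(page_url: str, cookie_domain: str) -> bool:
    """A cookie is third-party when its domain differs from the site the user
    is actually browsing."""
    page_site = registrable_domain(urlparse(page_url).hostname)
    return registrable_domain(cookie_domain) != page_site


def cross_site_trackers(observations):
    """Map each third-party (domain, cookie) pair to the set of first-party
    sites it was seen on. An entry spanning several sites is a cross-site
    tracking trail: the same identifier followed the user from shop to shop."""
    trail = {}
    for page_url, cookie_domain, cookie in observations:
        if is_third_party(page_url, cookie_domain):
            key = (registrable_domain(cookie_domain), cookie)
            site = registrable_domain(urlparse(page_url).hostname)
            trail.setdefault(key, set()).add(site)
    return trail


if __name__ == "__main__":
    for (domain, cookie), sites in cross_site_trackers(OBSERVED).items():
        print(f"{domain} cookie {cookie!r} seen on {len(sites)} sites: {sorted(sites)}")
```

Running it reports that the `uid=7f3a` cookie from `ads-example.net` was seen on all three shops, while each shop’s own session cookie is first-party and never leaves its site; blocking or partitioning third-party cookies is what breaks that trail.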

At the start of October, Google also announced that it would be turning on two-factor authentication by default. This is an electronic authentication method that adds an extra layer of protection to online accounts beyond a username and password. Two-factor authentication methods include sending a code to your mobile phone via text, codes generated by mobile phone applications and even scanning fingerprints.

Commenting on these changes, Andrew Oury, Chartered Accountant, Chartered Tax Adviser and Partner at Oury Clark, said: “Google’s move to introduce two-factor authentication and its plan to move away from third-party cookies are small, yet promising, steps towards better data security.

“GDPR in principle is a noble cause but I think most people would agree that, in practice, it leaves a lot to be desired. The endless pop-ups on every website have led to most people clicking ‘accept all’ without thinking, agreeing to goodness knows what terms over their data.

“It remains to be seen if Google’s changes will succeed in more adequately protecting people’s data but it’s certain that we’re in the midst of a sea change in how data is protected, spoken about and accessed, and more changes will certainly be coming down the line.”

Does the GDPR regulation have an impact on what changes can be made to a privacy policy?

With the new privacy policy changes meaning UK businesses who transfer data to Google in the USA must take additional measures, this raises important questions as to the effect the General Data Protection Regulation (GDPR) has on the changes a company makes to their privacy policy. Do companies actually adhere to the GDPR themselves?

A survey of SMEs by marketing data and insight company REaD Group found that 85% of UK SMEs are familiar with the General Data Protection Regulation, but more than half are not cleaning their data, so its legal requirements are not being adhered to.

The survey of 1,110 SMEs also found that only 40% hold their customer and prospect data in a CRM or other database, whilst 25% of those with a CRM indicated they did not run data cleaning or update processes. This rose to 61% of SMEs overall. The GDPR requires all customer data to be clean and up-to-date in order to be compliant and legal.

“Concerningly, over 80% of companies are in fact not GDPR compliant,” continues Nadia. “They often don’t know what to do or where to start when it comes to tackling their business’ compliance and, therefore, fail to put the right policies in place, take the right organisational measures, such as training their staff, and take technical security measures to ensure the data is protected.”

Positively, however, the survey by REaD revealed that 85% of all SMEs said they were familiar with the GDPR, regardless of whether they had customer data in a CRM or other database. Of those with a CRM or database, only six percent were not familiar, meaning that the majority of those who hold customer or prospect data are familiar with the regulations governing storage of that data.

80% of all respondents were aware that GDPR requires data to be kept clean and accurate or be deleted, leaving one-fifth of SMEs who were not.

“GDPR refers to anything referenced as personally identifiable information not in the public domain, such as someone’s mobile number,” says Oliver Rowe, Founder and CEO of telecoms company Fusion Communications.

“If an employee is now working remotely and part of their role involves contacting customers, their employer needs to provide company equipment, for example a company mobile or soft client telephone.

“If they fail to do so, the employer has no visibility or control over that element of customer contact, and customers’ mobile numbers could be stored on an employee’s personal mobile, which could easily lead to personal data breaches.

“Best practice would be for employers to ensure all home workers are issued with a company mobile device with some element of calls, texts and data and a company soft client for the landline system on it.”

How difficult is GDPR to enforce?

In 2020, UK businesses paid roughly £39.7m in fines from the UK’s data protection watchdog, the Information Commissioner’s Office (ICO), for breaching GDPR. This is the second-highest total, behind Italy, for countries where the GDPR is active.

However, the UK figure was accounted for by just three cases, which raises important questions as to how difficult GDPR has been to enforce, especially where smaller businesses are concerned.

Nadia comments: “GDPR isn’t necessarily hard to enforce, but rather the ICO has chosen to focus on larger corporates first. They often react to complaints about a non-compliant form of data processing, which is then quite easy for them to check.

“They have a look at the policies a company has in place, the organisational and technical security measures a company takes and whether or not their staff has been adequately trained, etc. If this is not up to standard, a fine is issued.

“However, more and more fines are being given out to small businesses for having an inadequate privacy policy; last month alone nearly 20 fines were given out to small businesses, averaging £15,000, enough to put millions of small business owners, and their staff, out of a job.

“The fines that have been given out so far are, as I suspect, just the tip of the iceberg and small businesses need to tackle their compliance as soon as possible, to ensure they don’t go out of business as a result of a fine that could easily have been avoided.”