Unnoticed change in Google’s Privacy Policy enables more invasive online ad tracking

By Asheeta Regidi A small change to Google’s Privacy Policy in June this year removed the clause which kept Double Click data and user’s personal information separate (see change here). This means that the online ads you see are no longer based on anonymous cookie data, but on your personal information as well. This change remained unnoticed until it was discovered through an investigation by ProPublica. The good news, however, is that for existing users (prior to June 2016), the change is optional, and users can-opt-out. Online ad tracking and the need for anonymity Whenever you search for something online, say a particular product on a shopping website, you now know and expect ads relating to that product showing up at every website you visit. This is known as online ad tracking. Online ad tracking is possible because of ‘cookies’. Cookies enable websites to collect information, purportedly anonymous information, on user behavior on their site. This means that when you search for the product online, the websites will collect data on which product you searched for, how many pages you visited, which ads you clicked, etc. This data is compiled together, but it does not include ‘personally identifiable information’, or any information that can reveal your identity of the user, such as your name, e-mail address, etc. The idea of the internet keeping records of our every online movement feels highly intrusive. However, so long as the data collected by cookies is anonymous, there is a shred of privacy. [caption id=“attachment_221759” align=“aligncenter” width=“640”]  Image: Getty Images[/caption] Your web browsing activity is no longer private Google first bought DoubleClick in 2007. DoubleClick provides ad serving services, and for this purpose collects extensive data on users’ web browsing habits. The Privacy Policy previously assured users that they ‘…will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent’. This important line maintained the separation between anonymous data and personally identifiable information. The June Privacy Policy replaced this crucial line with, ‘Depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google’. On contacting Google about the change to the Policy, ProPublica was told that the change was required because Google had ‘updated (their) ads system and the associated user controls, to match the way people used Google today, across many different devices’. You may have noticed ads now follow you across your various devices. Meaning that if you made the search for a product on your laptop, you see related ads on your smartphone, and also your PC. What Google’s new system does now is to combine the anonymous data collected through DoubleClick, with the trove of personal information in the possession of Google, to deliver more targeted ads, anywhere you go. Basically, your web browsing activities are no longer private, and DoubleClick has access to your personal information.  Google has access to your every movement Given the volume of data Google has in its possession, the change is certainly worrying. Google has assured users that it will not use e-mail keyword scanning, meaning that the contents of your e-mails are still private. However, this is just one minor part of the information Google has access to. To name a few, Google has access to your activities on Google search, your YouTube browsing activities, your Gmail, apps you’ve downloaded from Google PlayStore and your location and movements through Google Maps. Basically, Google has the ability to prepare a chart on your every movement, both in the offline and online world, which can be identified based on your personal name. Is the change legal? Unfortunately, yes, the change is legal. Google has gone back on the promises it made to its users in 2007, much like **Facebook did when it decided to share WhatsApp data** a few months ago. This, however, does not make the change to the Privacy Policy illegal. Under privacy laws, so long as Google informs users that ‘a’ change was made, it is under no obligation to inform the users of what these changes are. The change made by Google, and earlier by Facebook, was a major change in policy, and users ought to have been informed of the details. All that a change to a privacy policy needs is the consent of the users. Google, in fact, acquired this consent from its users when it made the change in June, by prompting users to “receive new features for their Google account”. Since the change to the sharing of data with DoubleClick went completely unnoticed at the time, most users by now will have accepted the changes. How to opt-out While the data that has been shared already cannot be reversed, thankfully, Google has given users the option to opt-out. To opt-out, you need to visit the ‘ Activity Controls’ section on Googles’ ‘My Account page’, and uncheck the box titled “Include Chrome browsing history and activity from websites and apps that use Google services."  Change in privacy laws needed A stricter procedure needs to be put in place for any change in a privacy policy. Companies like Facebook and Google must be compelled under law to inform their users properly of changes to their privacy policies. Restrictions also need to be placed on what information the companies can collect, what they use it for, and who they can share it with. Lastly, as online targeted advertising gets increasingly invasive, this needs to be subjected to rules and some basic standards. In an era where the huge benefits of technology are being grossly undermined by the invasion of privacy, the law needs to be more stringent. If privacy laws are not improved, the only way left to maintain privacy will be to discontinue the use of all technology and go completely offline. The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.