This post has been updated.
Google’s new privacy guidelines—well, they were new in 2012—have been raising hackles ever since they were announced. Regulators and activists worried that combining data from the various products offered by Google—search, YouTube, email, and others—would allow the company to track users on an unprecedented scale. Several European countries immediately opened investigations and some concluded that Google was indeed breaking national laws.
The Dutch data protection authority (DPA) found Google’s new policy in breach of the country’s law more than a year ago. Today the Dutch DPA threatened to fine Google €15 million ($18.6 million) unless it changes its behavior by the end of February 2015. The Dutch are concerned that users who input their information to one of these platforms should understand that those other platforms can also draw upon it.
To make Google more transparent to its users, the DPA demands that the company:
Will ask for the unambiguous consent of users for the combining of personal data from the different Google services. This can be achieved via a separate consent screen. Unambiguous consent can’t be obtained through information about this processing in the general (privacy) terms and conditions.
Further clarifies the information in its privacy policy in order to provide clear and consistent information to people on which personal data are used by the different services of Google.
Provides clear information about the fact the YouTube is part of Google. With regard to this last point, Google seems to have already taken measures in the Netherlands.
It’s worth noting that France and Spain have previously issued similar ultimatums, both of which were ignored by Google, which chose to swallow the fines instead.
Update, 7pm EST: Google responded to the DPA’s ultimatum, saying, “We’re disappointed with the Dutch data protection authority’s order, especially as we have already made a number of changes to our privacy policy in response to their concerns. However, we’ve recently shared some proposals for further changes with the European privacy regulators group and we look forward to discussing with them soon.”