Member Article

On 1 March 2012, Google launched a new privacy policy by consolidating over 60 of its global privacy policies into one document. The new privacy policy does not indicate that Google will collect any new or additional data about users. What it does do, however, is inform people that Google will merge data which it already collects from services such as YouTube and Web History (which records all searches performed on Google.com) with other Google products and services. Google will now be able to draw upon data from a larger amount of Google services (such as Web History, YouTube, Gmail, Blogger, Google TV and Google+) and build more complete user profiles by allowing those services to exchange information other about a user's practices.

Prior to these changes, Google would have been precluded under its privacy policy, for example, from recommending sports videos on YouTube to a user who had previously searched for 'sport' on Google, even where that user was signed into the same Google Account when using both services.

Although the main changes in the updated privacy policy affect users signed into Google Accounts, the new policy applies to all users of Google products (whether signed-in to Google accounts or not).

Google has said it believes these changes will provide a more tailored and relevant end-user experience.

The new privacy policy does not present a significant departure from Google's pre-1 March position. What it does demonstrate, however, is a new era in customer notification. The announcement of changes to Google's privacy policy was an extensive and exhaustive user notification effort to over 350 million authenticated users including promotions on the Google homepage, emails to all users, and pop-up notifications.

Although most organisations will lack the vast user base and reach as Google, the approach employed by Google may be indicative of a new approach to privacy notification which could come to be expected by both consumers and regulators alike.

National Privacy Principle (NPP) 5 in the Federal Privacy Act requires an organisation to set out in a document (usually called a 'privacy policy') clearly expressed policies on its management of personal information, including what sort of personal information the organisation holds, for what purposes, and how it collects, holds, uses and discloses that information.

NPP 1.3 also requires an organisation, at or before the time of collecting personal information about an individual, to take reasonable steps to ensure that individual is aware of matters including the identity of the organisation, the purposes for which the information is collected, organisations to whom that information may be disclosed, or consequences for the individual if that information is not provided. This is usually done by way of a collection statement, which should also be reflected in an organisation's privacy policy.

If an organisation makes a departure from its information handling practices, these should be reflected in its privacy policy and/or collection statement. It should also take reasonable steps to notify consumers of those changes. How this should be achieved will depend upon the nature of the change, the type of personal information collected and how the organisation usually interacts with the people about whom it collects personal information.

 

Link to article