This matter has been ongoing since Google launched the new privacy policy format in March 2012. Google has now signed an undertaking committing to make further changes to the privacy policy to make it clearer to individuals how their data is being obtained, used and to whom it is being disclosed.

Steve Eckersley, Head of Enforcement at the ICO, said: “This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services. It is vital that there is clear and effective information available to enable users to understand the implications of their data being combined”.

Google has committed to implement the necessary changes by June 2015 and the updated policy will also describe the sort of parties that collect “anonymous identifiers” from Google’s services.

The Office of the Data Protection Commissioner (ODPC) in Ireland has issued guidance on the minimum information to be contained in a privacy policy, which includes:

  • the identity of the person processing the data;
  • the purpose or purposes for which the data are processed;
  • any third party to whom the data may be disclosed; and
  • the existence of a right of access and a right of rectification.

All organisations, especially those operating in the mobile and online environments, should assess their business activities to ensure their privacy policies are an accurate reflection of their organisation’s data processing activities. Organisations that are required to register as either a data controller or data processor with the ODPC should also ensure their registration notice accurately reflects their data processing activities and is up-to-date.