Steve Eckersley, Head of Enforcement at the ICO, said: “This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services. It is vital that there is clear and effective information available to enable users to understand the implications of their data being combined”.
Google has committed to implement the necessary changes by June 2015 and the updated policy will also describe the sort of parties that collect “anonymous identifiers” from Google’s services.
- the identity of the person processing the data;
- the purpose or purposes for which the data are processed;
- any third party to whom the data may be disclosed; and
- the existence of a right of access and a right of rectification.
All organisations, especially those operating in the mobile and online environments, should assess their business activities to ensure their privacy policies are an accurate reflection of their organisation’s data processing activities. Organisations that are required to register as either a data controller or data processor with the ODPC should also ensure their registration notice accurately reflects their data processing activities and is up-to-date.