In the last few months of 2007, Google announced in 2 posts on its blog (post one, post two) that it was changing its policies on cookies and server logs. This followed investigations into Google by various data protection bodies, including one by the Article 29 Working Group of EU data protection authorities (see IMPACT story on the latter).
In essence, the new policies are:
- Server logs. Google keeps a log of the searches that are performed. Google has announced that it will anonymise its logs after a "limited period" of 18 - 24 months, unless it is "legally required to retain log data for longer". If you really want Google to retain a non-anonymised log about you for longer, you can do this through the new search history service.
- Cookies. Cookies are to have an automatically renewing lifetime of 2 years, rather than expiring in 2038. This means that the cookies of active Google users will keep being automatically renewed to have an expiry date of 2 years, but once someone stops using Google, the cookie will expire at the end of the 2 year period.
Are the policy changes likely to satisfy the EU data protection authorities?
- Server logs. The policy of retaining logs for 18 - 24 months was already in place when the Article 29 Working Group started investigating Google. In the now-public Article 29 Working Group letter to Google, the Group asks Google to justify "why this long storage period was chosen". Going further, the Group wanted justification for Google keeping server logs at all. In conclusion, Google is going to have to make further changes to its server log policy before the authorities are happy.
- Cookies. The Group's view is that, to comply with data protection law, Google can only retain cookies for as long as strictly necessary to provide its services. Given that the Group thinks retaining server logs for 18-24 months is too long, I cannot see that it is going to be delighted with cookies that last for 2 years after they were last used. Maybe a month or two would be a more sensible period? Google has pointed out that internet browsers allow users to delete cookies. However, most users don't know how to do this, and simple deletion on an ad-hoc basis doesn't really amount to a user managing their privacy in an informed manner.
As an aside, I'm not saying that all websites need to retain cookies for a very short period (although this will often be all that's necessary). With Google, such things are considered to be important by the data protection authorities because Google holds data on so many people.
- General. The Group thought that Google's announcement of 'more anonymous data' was positive but wanted clarification as to what this means in practice. The Google blog post announcing the change in the cookies policy didn't provide any clarification, so the Group will still be asking for this.
In conclusion, on the facts I suspect that the Group's view of Google's new policies is likely to be "good start but much room for improvement".
What can Google do?
One way of resolving the Article 29 Working Group's concerns would be for Google to simply tighten up its policies: drastically cut down the time it keeps cookies and server logs and provide full details of how it is making its data more anonymous, with this "more anonymity" being sufficiently "more" to comply with EU data protection legislation.
There may, however, be a more creative solution. The Google search history service, if implemented properly, could give users the ability to make an informed choice about what data Google stores about them, how long for, how it's used and when it is anonymised. To satisfy the data protection authorities, by default the storage of cookies and server logs would have to give a high level of privacy, with users able to reduce the level if they want to enable Google to provide a more personalised service. At present, the service is hidden away, doesn't offer this level of choice, and so isn't currently the solution.