On March 16, the French Data Protection Authority (the “CNIL”) sent a letter to Google in which it requests responses to 69 questions regarding Google’s recently launched revised privacy policy that took effect on March 1.
The questions, which the CNIL drafted with the help of other EU data protection authorities, come after Google’s rejection of two prior requests from the CNIL to suspend the changes to Google’s privacy policy until the CNIL could conduct a review to determine whether the changes comply with EU data protection rules. In a February 27 letter, the CNIL informed Google of its preliminary conclusion that the privacy policy changes do not comply with EU data protection rules and warned that if Google did not suspend the changes, the CNIL would issue a detailed list of questions regarding Google’s privacy practices.
The CNIL’s questions are particularly focused on Google’s sharing of user data across Google’s various services, whether such combination of data will always occur, whether users can ever opt out of such sharing, and whether such sharing activities can be understood by average users reading the revised privacy policy. The letter also seeks clarification regarding whether Google’s policies for mobile devices running on its Android operating system and information collected using cookie technologies violate EU privacy laws. The letter further asks Google about how it currently respects user’s browser privacy settings, and whether Google believes it is legitimate to circumvent third-party browser-enabled cookie blocking options. Other questions raised in the letter are, among others, when Google collects sensitive data and for what purposes; the specific tailored content that Google presents to users based on their information; the situations in which Google would seek explicit consent from users before making additional changes to Google’s privacy practices; whether Google’s definition of “non personal information” includes full IP addresses; and how Google’s broad license provision in its terms of service applies to personal information it collects from users.
The CNIL requests a response to all of its questions by April 5.
