Google has agreed to give users more control over their personal data following objections raised by Germany’s competition authority. The Federal Anti-Cartel Office (FCO) in Germany confirmed that Google will now require user permission to combine personal data from various sources and use it across its services.
Reversal of Privacy-Invasive Policy
This decision forces Google to reverse its privacy-invading policy from January 2012, which consolidated over 60 separate privacy notices into a single, comprehensive policy. Google’s initial argument was that this consolidation would simplify the user experience, but it also enabled the company to collect more personal data, enhancing user profiling and targeted advertising.
Clear User Consent
The FCO stated that Google must offer users “free, specific, informed, and unambiguous consent” options for data processing across its services. Importantly, the design of these consent dialogs should not manipulate users.
Regulatory Scrutiny
The FCO began examining Google’s data practices in May 2021 and intensified its investigation in 2022. The regulator believes that Google’s extensive data aggregation capabilities could provide an unfair advantage in the market, which goes against German anti-competition law.
EU Digital Markets Act Impact
The recent implementation of the EU Digital Markets Act (DMA) introduced restrictions on data aggregation without user consent at the pan-European level. Google, classified as a gatekeeper under the DMA, has until March 2024 to comply. However, the FCO’s requirements will apply to Google services not covered by the DMA, including Gmail, Google News, Assistant, Contacts, and Google TV.
Next Steps for Google
Google is expected to present an implementation plan for the new consent requirements within the next three months. This plan will clarify what “free, specific, informed, and unambiguous consent” means in practice.
Not all users are pleased with such strict regulations, as some found cross-profiling beneficial for seamless use of Meta services, notes NIXSOLUTIONS. Meanwhile, Meta is adjusting its approach to data processing in the EU, potentially opting for subscription-based services to avoid GDPR requirements.