Wednesday, March 14, 2007

Taking steps to further improve our privacy practices



When you search on Google, we collect information about your search, such as the query itself, IP addresses and cookie details. Previously, we kept this data for as long as it was useful. Today we're pleased to report a change in our privacy policy: Unless we're legally required to retain log data for longer, we will anonymize our server logs after a limited period of time. When we implement this policy change in the coming months, we will continue to keep server log data (so that we can improve Google's services and protect them from security and other abuses)—but will make this data much more anonymous, so that it can no longer be identified with individual users, after 18-24 months.

Just as we continuously work to improve our products, we also work toward having the best privacy practices for our users. This includes designing privacy protections into our products (like Google Talk's “off the record” feature or Google Desktop’s “pause” and “lock search” controls). This also means providing clear, easy to understand privacy policies that help you make informed decisions about using our services.

After talking with leading privacy stakeholders in Europe and the U.S., we're pleased to be taking this important step toward protecting your privacy. By anonymizing our server logs after 18-24 months, we think we’re striking the right balance between two goals: continuing to improve Google’s services for you, while providing more transparency and certainty about our retention practices. In the future, it's possible that data retention laws will obligate us to retain logs for longer periods. Of course, you can always choose to have us retain this data for more personalized services like Search History. But that's up to you.

Our engineers are already busy working out the technical details, and we hope to implement this new data policy over the coming months (and within a year's time). We’ll communicate more as we work out these details, but for now, we wanted you to know that we’re working on this additional step to strengthen your privacy.

If you want to know more, read the log retention FAQ (PDF).

Update (April 2008): After the explanation above concerning our decision to anonymize our server logs after 18-24 months, we subsequently decided on 18 months, which we explain here.
