Google: New privacy policy to have little impact on enterprise

The company says it will not share data between its enterprise apps and personal Google accounts

Google's plan to share user data across its online services will have little effect on users of the company's enterprise, government and education application suites, the company said.

The rewrite of Google's privacy policies, scheduled to roll out March 1, will not change Google Apps for business, government and education because those applications suites already link services such as email and calendars, Google spokesmen said. If a user of one of those suites logs into a separate personal Google account, such as YouTube or Google+, those services will not share the user's personal information with the enterprise suites, they said.

Google will not establish relationships between users' work accounts and personal accounts, a spokesman said.

Businesses, government agencies and schools using the apps suites have contracts with Google that generally specify how the vendor will handle their users' data, Google said.

"As always, Google will maintain our enterprise customers' data in compliance with the confidentiality and security obligations provided to their domain," Google said in a statement. "The new privacy policy does not change our contractual agreements, which have always superseded Google's privacy policy for enterprise customers."

IT research and consulting firm Gartner is advising private-sector enterprise clients that use Google Apps to review their contract with Google to make sure it contains language that shields their organization from potentially negative effects of this new privacy policy.

"If they signed the standard Google Apps contract or didn't insert specific language about privacy and the like, then these Google privacy policy changes will impact them," said John Pescatore, a Gartner vice president and research fellow.

Google Apps administrators should also make it clear to their employees that they need to have a separate, individual Google account for nonwork Google tasks and applications, especially personal use of the Google+ social networking site, he said.

"In many cases, especially in smaller businesses, that's not the case. The user has the Google account and that's what's being used for doing work email and personal email and Google+ and search," Pescatore said.

Another reason why existing Apps customers need to review their contracts is the recent controversy over how Google allegedly bypassed privacy settings in browsers, including Safari and Internet Explorer, he said.

It's an example of why enterprises need to be specific about what privacy settings and policies they want respected, independent of the changes Google may make to its own privacy policies and practices, he said.

"The only real protection enterprises have is in what contractual language they have with Google," he said.

From Google's part, the company could be more "friendly" to enterprises, in the same way that it has agreed to certain requirements in order to win Google Apps business from U.S. federal government agencies, he said.

Ultimately, IT decision makers need to understand that Google makes most of its revenue from selling online ads via its consumer online services, and that its strategy decisions are made mostly with this business in mind, he said.

"Google isn't an enterprise IT provider. It's a consumer-grade advertising provider," he said. "Enterprises have to be very careful when they enter into contracts for Google services that they make sure they're getting all the liability protections and agreements that they'd seek if they were looking at Microsoft, Oracle, IBM or anybody else," he said.

Several privacy groups protesting the changes have focused more on the effect on consumer users of Google products, and not on enterprise users. But attorneys general from 37 U.S. states and territories, in a letter sent to Google this week, included concerns about business and government users among the issues they are focused on.

"For users who rely on Google products for their business -- a use that Google has actively promoted -- avoiding this information sharing may mean moving their entire business over to different platforms, reprinting any business cards or letterhead that contained Gmail addresses, re-training employees on web-based sharing and calendar services, and more," the letter said.

"The problem is compounded for the many federal, state, and local government agencies that have transitioned to Google Apps for Government at the encouragement of your company, and that now will need to spend taxpayer dollars determining how this change affects the security of their information and whether they need to switch to different platforms," the letter said.

But Google will not share user data between separate accounts, even for consumer users of its products, a Google spokesman said. For example, if a Google user has separate log-ins for YouTube, Google Reader and Google+, those applications will not share personal information with each other.

The changes are intended to offer users of multiple Google services a seamless experience. If a YouTube user views several videos on car engines, Google's search may emphasize information about the Jaguar car brand and not the animal.

Privacy groups have complained that the changes will allow Google to better track users and collect personal information.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

More about GartnerGoogleIBM AustraliaIBM AustraliaIDGJaguarMicrosoftOracle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross and Juan Carlos Perez

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place