Legal Policies for Google Tools & Services

These days, it's somewhat difficult to find websites and apps that don't use Google tools and services. While these Google resources are helpful for gaining visibility and sharing your message or brand, they also trigger legal questions.

Google places requirements on its developers in order to protect itself from liability. These requirements also protect you.

Here's an overview of popular Google tools and services and the online agreements you need if you use them.

General Requirements

All Google tools and services are subject to the general Google Terms of Service. While each product may have its own agreements, this one is the basis of your commitments when you use Google products.

When you use any Google tool or service, you must:

• Follow policies specific to services
• Never misuse services or commit illegal acts
• Avoid infringing on intellectual property including brands, logos, or code, whether it belongs to Google or your users, and
• Follow international law

Google will also put you on notice that you may have access to content that does not belong to Google. If that content is useless for your purposes or even offensive, Google cannot be held responsible. That content is the responsibility of the entity or individual providing the content and Google waives any liability associated with it.

When you start using Google tools and services, it's a good idea to review their terms and privacy policies to know what is expected of you as you take advantage of these resources.

Google Analytics

Google Analytics is a collection of tools that provide data on web traffic. Using a code provided by Google, you can track data about metrics like website visits, purchases, and engagement. This information can help you improve your website or confirm that it generates the needed return on investment.

Required Policies

Analytics has its own Terms of Service where it outlines your duties and any policies required on your website.

The Terms of Service from Google is very clear on the Privacy Policies requirement. You are required to have a Privacy Policy if you use the Google Analytics service:

First, your Privacy Policy must comply with laws that affect your operation. That includes describing the data you collect, how you collect it, and what you do with it. You must avoid collecting more personal data than needed for your app or website to function.

Second, you must promise that neither you nor your visitors will use Analytics inappropriately. That would include making it part of information collection without a user's knowledge, especially if that includes names, street addresses, birth dates, and billing information.

Anything that can identify individuals should not be collected unless that practice is described in your Privacy Policy. Using Analytics to collect data without notice will likely result in Google removing you from the service.

Finally, you must reveal whether your site uses cookies to collect data. If you are an E.U. company that collects data from E.U. customers, you are required to have a Cookie Policy that explains this. A Cookie Policy also helps you comply with this requirement by Google.

Examples

Companies that use Google Analytics mention the product directly in their Privacy Policies. This strategy helps with legal compliance as well as meeting the requirements under the Analytics Terms of Service.

TriDef explains to users that it uses Analytics to collect data including how often the app is used:

Sierra Trading Post takes the same approach and explains to users how they can opt out of this tracking:

The content of this notice depends on how extensively you use Google Analytics. If you collect sensitive information on data including age and gender, you may want to take the detailed approach of Sierra Trading--including opt out information.

However, if you are more interested in using Analytics to track app use or website visits, you can make this section a little shorter, like TriDef did in its example.

Google AdSense

AdSense creates targeted advertisements. If you agree to post advertisements on your website as a revenue generator, AdSense automatically analyzes user browser history and posts advertisements that may be of interest to the user.

Companies pay to have their advertisements filter through this service. As an incentive, website owners who join the AdSense program receive revenue when users click on an ad and engage with that company.

Needed Policies

AdSense is an invasive service. This makes privacy protection a high priority. In fact, the Terms of Service require both privacy and cookie policies on websites that use its service:

There is further guidance in AdSense Help. Since user consent is important when it comes to privacy, it adds another safety mechanism called the DoubleClick cookie.

Basically, in order to visit a site advertised on an AdSense ad, a user must click twice. This assures assent and reduces automatic data collection that could be considered a problem. AdSense also gives users the ability to hide ads that block content or are irrelevant to them.

Here is an example of this from Airtable, a spreadsheet and data app. Highlighted in the upper right corner is an arrow and an "x." Users can hit the arrow to change ad choices and indicate an ad is not relevant to them. Or, they can hit the "x" and make the ad disappear:

This process is described in the AdSense Terms of Service:

If you use AdSense, Google wants you to explain its processes in detail. That includes how to opt-out or make the cookie drop the ad.

Examples

Welcome Home Blog is a site of videos for military homecomings. It has a large national presence in the U.S., with many regular viewers. AdSense is one of its revenue generators.

The site maintains a separate AdSense Privacy Policy, likely because the service is a major component for financing the site. As you can imagine, this policy is not only specific to AdSense but is very detailed and informative. It actually exceeds the requirements in the AdSense Terms of Service.

This policy starts by describing log files which track a user's website visits and history. AdSense will also gather general demographic information but it falls short on data that can identify individuals:

Welcome Home Blog also describes cookies in general:

DoubleClick Cookies have their own section. It uses the same language as the Terms of Service when describing them. The blog includes an explanation on opting out as well:

If you are an E.U. company that already has a separate Cookie Policy, you will not require an AdSense Policy to that extent. However, you will want to ensure you have a notice banner so users can access that policy easily.

A good example of this banner is provided by BBC:

If in doubt, err on the side of over-explaining AdSense and DoubleClick Cookies in your Privacy Policy and Cookie Policy. Since this service can be considered intrusive, you want to give your users as much notice as possible regarding its operation.

AdMob

AdMob is basically AdSense for mobile devices. It works the same way as AdSense and also may be considered invasive by many users.

Needed Policies

AdMob requires a Privacy Policy and Cookie Policy, just like AdSense. They must contain the same content too, except you would refer to AdMob rather than AdSense.

If you use both services, mention them in your Privacy Policy and Cookie Policy.

Examples

The drafting requirements for your policies are the same as if you were using AdSense. If you already have provisions that address AdSense, you only need to add a reference to AdMob.

Bravolol, a foreign language teaching app, uses AdMob as a revenue generator. Its Privacy Policy contains several sections addressing third party websites and advertisements.

It starts by stating that third parties will post ads and they will have their own Privacy Policies regarding the information collected from users:

Like the earlier examples for AdSense, the Privacy Policy continues by alerting users that these third parties may use cookies:

While Bravolol mentions Google AdSense in the following section, there is no mention of AdMob - although Google uses Bravolol as a successful example in one of its case studies:

Etermax is another Google AdMob success story. However, its Privacy Policy does not mention Google or its products directly when it discusses ads:

There does not seem to be a consistent pattern with how apps handle AdMob in their Privacy Policies. Since it's typically better to give too many details rather than not enough, mention AdMob specifically in yours when you address third parties and advertising. That way there is no question about whether you disclosed the use of AdMob to your users.

Google AdWords

AdWords is the Google advertising system. It allows you to create graphic display ads and then bid on your location within Google search results. The service helps you promote your products and services through display, video, search, and app ads.

This strategy is called remarketing because it targets previous visitors to your website in an attempt to market your product to them one more time. The process often involves storing personal data for a longer period of time than usually expected -- and that is why you must update your Privacy Policy accordingly.

Needed Policies

Adwords Help is clear in the requirement for a Privacy Policy. The section addressing privacy also states what needs to be in it:

• Description of how you use remarketing or similar strategies to advertise online
• How third-party vendors, like Google, display your ads
• How third-party vendors, including Google, use cookies to serve ads based on past website visits
• How visitors can opt out of Google's practices, and
• A link to the Network Advertising Initiative opt-out page

Fortunately, if you draft a Privacy Policy that addresses third party advertisers in detail, you will likely meet these requirements.

Examples

If you draft a Privacy Policy that complies with the requirements for Google Analytics, you will likely have a policy appropriate for AdWords. If you're considering whether you need to update an existing Privacy Policy or create a new one from scratch, looking at Privacy Policies for services that help businesses make the most efficient use of AdWords can help.

AdRoll is a service that helps companies use AdWords. It also uses AdWords itself.

Since the company has such a good understanding of this tool, its Privacy Policy is an excellent example.

It starts by describing targeted advertising and making it clear that it uses this tool. This leaves users with few doubts and provides notice:

When it describes the data collected and how it is used, most descriptions include references to advertisers:

The section on cookies explains them and identifies the specific one used by AdRoll:

Finally, there is a large section on opting out which includes a link to the Network Advertising Initiative:

While your Privacy Policy may not have to be quite as detailed as the one for AdRoll, these examples offer solid drafting tips. You want to be detailed about any personal information collected and how it is collected. Add a section on cookies, and provide a link to the NAI.

Google reCAPTCHA

reCAPTCHA defends websites against spam-producing bots. It is widely recognized by its dialog box where users must confirm they are human before moving forward:

reCAPTCHA is also part of an effort to digitize text, annotate images, and support machine learning. As the service continues to develop, Google anticipates better processes for developing AI when it comes to book preservation and maps.

Needed Policies

Since reCAPTCHA presents only a checkbox, many developers assume it does not collect private information. However, that is not the case.

reCAPTCHA checks for Google cookies and will take a snapshot of the user's browser at the time of access. While doing this, it logs cookies for the past six months and the number of visits to sites.

These actions are enough to trigger the California Online Privacy Protection Act (CalOPPA). Since it's practically impossible to transact web business in the U.S. without interacting with California residents, it's safe to assume you need a Privacy Policy if you use reCAPTCHA.

reCAPTCHA also indicates this when you sign up for the service and accept its Terms of Service:

Even if you do not directly collect personal information through account creation or log-in, you must have a Privacy Policy if you use this product.

Examples

You do not need to add unique provisions to a Privacy Policy just because you use reCAPTCHA. Using a good template generator or following general drafting guidelines for a compliant Privacy Policy will suffice for any data collection performed by reCAPTCHA.

Google Play Store

Google Play Store is the distribution platform for Android Apps. If you use it, you are bound by its Developer Distribution Agreement which places specific requirements on developers.

Needed Policies

A Privacy Policy is one of the requirements for developers using Google Play.

Here's where the Developer Distribution Agreement notes that you must have a Privacy Policy:

This applies to any app that requires usernames, passwords or other personal information. Apps requiring access to cameras or microphones also need a Privacy Policy even if the user never submits their name, email or other personal information directly.

You must also refrain from collecting more personal information than is necessary for the functioning of your app.

The Privacy Policy must be legally compliant and provide adequate protection to users. If you do not have a Privacy Policy or if the one you posted is deficient, Google informs you of this via email and gives a deadline for you to fix the issues.

A Terms and Conditions is not required, but it would be useful to be provided for your mobile app. A Terms and Conditions is also known as a Terms of Use or Terms of Service. The EULA agreement is also an alternative for mobile apps.

Examples

Google offers guidance for drafting a clear Privacy Policy that meets its requirements.

Generally, all developers using Google Play include the following in this agreement:

• A notice that you intend to collect personal information
• Why you require it
• How you collect it
• The use of the information, and
• Any information you share with third parties

Mixesoft is a developer that regularly uses Google Play and the Chrome Web Store. It offers a straightforward Privacy Policy that is easy for users to access and read.

In its section on information collected and how it's accessed, Mixesoft indicates they request names and email addresses. They also explain that they find the data through forms, registration processes, and cookies:

A separate section explains why they require this information:

There is a more detailed section on cookies since Mixesoft uses other Google products:

Plarium is another company that has a strong presence on Google Play. It also offers a detailed and easily comprehended Privacy Policy.

This is the section on information collected starts by listing the data provided by users during registration:

A separate section discusses information from third parties:

It also refers to information collected automatically and refers users to the section regarding cookies:

The section on the use of information is clear using plain language and italic headers:

The policy makes it clear that data is kept for a limited time, as required by the Google developer agreement:

There are two sections on security and data protection:

If you collect a larger amount of personal data, you want a thorough and accessible Privacy Policy like the one drafted by Plarium. Apps that do not require as much data can rely on less extensive Privacy Policies, like the one by Mixesoft.

In either case, you want the Privacy Policy to be accessible and easy to read. That will help your users but also make it easier if you need to prove compliance with Google policies.

Google tools and services can revolutionize the efficiency of your apps and website. However, you must comply with their requirements and protect your users. Google offers considerable resources to assist you and it is a good idea to take advantage them.