Worth reading before you agree.
High confidence
Google collects a massive amount of data about you — your location, searches, emails, voice recordings, browsing history, and activity across millions of third-party websites. They use it to personalize ads and train AI models, and they share it with partners. You have some controls, but the defaults are set to collect everything.
Moderate risk: notable concerns around data sharing, limited user controls, or vague language. Original assessment: Grade adjusted to E: 3 critical findings.
3 critical findings
This document contains terms that could seriously affect you. Read the watch-outs below before you agree.
You get free access to Google's services (Search, Gmail, Maps, YouTube, Drive, etc.) in exchange for your data. Google collects your personal information, search history, location, voice recordings, emails, photos, documents, browsing activity, and interactions with AI. They use this to personalize ads, improve services, and train AI models, and they share it with partners. You can delete your data and account, but the defaults are set to collect everything.
You can delete your data through My Activity, Google Dashboard, or by deleting your entire Google Account at any time
You can export your data using Google Takeout for backup or to use with other services
You can opt out of personalized ads in My Ad Center and turn off ad personalization
Google does not show personalized ads based on sensitive categories like race, religion, sexual orientation, or health
Google does not use content from Drive, Gmail, or Photos for personalized ads
Google provides encryption in transit and security features like Safe Browsing and 2-Step Verification
EEA consumers have a 14-day right to withdraw from the contract with full reimbursement
Google publishes a Transparency Report about government data requests
You can set up Inactive Account Manager to give someone access to your account if you're unable to use it
Google Cloud does not use customer data for advertising and does not sell customer data to third parties
Google uses your interactions with AI products like Gemini Apps to train and improve their machine learning models. Your conversations, search queries, and content may be used to make Google's AI smarter, with no opt-out available.
Google tracks your location through GPS, Wi-Fi access points, cell towers, Bluetooth devices, and your IP address — creating a detailed picture of where you are and where you've been, even when you're not actively using Google services.
Google tracks what you do on millions of websites and apps that use Google services like Google Analytics and Google Ads. This activity is linked to your profile, building a comprehensive picture of your behavior across the internet.
When you upload content to Google, you grant them a worldwide, royalty-free, sublicensable license to use, modify, and share that content for as long as it's protected by intellectual property rights — which can be 70+ years after your death. This license survives account closure.
Google may save audio recordings of your voice interactions with Google Search, Assistant, Maps, and Gboard to improve their voice recognition technology. These recordings can reveal personal information about you.
Google will hand over your data to governments and courts when they receive valid legal requests. In the US, National Security Letters require no judicial approval. You may never be notified if your data is disclosed.
If a third party or government sues over your use of Google services or your violation of their terms, you must pay for Google's legal defense and any damages — unless Google was at fault.
Google can update their terms at any time for almost any reason. They'll give advance notice for material changes, but not for new features or urgent situations. If you keep using the service, you accept the new terms.
For certain services like Google Cloud Starter Tier, you give up the right to join a class-action lawsuit or have a jury trial in disputes with Google.
To provide location-based services, personalized search results, local ads, and to improve Google Maps and other products
To develop and improve Google's audio recognition technologies
To provide personalized search results, recommendations, and ads
To provide Google services and to train AI models
To create and manage your Google Account, authenticate you, process payments, and verify your age
To provide services, ensure compatibility, protect against abuse, and improve products
To provide personalized recommendations and ads
To help you share and communicate with people across Google services like Gmail, Photos, and Assistant
To authenticate you, provide services, track activity, and for advertising and measurement by partner websites
To train AI models and build products like Google Translate, Gemini Apps, and Cloud AI capabilities
Your data is shared across multiple Google entities, potentially in different countries with different privacy laws
While Google says it doesn't share your name or email with advertisers without consent, it does share activity data and allows advertisers to target you based on your behavior across Google services and partner sites
Aggregated data about how people use Google services is shared publicly and with partners
Google will hand over your data to governments when they receive valid legal requests. National Security Letters in the US require no judicial approval. You may not be notified if your data is disclosed.
Other companies process your data on Google's behalf, expanding who has access to your information
Your activity on millions of websites and apps is tracked and linked to your Google profile, building a comprehensive picture of your online behavior
Google shares data with partners for security purposes and to display business information
Specific data retention periods
Google says data is kept for 'different periods of time' but doesn't specify exact durations for most data types. You can't know how long your data is actually stored.
Whether Google sells personal data
The evidence doesn't clearly state whether Google sells personal data to third parties. Google says it doesn't share personally identifiable information with advertisers without consent, but the line between 'sharing' and 'selling' is unclear.
International data transfer safeguards
Google says data may be processed on servers outside your country, but doesn't specify the legal mechanisms used to protect your data during international transfers.
Breach notification timelines
Google says it will notify users about security risks, but doesn't specify how quickly it will notify you if your data is breached.
Specific security certifications
Google mentions security measures but doesn't specify certifications like SOC 2 or ISO 27001 that would help you evaluate their security posture.
Assume the worst case: Google can use your data to train AI, but you can't use Google's AI output to train your own models
Assume the worst case: Google may share data with partners in ways that could be considered a sale of data, even if they don't call it that
Mixed
Grade A–E
Google Meet itself has strong security (encryption in transit and at rest) and meaningful protections against advertising use and data sale. However, the broader Google ecosystem collects extremely wide-ranging data — including precise GPS, browsing history, voice recordings, and activity on third-party sites — for ad personalization and AI training, with only partial user controls. The perpetual content license, broad AI training on user data, and extensive third-party sharing across Google's ad ecosystem significantly offset the product-level protections.
Status
Legacy risk index: 8/10
Google Meet encrypts all meeting data in transit and at rest, does not use customer data for advertising, and does not sell customer data to third parties.
Google Meet encrypts all meeting data in transit and at rest by default, and does not use Meet customer data for advertising or sell it to third parties.
Google's broader ecosystem collects extensive personal data including precise GPS location, browsing history, search terms, voice recordings, contacts, emails, documents, and activity on third-party sites using Google services.
Google uses user interactions with AI models (including Gemini Apps) and publicly available information to train machine learning models, with no opt-out available for this training.
Does not sell your data
Tracks across sites
Self-service deletion
Data is retained for varying periods: some can be deleted anytime, some auto-deleted after a set period, some kept until account deletion, and some retained longer for legitimate business or legal purposes. Meet recordings are stored only when activated and kept for a limited time. Specific retention periods are not defined for most data types.
Mixed approach
How clearly they explain their practices
Google provides detailed explanations of data practices in its main privacy policy, including specific data types and purposes. However, many documents (Chrome terms, Assistant terms, Maps terms) are silent on data practices, and key details like retention periods, transfer safeguards, and subprocessor identities are vague or missing.
How much data they collect
Google collects an extremely wide range of data across its ecosystem: precise GPS, IP address, browsing history, search terms, voice/audio recordings, contacts, emails, documents, device identifiers, crash reports, activity on third-party sites, and more. Meet itself collects less, but the account-level data collection is sweeping.
How much control you have over your data
Google provides extensive self-service tools including My Activity, Google Dashboard, My Ad Center, Privacy Checkup, Google Takeout for data export, and full account deletion. Users can delete specific items, set auto-delete periods, pause history collection, and opt out of ad personalization. However, there is no opt-out for the core content license or AI training on user content.
How widely they share your data
Google shares data with advertisers, service providers, publishers, developers, rights holders, and allows partners to collect information via their own cookies. Activity on third-party sites using Google services is tracked and linked to user profiles. While Meet-specific data is not shared for advertising, the broader ecosystem involves extensive third-party data flows.
15 data vectors mapped
“Personalized advertising and ad measurement”
“Service provision, operation, and improvement across the Google ecosystem”
“External processing on Google's behalf under confidentiality agreements”
“Processing transactions, provisioning paid services, account communications”
“Analytics and trends”
“Service integration and advertising”
“Legal compliance with subpoenas, court orders, search warrants, NSLs, FISA orders”
“Security and abuse prevention”
“Display on Google's services”
“Research on Internet users' rights and content removal transparency”
“Audience analytics”
Google's Privacy Policy provides detailed explanations of what data is collected, purposes of processing, and third-party recipients, with specific examples — supporting transparency obligations under Articles 13–14.
Users are offered extensive self-service controls including My Activity, Google Dashboard, My Ad Center, Privacy Checkup, Activity Controls, data export via Google Takeout, and full account deletion — supporting rights of access, erasure, portability, and objection (Articles 15–21).
Explicit consent is required before sharing sensitive personal information, and users can withdraw consent at any time — supporting Article 7 and Article 9 requirements for special category data.
Google states it reviews each government request for legal compliance before disclosing data, and publishes aggregate statistics in its Transparency Report — supporting accountability and transparency under Articles 5(2) and 30.
Encryption in transit is implemented, security features like Safe Browsing and 2-Step Verification are offered, and employee access is restricted with confidentiality obligations — supporting Article 32 security requirements.
Google Ireland Limited is identified as the data controller for EEA/Switzerland services, with GDPR explicitly referenced as applicable law for those regions — supporting Article 3 territorial scope and Article 27 representation requirements.
Children's data protections are referenced including Family Link for accounts of children under 13, age verification mechanisms, and parental consent requirements — supporting Article 8.
Data Processing Addendum (DPA) is referenced in Google Cloud Starter Tier terms, indicating processor obligations are contractually addressed — supporting Article 28.
International transfers are acknowledged with reference to appropriate safeguards and cooperation with data protection authorities — supporting Chapter V transfer requirements.
Specific retention periods are not provided for most data types — only general categories (e.g., 'until you delete,' 'set period,' 'longer for legal purposes') — failing the Article 5(1)(e) storage limitation principle's requirement for defined, limited retention periods.
International transfer mechanisms (Standard Contractual Clauses, adequacy decisions, Binding Corporate Rules) are not explicitly named in the main privacy policy — creating uncertainty about lawful transfer mechanisms under Articles 44–49.
The policy does not specify exact timelines for responding to data subject rights requests, as required by Article 12(3) (without undue delay, within one month).
Details about automated decision-making and profiling logic are limited — the policy mentions personalization and ads but does not provide meaningful information about the logic involved or significance of processing, as required by Article 22 and Recital 71.
User interactions with AI models (Gemini Apps) are used for training without a clear opt-out mechanism — raising questions about whether this processing is covered by original consent and whether a separate lawful basis is established under Article 6.
Publicly available information is scraped to train AI models without explicit consent from the data subject — the lawful basis for this processing under Article 6 is not clearly articulated.
Cross-site and cross-app tracking via Google Analytics and third-party cookies is extensive, and while browser-level opt-outs are mentioned, the policy does not clearly explain how consent is obtained for non-essential tracking under the ePrivacy Directive as implemented in EU member states.
The broad, perpetual content license granted to Google in the Terms of Service (for operating, improving, and promoting services and developing new technologies) may conflict with the purpose limitation principle under Article 5(1)(b) when applied to user-generated content.
Google's government requests policy describes NSLs and FISA orders that bypass judicial oversight — these US surveillance mechanisms may conflict with GDPR's requirements for lawful processing and adequate protection of EU data subjects' rights.
The policy does not clearly distinguish between data controller and data processor roles across all services, particularly for Google Cloud and Workspace products where customers may be controllers.
Google states it does not sell personal information in the traditional sense and does not share personally identifiable information with advertisers without user consent — addressing CCPA 'sale' concerns.
Users can opt out of ad personalization through My Ad Center and Ad Settings — supporting the right to opt out of sale/sharing under CCPA §1798.120.
Google provides a 'Do Not Sell or Share My Personal Information' mechanism through privacy settings — supporting CCPA/CPRA requirements.
Users can delete their data through My Activity, service-specific deletion, or full account deletion — supporting the right to delete under CCPA §1798.105.
Data export via Google Takeout supports the right to know and data portability under CCPA §1798.100 and §1798.130.
Google publishes a Transparency Report on government data requests — supporting accountability and the right to know.
Google allows specific partners to collect information from users' browsers or devices for advertising and measurement purposes using their own cookies — this may constitute 'sharing' under CPRA §1798.140(ah) for cross-context behavioral advertising, and the opt-out mechanism may not cover all such sharing.
The policy does not clearly categorize data as 'sold' vs. 'shared' vs. 'disclosed for business purposes' as required by CCPA/CPRA disclosure obligations.
Sensitive personal information (precise geolocation, biometric audio data, government ID for age verification) is collected, but the policy does not clearly explain the right to limit use and disclosure of sensitive personal information as required by CPRA §1798.121.
The broad content license in the Terms of Service and the use of user data for AI training may constitute a 'business purpose' that is not clearly disclosed in a CCPA-compliant manner.
Retention periods are not specified for individual data categories as would be expected under CCPA's right to know requirements.
The policy does not clearly state whether Google uses personal information for inferencing about consumers or creates consumer profiles beyond what is described — a CPRA requirement.
Google identifies purposes for data collection and provides examples — supporting PIPEDA's Principle 2 (identifying purposes).
Consent mechanisms are described including explicit consent for sensitive information and withdrawal of consent — supporting Principle 3.
Users can access, correct, and delete their data through self-service tools — supporting Principle 9 (individual access).
Security measures including encryption, access controls, and breach notifications are described — supporting Principle 7 (safeguards).
Google states it limits collection to what is necessary for stated purposes in some contexts — partially supporting Principle 4 (limiting collection).
The scope of data collection is extremely broad (GPS, voice recordings, browsing history, third-party activity, contacts, etc.) and may exceed what is necessary for the stated purposes — potentially violating Principle 4.
Retention periods are not clearly defined for most data types — failing Principle 5 (limiting use, disclosure, and retention).
Cross-border transfers to the US and other jurisdictions are acknowledged but specific safeguards (comparable protection, contractual measures) are not detailed — raising concerns under Principle 4.1.3 of PIPEDA's accountability principle.
The use of user data for AI training and model improvement is not clearly covered by the original purposes for which data was collected — potentially violating Principle 5's limitation on use.
Meaningful consent for the breadth of data collection and sharing practices may not be achievable given the complexity and length of the policy — raising concerns about whether consent is truly 'informed' under Principle 3.
Google provides a legal basis for processing (consent, legitimate interest, contractual necessity, legal obligation) mapped to specific purposes — supporting LGPD Article 7.
Users can exercise rights including access, correction, deletion, portability, and revocation of consent through self-service tools — supporting LGPD Article 18.
Data protection officer contact information is referenced — supporting LGPD Article 41.
Security measures including encryption and access controls are described — supporting LGPD Article 46.
International transfers are acknowledged — partially addressing LGPD Article 33.
The policy does not clearly identify which legal basis applies to each specific processing activity, as recommended by the ANPD — making it difficult to assess compliance with Article 7.
Retention periods are not defined for most data types — failing LGPD Article 15's requirement that processing be limited to the minimum necessary period.
The use of user data for AI training and model improvement may not be covered by the original legal basis — raising questions about compatibility under Article 6(III) and the purpose limitation principle.
International transfer mechanisms (SCCs, adequacy, BCRs) are not explicitly named — creating uncertainty about compliance with LGPD Article 33.
The policy does not clearly address automated decision-making and profiling as required by LGPD Article 20 (right to review of automated decisions).
Children's data processing references Family Link but does not clearly explain how parental consent is obtained and verified as required by LGPD Article 14.
Google requires users to be at least 13 years old to create a Google Account, with parental consent required for younger users — supporting COPPA's age threshold.
Family Link is provided for managing children's Google Accounts — supporting parental control requirements under COPPA.
Age verification mechanisms are described including date of birth collection and machine learning to determine if a user is over 18 — supporting COPPA compliance efforts.
Google states it processes data to ensure users are old enough to use its services — indicating awareness of child protection obligations.
The policy does not clearly describe how verifiable parental consent is obtained before collecting personal information from children under 13 — a core COPPA requirement (16 CFR §312.5).
Google collects extensive data from services that are likely accessed by children (YouTube, Google Assistant, Google Search) without clearly distinguishing between data collected from adults vs. children — raising concerns about COPPA's data minimization requirements for children.
The use of machine learning to determine if a user is 'likely over 18' is not a substitute for verifiable parental consent when the user is actually a child — this approach may not satisfy COPPA's consent requirements.
Google may request government ID or photo for age verification, which involves collecting biometric data from minors — this raises additional COPPA and BIPA concerns.
The policy does not clearly describe what specific data is collected from child-directed services or how parental access, deletion, and refusal rights are implemented as required by 16 CFR §312.6.