Google's Global Privacy Counsel Peter Fleischer answered some of the questions on Thursday, and again reminded CNIL that Google had asked on several occasions to meet to discuss privacy matters. He repeated that Google was not willing to halt the policy's introduction because the request came after a lengthy campaign informing users about the changes, and delaying introduction of the new rules would have confused users.
While Google said it rolled out the largest information campaign in its history to inform users about the policy changes, the company failed to provide the CNIL with figures about the effect of the campaign. Google was not able to provide unique visitor statistics for the dedicated privacy main site and its localised versions. Fleischer pointed out that the Google privacy site is only one of many different mechanisms Google uses to disseminate privacy information. Google was not able to explain why it could not provide statistics for the privacy landing page, since its London office is closed for the Easter holiday.
Retention of data backups not clear
Google also failed to provide details of its data backup regime. The company was asked to explain why its policy says that it may not remove information from backup systems when the user asks for its deletion. While the company said it would delete users' personal information upon request, it said Google's backup and retention policies are set to take into account users' interest in security and business continuity.
When asked if this means that Google will actually delete data from all backups upon request after an additional period of time, Google responded: "Google has documented policies and processes covering deletion of user data from back-up tapes." It is impossible to provide an upper bound to the additional retention period needed to delete data from all backups, because that time varies from case to case, the company added.
Google also failed to specify the maximum additional retention period for data deleted by authenticated users, although it did say that its unspecified backup and retention policies "would, for example, enable us to restore a maliciously deleted user account."
PREF and DoubleClick cookies
The privacy regulators are particularly interested in the so-called "PREF" cookie and in the DoubleClick cookie, used for serving ads. Google explained in the first batch of answers that the PREF cookie is used to store user preferences and other information such as preferred language, how many search results users wish to have shown per page and whether the SafeSearch filter should be switched on.
CNIL has started a legal and technical analysis of Google's answers, its communications officer Elsa Trochet-Macé said in an email on Friday.
"We first needed to send our questionnaire and receive written answers before meeting Google," she said, adding that there could be a discussion with Google and the Article 29 Working Party later.