Is Google Play-ing with Your Personal Information?

Did you know that Google Play, the company's app store for Android users, sends sensitive information to app developers every time you purchase an app? News reports have recently revealed that Google sends your name, email addresses, city and ZIP Code to the app developer each time you buy an app – but you wouldn't know that from reading the company's privacy policy or the policy for its payment service, Google Wallet. Tell Google that it needs to be clear about exactly how it shares about you, including what information it shares and who it shares that information with.

It's still not clear whether Google believes that this practice of sharing information is even consistent with its own published policies. By reading Google's main privacy policy, you learn that "[Google] will share personal information with companies...outside of Google when we have your consent to do so." And if you read the Google Wallet policy, it tells you that it shares information "necessary to process your transaction." The policy says Google may use the information to "protect you from fraud," a common practice, but it does not clearly state that this involves sharing information with every purchase even without any suggestion of fraud. So, when have customers given consent for the sharing of their personal information such as email or home address? And since app developers usually don't need personal information to complete the purchase (in fact, many developers were also surprised to get this information), how can sharing this information be "necessary?"

Google is not alone in sharing information with third parties in ways users may not have realized. Facebook was investigated by the FTC and the Canadian Information Privacy Commissioner for sharing more information than necessary with apps – even those ran by friends. Following these incidents, the California Attorney General has emphasized the need for app developers and platforms to "minimize surprises to users from unexpected privacy practices" by "avoid collecting personally identifiable data from users that are not needed for an app's basic functionality," echoing recent reports by the Federal Trade Commission and the White House's Consumer Privacy Bill of Rights.

You should be able to find out how your personal information is shared with third parties, including third party app developers. This doesn't just give you a tool to personally control your information – it also exposes corporate sharing practices to broader scrutiny, encouraging them to think twice before making a decision that reveals a user's personal secret to others or hands information over to a bad actor. So please tell Google to make clear exactly what information it shares with third parties.

Matthew Cagle is a Volunteer Attorney for Technology and Civil Liberties with the ACLU of Northern California.