How to Manage Your Google Privacy Settings
But this stuff can and will change to suit Google, or to suit new laws and regulations Google has to follow. For example, in the European Union and elsewhere on May 25, 2018, Google and others will have to deal with the General Data Protection Regulation, or GDPR, which completely changes how big companies can handle your, or anyone's, data. Even though it's an E.U. regulation, it impacts any company with personally identifiable info (PII) on customers there. That's definitely Google.
It'll probably help those of us in the U.S., though there isn't a law here codifying that, except in some states like New York. Until there is, there are ways to take control of what Google has on you. That means mastering the Google My Account dashboard.
Controlling your Google privacy
Google revamped its My Account page in 2015; it's meant to be a one-stop spot to take control of your privacy and security when it comes to letting this monolithic company know all about you. Rather than visiting settings for every individual Google service -- Gmail, Google Drive, Android phones, YouTube and a hundred others -- you change global settings here. Mostly.
Before you do anything, visit privacy.google.com -- it spells out exactly what data Google is collecting and what it does with that data, plus its advertising policies. Read this and you'll be a bit more informed about what settings to change. Google says it collects things you do, things you create and things that make you "you" -- namely, your personal info like name, email, birthday, gender, phone number and location.
If you want the scary version of what Google collects on you, read this Guardian article, which spells out that Google knows where you've been, what you've searched, all your apps and extensions, your YouTube history, and more. None of which should really come as a surprise.
Once you're clear on the deets, visit My Account, which takes you to a dashboard with sections for Sign-in & Security, Personal info & Privacy and Account Preferences.
You want to perform two actions right away: a Security Checkup and a Privacy Checkup.
First, if you have multiple Google accounts -- like say, one for work and one you use personally -- choose the one you want to check from the menu at the upper right of the desktop screen. (Using a different avatar photo for each account can help you better distinguish between them.)
When you click Security Checkup, a pop-up will show the following info:
- Your devices
- Third-party access
- Recent security activity
- 2-Step Verification (whether it's on or not).
Any items marked with a yellow warning exclamation circle should get a once over. For example, if you see devices you no longer use listed under Your Devices, nix them. Third-party access will list apps and services that have access to your Google data -- some of which could be problematic.
If you haven't already activated 2-step verification, read this and skip down to the section specific to Google. With two-factor authentication (2FA) on, you can't sign into your Google account with a password alone; you'll need a secondary method of authentication. It adds an extra step, but if someone steals your password, it's not enough to sign into your account.
To authenticate, you can use a code that's sent via voice or text message or displayed inside an authenticator app. Or you can select the Google "prompt" feature, which displays a notification on your phone asking if you're trying to sign into your Google account. If you are, just tap yes.
If you do have it on, this is a good place to set up extras like entering backup phone numbers or killing options you no longer use. You can also get backup keys for those times when you can't use the phone, or set up a hardware security key. And best of all, scroll down to Devices you trust and revoke all if you want to force a full 2FA login on all future devices.
Next, go back to My Account and under Sign-in & security page, click "Signing into Google," where you can change your password. Google will tell you how long it's been since you last changed it. If it's been over a year, consider yourself thoroughly disgraced in the eyes of the tech gods.
If you've created any App passwords -- unique passwords for specific services that don't use traditional Gmail logins, like on game consoles -- revoke them as needed. This is also where you come to generate new app passwords, but with most modern hardware, they're a thing of the past.
Then, make sure you have filled in the Account recovery options with a recovery email and phone number not necessarily related to Google.
Further down the page, check Apps with access to your account -- it's a review of the apps, websites and devices connected via your Google account. It could be something as obscure as a Google Chrome extension that works with Gmail that you don't remember installing. Remove any you know you're not using anymore. If you get rid of something you need, you can always give it permission again later.
Next, check the list of saved passwords, which is saved via Google Smart Lock, a feature of the Android OS and the Google Chrome browser that stores passwords for just about everything. It makes it very, very convenient for logging into services and sites, but can also be a security nightmare.
Delete any sites you don't recognize and get rid of any duplicates. Click the eye icon if you're not sure which dupe to delete -- it'll show the password you used for each save; delete the old, out-of-date password entries. If you've been surfing long enough with Chrome, you'll see sites you don't even recall, and that probably no longer exist.
Here, you can turn Smart Lock off so you're never asked if you want to store passwords. You can also turn off the Auto sign-in option; this stores passwords still requires you to enter them, which seems pretty dumb.
At the bottom, the list displays sites you've told Google to never save passwords for -- delete them if you want to store a password for the site in the future.
(Prepare for frustration -- the more time you spend on the Saved Passwords page, the more often you'll be asked to re-enter your Google password. But it's for security, so don't get too upset.)
Now skip back to the My Account page to get into the Privacy Checkup, a multi-step process that lets you review how Google uses your data.
Step one lets you manage what you share on YouTube; the videos you like and save, the channels to which you subscribe, and what shows up on your YouTube activity feed. You can also use this page to limit what happens on connected accounts like Twitter, and manage the privacy of videos you upload (public, private, or unlisted).
Google Photos privacy is next. The options are limited to turning off the ability for better face matching, and the far more important option: removing geo-location on items shared by a link. That means if you share a photo of yourself, a stalker type can't look at the metadata on the image and pinpoint your location. Not that it only applies to content shared via a link. (Here's how to turn off all Google Location History.)
The Help People Connect with you option is about hiding your registered phone numbers on Google, so they can't be used by others to find you for things like a video chat. If you have a Google Voice account, it will also appear here. Uncheck all the boxes to make them private.
Google+? That's still around? Indeed, the remnants of this so-called social network permeate much of Google's infrastructure, enough so that you still have option here to prevent sharing photos, videos, your "+1"s (the equivalent of a Facebook "Like") and reviews you've written. Be sure to check the link for "Edit Your Shared Endorsement Settings" if you don't want your reviews of products/services on Google going out to the general populace.
The Personalize your Google experience section is the beginning of the nitty-gritty of preventing your data and Google usage from being used -- even though Google says this data is only used to help your future activities. It's essentially how Google learns about you and makes things easier in the future as you use its products, like how Google Maps or Google Assistant seem to know what you want before you even ask.
A checkmark appears next to all the items where data is being collected. Click the down arrow to the right and you can toggle off the options. Each section includes a link that reads "Manage Activity" with different options for each. Under Location History > Manage Activity, for example, you'll see what's called the Google Maps Timeline: a map displaying locations where you also logged into Google. Mine showed trips to Florida from years past, my time in the Mediterranean last year, and of course all stops around my home state. There's even route info if you used Google Maps to get somewhere. Limit it all if you don't think it's helping you. Or if you think Google is selling it to others, despite their claims.
Consider limiting your location services so Google (and Apple, Microsoft, Facebook etc.) stop tracking your physical presence via your phones.
Remember, Google makes the majority of its billions by showing you ads in search results and on Gmail, YouTube and Google Maps (plus elsewhere across the internet). You're not going to turn them off here -- for that, you need an ad-blocker program like Adblock Plus -- all you can do here is limit how much you are targeted. Of course, this section is last, because Google hopes you give up before arriving here, since having all this info to create targeted ads helps Google and its customers sell you stuff.
You can click the Manage Your Ad Settings link to see the list of topics you (supposedly) like. Click the icon next to any topics that you don't like. Or hit the toggle up top to turn off any personalization, though Google will pop up a warning of why it will make ads you see "less useful." You can set your gender (which you can customize!) and age. Click Visit AdChoices and you'll get options to opt out of personalized Google Ads on non-Google sites.
If you're interested in seeing all your activity in one place, not just separated by service, you can check it all at myactivity.google.com, which shows you everything you've done that's remotely Google-related. The amount of data is pretty staggering.
Want to delete a day's or date range's worth of data? Want to erase all your data by Google product (so you lose YouTube activity, for example, but nothing else)? You can even pick a keyword to search and delete the related activity. Do all of it by clicking Delete activity by in the left navigation.
Takeout your data
Wondering exactly what Google has on you in all ways? Download all the data and check it out via Google Takeout. To be clear -- this doesn't remove any data from Google servers. It just shows you what Google has stored. Even if you delete your account, it's unlikely it gets deleted entirely.
Maybe someday there will be more stringent laws in the U.S. that force Google to allow that -- like the GDPR in the EU -- but for now, go to takeout.google.com. You'll see the giant list of products Alphabet (Google's parent company) offers, and of which you are probably a customer.
Untoggle any that you don't care about, and click Next at the bottom of the page. You'll be offered an archive file in ZIP or TGZ format; you can set a max size for the archive, up to 50GB. If you have more than that stored in Google, you'll have to download multiple files. You have the option to get a link emailed to you, or to have the files sent directly to Google Drive, Dropbox or Microsoft OneDrive.
I created a Takeout archive of 30 Google products on my work account since I've been using it the shortest amount of time, at around 4:13 p.m. The warning told me it could take a long time -- "hours or possibly days" to create. The email arrived almost exactly 12 hours later at 4:12 a.m. Size: 7.38GB.
Most of it was an archive of Gmail messages, which is not something you can use instantly. That's because the email archive comes in one big MBOX format file. The easiest way to access all those old messages is to get a free desktop email client with native MBOX support, like Mozilla Thunderbird, available for Windows, Mac or Linux in almost any language.
Google Drive documents were, however, instantly usable -- they all come converted into their Microsoft Office format equivalents. (Doing a Takeout of this data is a must if you're leaving a company that uses G Suite.)
What I had was mostly messages; now imagine you've uploaded or created years' worth of YouTube videos, Google+ and Hangouts chats, documents in Drive, images on Google Photos and more. It gets big, fast. And all of that data is on servers to help Google make a perfect profile of you.
Facebook offers a similar data dump that is also useful, if not outright surprising, in gauging what it has on you.
Other tips for privacy
Remember, almost every browser has a privacy mode -- Google Chrome calls it Incognito -- where you can surf without cookies or anything else tracking you. Even the mobile browsers on smarpthones support it.
You can always just delete your entire Google account and walk away. But that's a bit drastic, especially since there are literally hundreds of sites and services that use your Google credentials for logins.
Whatever your feelings about privacy, it behooves you to take a glance through the settings above. You're bound to find something Google's doing that doesn't sit right. Be thankful it gives us as much control over the privacy as it does (or maybe thank the regulators that force Google's hand). It's still not enough for the truly security/privacy obsessed, but it helps with a balance of feeling good while getting the most out of the otherwise excellent services the company tends to offer.