
How Google Puts Your Customers at Risk (And What You Can Do To Prevent It)

With customers becoming more savvy about how valuable their personal information is, any breach of trust can have a direct, negative impact on your company. Understanding how Google leverages customer data is an important step in preventing privacy issues. The more you learn about the potential liability of third-party data management, the easier it will be to make smarter decisions for your company.

Topics covered:

  • How Google collects customer data
  • The business impact of this data being compromised
  • How Taplytics will never misuse your customer data

How Google Collects Your Customers’ Data

Google’s reach extends to almost every corner of the internet—which makes it difficult to visualize the extent to which personal information is tracked and monetized. Every search query, ad click, app engagement, page visit, and login is tracked and logged on their servers. When you use Google’s platform, you’re contributing to their ever-increasing cache of customer data. And while Google does use some of this data to provide helpful context about how visitors interact with your site, it comes with a tradeoff.

Google is just the tip of the iceberg as well. When you take a step back and look at Alphabet, Google’s parent company, it’s clear that they have access to a staggering amount of data.


Map of Alphabet Inc.’s various subsidiaries via Business Insider.

Here is a quick breakdown of the type of information Google currently tracks:

  • Web & App Activity: The interactions customers have with a Google app or service you use are tracked. This includes everything from internet searches to online purchases and voice recordings through Google Home.
  • Ad Preferences: This tracks how users engage with the Google Ads Network—a platform that spans millions of websites, apps, and services around the world.
  • Location History: Whenever anyone uses Gmail or Google Maps, it will automatically log the users’ physical location. Any app built using Firebase, Google’s app development platform, tracks location as well.
  • Device and Browser Activity: Anyone using an Android-enabled mobile device or the Chrome web browser is sending their activity directly to Google, whether or not it’s integrated with your service.
  • Analytics: If you use Google Analytics, the most popular and widely used analytics tool on the market, Google has access to traffic and engagement data from every one of your users.

This kind of ubiquitous data collection is what drives Google’s monetization strategy. When you track a user through Google Analytics, upload a keyword list to Google’s Keyword Planner, or release an app for Android devices, you’re providing direct access to customer data for Google to use. The more Google knows about your customers, the better it will be able to serve ads, search results, or product recommendations that convert.

By deciding to use Google’s platform, you open up your company to potential issues down the line. Whether you’re making the decision to use their service due to limited resources or a lack of viable alternatives, it’s important to understand the risks. While breaches aren’t a common occurrence for Google, connecting your company with their service still requires serious consideration before moving forward.

The Impact of Google Compromising Your Customer Data

With so much information flowing through Google on a daily basis, any case of compromised data on their platform can have very public and potentially disastrous effects. As a result, using their services without proper oversight can end up costing your business a lot. If your customers’ personal data is impacted, you’ll likely lose their trust in your company. And, it opens you up for potential third-party liability in some cases.

These issues are outlined in a recent class-action lawsuit levied against Google by the law firm Boies Schiller Flexner. The lawsuit states that data is being collected through Firebase, Google’s software development kit (SDK), even when users have that feature disabled in their accounts. According to Reuters:

“Even when consumers follow Google’s own instructions and turn off ‘Web & App Activity’ tracking on their ‘Privacy Controls,’ Google nevertheless continues to intercept consumers’ app usage and app browsing communications and personal information.” Reuters.

If the lawsuit finds that Google is actually collecting this information without users’ express permission, any business using Firebase is potentially liable pursuant to third-party liability clauses in privacy regulations like GDPR and CCPA.

To put it simply, your company isn’t just responsible for its own actions. It could also be liable for the misuse of customer data by a third party like Google that your company allowed to access customer data.

The Accountability Principle of Privacy Law

In privacy law terms, third-party liability resulting from a processor or service provider (as Google would be in this example) is governed by the accountability principle. Specifically, the accountability principle states that “an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third-party for processing.”

This means that liability falls on the company that allows the transfer of data to the contracted organization. It holds the company to a “comparable level of protection while the information is being processed by a third-party.” Basically, if you are working with a third-party provider to track and store customer data, your company is responsible for ensuring the customer data remains secure.

Say, for example, a bank uses Firebase on its mobile app, and Google illegally uses or distributes data collected from the app. The bank’s liability depends on how well it ensured the continuity of the protection of the data. This comes down to a few questions for the bank:

  • Did it exercise due diligence in choosing Google as a service provider?
  • Did it agree to Google’s contractual clauses that preclude Google from using the transferred data for any other purposes than the purposes for which they were collected?
  • Did it monitor data compliance by Google during and after the transfer?

As you can see, there’s a lot of scrutiny related to how the relationship between our example bank and Google played out. If it turns out that the bank’s business is liable, that has a direct impact on the bank’s relationship with customers.

How Privacy Issues Damage Trust

When you lose the trust of your customers, it’s very difficult to get it back—especially when it comes to privacy issues. The backlash from a data breach is far more than a knock to your credibility as a brand. The companies involved in data privacy scandals are always made public. That makes your customers—and prospects—aware of the issues, doing irreparable damage to your current relationships.

If you’re not diligent in vetting your third-party tools—whether they’re Google or not—you’re putting your company at a higher privacy risk. This exposure can have a long-term impact on your ability to do business.

Taplytics Will Never Misuse Your Customer Data

Choosing Taplytics over Google makes privacy compliance easier and, given its lower profile, can reduce the risk of regulatory inquiry. “While Google provides data processing agreements that would allow companies to comply with the GDPR and CCPA, those agreements can be difficult to implement correctly because they require marketing and web development/user experience teams to be on the same page,” says Eric DiIulio, a privacy expert at Goodwin Procter LLP.

Unlike Google, Taplytics is a service agreement-based company. Revenue is built on ongoing customer relationships.

The benefit of this business model is twofold:

  1. Taplytics monetizes through paid plans as opposed to paid advertising and selling customer data. Our company has no vested interest in monetizing customer data. Everything you capture through our service is there for the benefit of your team and your business.
  2. Taplytics negotiates agreements to match customer needs instead of resorting to a blanket contractual agreement like Google. The latter makes it easy to run into issues due to a lack of oversight and makes you liable for any privacy issues.

Taplytics protects your customer data by providing both single-tenant and private cloud hosting. This makes maintaining control over customer data easier with Taplytics as well, especially for enterprise companies in highly regulated markets. Instead of relying on the Google Cloud, every piece of customer data you have will be stored only on your system.

And as a Canadian company, Taplytics comes under the jurisdiction of Canadian law, which makes for greater compliance assurance. In fact, Canada is one of the few countries recognized by EU regulators as providing an adequate level of protection for personal information. We follow all compliance required by PIPEDA (the Canadian privacy law) regarding the use of personal information by Taplytics. Specifically, we follow The Accountability Principle, established at Clause 4.1. of Schedule 1 of PIPEDA.

Principle 4.1.3 states that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third-party for processing. Organizations must use contractual or other means to provide a comparable level of protection while the information is being processed by a third-party. – via PIPEDA.

This means that when you use a third-party service provider, you are responsible for a “comparable level of protection” of customer data. And while it may be the third party that processes the personal information, the simple fact that you transfer it to them could cause liability issues down the line.

Sometimes it feels like Google is inescapable. Their search engine processes billions of searches every day, their ad network stretches across millions of websites, and their analytics tool is used by almost every online business. With Google having so much access to personal information, you need to be careful how you implement the company’s products for your customers.

And yet, using Google to track website traffic and customer engagement is table stakes for modern SaaS and technology companies. But is it the right choice? Google doesn’t charge for their analytics or search platform, so they rely on cloud computing and ad revenue to sustain their business. That means they have an incentive to monetize all the data they collect on you and your customers.

As customers become more privacy-conscious and start acting on their ability to control personal information, companies need to make smarter decisions about how they manage that information. Failing to maintain proper data privacy and security measures puts your company at risk of high-profile breaches that damage customers’ trust in your brand and open your company up to potential legal liability.
