Verdict

EXHIBIT A

Google.

"we built the index. you're in it."

Google's policy says it doesn't "sell" your data §10.2 — because under California's narrow definition, running the world's largest ad auction on your behalf isn't technically a sale. They link your Search, Gmail, YouTube, Maps, Chrome, and Android activity into one cross-device profile §3.1, pull in your activity from over 2 million non-Google sites via ads and analytics §5.2, train Gemini on "publicly available" web data including, plausibly, you §6.1, and keep some data for "legitimate business purposes" — undefined, indefinite §8.1. Incognito mode does not stop the partner-site pipeline §5.3. Your school or employer's domain admin can read your mail and lock you out of your own privacy settings §7.2.

Search / Ads / Apps / Android

Analyzed: 2026-05-23

§2 · The short version

TL;DR — 8 answers.

The eight things you actually want to know, at a glance.

TL;DR — 8 answers F

~ Do they sell your data?

YES Are they tracking you on other sites?

YES Can your data train their AI?

~ Who can see what you do?

~ Can you delete everything?

NO Do they honor your opt-out?

~ Special handling for minors?

YES Been fined for this before?

§3 · The details

The questions, answered.

No legalese. Every answer the way your most cynical friend would put it.

COND.

§10.2

Do they sell your data?

Google's policy literally says "Google does not sell your personal information." That's true under California's narrow definition. They still run the largest behavioral ad auction on Earth using your profile.

YES

§5.2

Are they tracking you on other sites?

Over 2 million non-Google sites embed Google ads or Analytics. Your activity there flows back. Incognito doesn't stop it.

YES

§6.1

Can your data train their AI?

"Publicly available information" feeds Translate, Gemini Apps, and Cloud AI. "Publicly available" is doing a lot of work in that sentence.

COND.

§7.1

Who can see what you do?

Google employees with "need" · service providers · ad/measurement partners · governments on request · your school or employer's domain admin (who can also lock your privacy settings).

COND.

§8.1

Can you delete everything?

You can delete account content. Some data is retained for "legitimate business or legal purposes" — undefined — and backup copies persist after deletion.

§9.1

Do they honor your opt-out?

Global Privacy Control is not mentioned in the policy. Opting out of personalized ads in My Ad Center does not stop data collection — only ad targeting.

COND.

§7.2

Special handling for minors?

Under-13 accounts go through Family Link. Teens get a Teen Privacy Guide. School-account students get a domain admin who can read everything and lock controls.

YES

§11.1

Been fined for this before?

€50M GDPR fine (CNIL, 2019), $391.5M U.S. multi-state location-tracking settlement (2022), $700M Play Store antitrust settlement (2023), €4.34B EU Android antitrust fine — among others. The policy says none of this.

§3 · The privacy card

At a glance, honestly.

Eight signals, color-coded. Like a model card for a machine — except the machine is reading your data.

Privacy Card · Google · Analyzed 2026-05-23

Data sold / shared YES MIXED

Cross-site tracking YES BAD

AI training YES opt-out: limited

Deletion right AVAIL. GOOD

GPC honored NO BAD

Keeps forever? YES BAD

Child protections COND. MIXED

Automated decisions YES human review: no

Collects

Identifiers, Location, Browsing & Search History, Communications & Content, Voice & Audio +4 more

Shares with

Affiliates (YouTube, Android, Fitbit, etc.), Service providers, Advertising & measurement partners, Domain administrators +1 more

§5 · The label they should have shown you

The Privacy Label, honestly.

An Apple-style label for what's collected and a Cranor-style back-of-pack for what they do with it. Every cell links to the exact line in their policy.

GOOGLE — DATA COLLECTED

PER APPLE PRIVACY-LABEL TAXONOMY ↗

● USED TO TRACK YOU

Data shared with third parties for cross-property tracking.

Identifiers §2.1

Name · Email · Phone number · Google Account ID · Advertising ID · Device IDs · Browser cookies · IMEI / UUID

Location §2.3

GPS · IP address · Wi-Fi access points · Cell towers · Bluetooth beacons · Labeled places (home, work)

Browsing & Search History §2.2

Search terms · YouTube watch history · Chrome browsing history (when synced) · Activity on third-party sites via Ads + Analytics

◐ LINKED TO YOU

Tied to your identity and stored against your account.

Communications & Content §2.2

Emails (Gmail) · Docs, Sheets, Photos · YouTube comments · Call & message metadata via Voice / Fi / Meet

Voice & Audio §2.2

"Hey Google" recordings · Audio samples retained for model improvement

Device & Network §2.1

IP address · Crash reports · System activity · Carrier name · Installed apps · Referrer URLs

Commercial / Purchase §10.1

Payment methods · Purchase history across Google services

Health & Biometric §10.1

Heart rate, sleep, steps via Fitbit / Pixel Watch / Google Fit · Optional fingerprints in product studies

Inferences §10.1

Ads interest categories · "People who matter most to you online" · Demographic guesses

○ NOT LINKED TO YOU

Aggregated, supposedly anonymous.

Other Data

— none claimed —

↓ BACK OF LABEL · WHAT THEY DO WITH IT (CRANOR FRAMEWORK)

Purposes

Personalized advertising, Cross-product / cross-device profiling, Analytics & measurement, AI / Gemini model training, Safety, fraud & abuse detection, Legal & government requests. §4.1

6+ stated purposes. The interesting ones are buried in §7.

Sold or shared?

Yes. Affiliates (YouTube, Android, Fitbit, etc.), Service providers, Advertising & measurement partners, Domain administrators, Government & law enforcement. §7.1

"We don't sell data" is technically true and substantively false.

Retention

Indefinite, with caveats. §8.1

Mixed: user-deletable content vs. "legitimate business or legal purposes" retained for undefined longer periods. Deletion is not instant — copies persist in active and backup systems.

User controls

Deletion: Available · Opt-out: Limited §9.1

Delete works. Opting out of inference does not exist.

Honors GPC?

No. §9.1

Global Privacy Control browser signal: ignored.

Automated decisions

Yes. No human review. §4.5

Ad targeting via My Ad Center topics · Search & YouTube ranking · Abuse / spam detection that can disable accounts · Account-takeover risk scoring. All algorithmic.

AI training on your data

Yes. EU opt-out only. §6.1

Your public posts/photos train commercial models.

Children's data

Under 13 blocked · 13–17 limited §8

Ad targeting paused for teens, but content profile still kept.

Breach disclosure

"As required by law." §15.3

Translation: the bare minimum legal window in your jurisdiction.

§5 · The receipts

The receipts, translated.

Five of the worst clauses, lifted verbatim. Strikethroughs are theirs. Marginalia is ours.

GOOGLE PRIVACY POLICY · INFORMATION GOOGLE COLLECTS — cross-product use §3.1

We may use the information we collect across our services and across your devices for the purposes described above. For example, depending on your available settings, if you watch videos of guitar players on YouTube, you might see an ad for guitar lessons on a site that uses our ad products. Depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google.

ONE PROFILE TO RULE THEM ALL

GOOGLE PRIVACY POLICY · WHY GOOGLE COLLECTS DATA — measurement §4.3

When you visit sites or use apps that use Google’s ad or analytics services, those services may link information about your activity from that site or app with activity from other sites or apps that use our services.

PIXELS EVERYWHERE

GOOGLE PRIVACY POLICY · BUSINESS PURPOSES — research & development §6.1

Research and development: Google uses information to improve our services and to develop new products, features and technologies that benefit our users and the public. For example, we use publicly available information to help train Google’s AI models and build products and features like Google Translate, Gemini Apps, and Cloud AI capabilities.

AI BUFFET

GOOGLE PRIVACY POLICY · U.S. STATE LAW REQUIREMENTS §10.2

We explain when Google may disclose information in Sharing your information. Google does not sell your personal information. Google also does not “share” your personal information as that term is defined in the California Consumer Privacy Act (CCPA).

DEFINITIONAL JIU-JITSU

GOOGLE PRIVACY POLICY · ADDITIONAL CONTEXT — third-party sites §5.3

This information is shared regardless of which browser or browser mode you use. For example, although Incognito mode in Chrome can help keep your browsing private from other people who use your device, third party sites and apps that integrate our services still share information with Google when you visit them.

INCOGNITO ≠ PRIVATE

§6 · The deceptive design

Dark patterns spotted.

Tricks the policy and surrounding UX use to make you "consent" without really consenting.

Definition laundering

§10.2

Claim "we don't sell your data" while running the largest behavioral ad auction in history — by hiding behind California's narrow statutory definition of "sell" and "share."

"Google does not sell your personal information. Google also does not “share” your personal information as that term is defined in the California Consumer Privacy Act (CCPA).

Cross-product profile bundling

§3.1

Using Search, YouTube, Maps, Gmail, Chrome, or Android signs you into one merged profile. There is no in-product setting to opt out of cross-product linkage as a whole.

"We may use the information we collect across our services and across your devices for the purposes described above.

Ambient third-party tracking

§5.3

Embedded ads, Analytics, YouTube players, reCAPTCHA, and Fonts on millions of unrelated sites send data to Google whether you have an account or not. Incognito mode does not stop it.

"although Incognito mode in Chrome can help keep your browsing private from other people who use your device, third party sites and apps that integrate our services still share information with Google when you visit them.

AI training by default

§6.1

Calling the web "publicly available information" lets Google scrape it into Gemini training data without per-person consent. No global, plain-language AI opt-out is offered to consumer users.

"we use publicly available information to help train Google’s AI models and build products and features like Google Translate, Gemini Apps, and Cloud AI capabilities.

Indefinite retention via undefined exceptions

§8.1

"Legitimate business or legal purposes" is left undefined and acts as a retention escape hatch. Deletion also doesn't guarantee removal — backup copies persist.

"And some data we retain for longer periods of time when necessary for legitimate business or legal purposes, such as security, fraud and abuse prevention, or financial record-keeping.

Domain administrator override

§7.2

If you use Google through a school or employer (Workspace), your domain administrator can read your mail, suspend your account, and explicitly restrict your ability to change your own privacy settings.

"Restrict your ability to delete or edit your information or your privacy settings

§7 · What you can actually do

Your rights, by where you live.

Same company, wildly different rights depending on your jurisdiction. Direct links to the specific opt-out / delete / access flows.

EU (GDPR)

DIFFICULTY: MEDIUM

✓ Right of access
✓ Right to erasure
✓ Right to rectification
✓ Right to data portability (Google Takeout)
✓ Right to object to processing
✓ Right to withdraw consent

REQUEST →

Source: §9.2

California (CCPA / CPRA)

DIFFICULTY: HARD

✓ Right to know what is collected
✓ Right to delete
✓ Right to correct
✓ Right to opt out of "sale/share" — Google claims neither applies
✓ Right to limit use of sensitive personal info
✓ Right to non-discrimination

REQUEST →

Source: §10.2

Default (rest of world)

DIFFICULTY: NIGHTMARE

✓ Account deletion via My Account
✓ Activity deletion via My Activity
✓ Data export via Takeout
✓ Ad personalization toggle in My Ad Center
✓ No statutory right to AI training opt-out
✓ No statutory deletion deadlines

REQUEST →

Source: §9.3

§8 · Receipts

The actual sources.

Every claim above is anchored to a line in the policy we analyzed. Click any section ID to view it in context.

ANALYZED BY: claude (via Claude Code sub-agent) · PROMPT VERSION: honest-policy-v1.4-subagent · ANALYZED AT: 2026-05-23T00:00Z
SOURCE: https://policies.google.com/privacy · POLICY VERSION: 2026-04-02 · SNAPSHOT HASH: auto

§1.1

Preamble / trust statement

"When you use our services, you’re trusting us with your information."

Original → Snapshot →
§2.1

Information collected — apps, browsers & devices

"including IP address, crash reports, system activity, and the date, time, and referrer URL of your request."

Original → Snapshot →
§2.2

Information collected — your activity

"we may collect call and message log information like your phone number, calling-party number, receiving-party number, forwarding numbers, sender and recipient email address, time and date of calls and messages, duration of calls, routing information, and types and volumes of calls and messages."

Original → Snapshot →
§2.3

Information collected — your location

"GPS and other sensor data from your device"

Original → Snapshot →
§3.1

Why Google collects data — cross-product, cross-device

"We may use the information we collect across our services and across your devices for the purposes described above."

Original → Snapshot →
§4.1

Why Google collects data — personalized ads

"we may also show you personalized ads based on your interests and activity across Google services."

Original → Snapshot →
§4.2

Why Google collects data — Drive/Gmail/Photos carve-out

"We don’t show you personalized ads based on your content from Drive, Gmail, or Photos."

Original → Snapshot →
§4.3

Why Google collects data — measure performance

"When you visit sites or use apps that use Google’s ad or analytics services, those services may link information about your activity from that site or app with activity from other sites or apps that use our services."

Original → Snapshot →
§4.4

Why Google collects data — protect Google, users, public

"We use information to help improve the safety and reliability of our services."

Original → Snapshot →
§4.5

Why Google collects data — automated processing

"We use automated systems that analyze your content to provide you with things like customized search results, personalized ads, or other features tailored to how you use our services."

Original → Snapshot →
§5.2

Third-party partner ecosystem scale

"There are over 2 million non-Google websites and apps that partner with Google to show ads."

Original → Snapshot →
§5.3

Activity on third-party sites and apps (incl. Incognito)

"although Incognito mode in Chrome can help keep your browsing private from other people who use your device, third party sites and apps that integrate our services still share information with Google when you visit them."

Original → Snapshot →
§6.1

Business purposes — research and development / AI

"we use publicly available information to help train Google’s AI models and build products and features like Google Translate, Gemini Apps, and Cloud AI capabilities."

Original → Snapshot →
§7.1

Sharing your information — when Google shares

"We do not share your personal information with companies, organizations, or individuals outside of Google except in the following cases:"

Original → Snapshot →
§7.2

Sharing — domain administrators

"Restrict your ability to delete or edit your information or your privacy settings"

Original → Snapshot →
§7.3

Sharing — partner cookies for ads & measurement

"We also allow specific partners to collect information from your browser or device for advertising and measurement purposes using their own cookies or similar technologies."

Original → Snapshot →
§7.4

Sharing — legal reasons & government requests

"Respond to any applicable law, regulation,legal process, or enforceable governmental request."

Original → Snapshot →
§8.1

Retaining your information

"And some data we retain for longer periods of time when necessary for legitimate business or legal purposes, such as security, fraud and abuse prevention, or financial record-keeping."

Original → Snapshot →
§8.2

Deletion lag / backup persistence

"there may be delays between when you delete something and when copies are deleted from our active and backup systems."

Original → Snapshot →
§9.1

Your privacy controls / policy change rights

"We change this Privacy Policy from time to time. We will not reduce your rights under this Privacy Policy without your explicit consent."

Original → Snapshot →
§9.2

EU users — service linking choices

"If you’re a user in the EU, the decisions you make on linking services will affect how certain Google services can use the data across our services."

Original → Snapshot →
§9.3

International data transfers

"We maintain servers around the world and your information may be processed on servers located outside of the country where you live."

Original → Snapshot →
§10.1

U.S. state law — categories of information collected

"Inferences drawn from the above, like your ads interest categories."

Original → Snapshot →
§10.2

U.S. state law — "does not sell or share" claim

"Google does not sell your personal information. Google also does not “share” your personal information as that term is defined in the California Consumer Privacy Act (CCPA)."

Original → Snapshot →
§11.1

Scope — applies to all Google services & affiliates

"This Privacy Policy applies to all of the services offered by Google LLC and its affiliates, including YouTube, Android, and services offered on third-party sites, such as advertising services."

Original → Snapshot →
§12.1

Policy version / effective date

"Effective April 2, 2026"

Original → Snapshot →