Google’s Cookie to have 2 Year Expiration (Because it is of little value after that time)

Google announced today they are changing the expiration date of their cookie from 2038 (the latest possible date) to a rolling 2 year period. Once put into action, users who visit Google today, for example, will receive a cookie that expires on July 16, 2009. If that user never visits a Google website again, that cookie will disappear after those 24 months.

Of course, if that user visits Google again tomorrow, the cookie will renew for a new 2-year period. So, users who visit Google daily (like many), will continue to receive cookies with a rolling 24-month expiration. In practice, then, regular users of Google will not really benefit from this policy change.

This sounds like a great policy shift in order to protect user privacy, but my hunch is that Google is willing to allow this change because they see little value in having cookies linking data beyond a 2 year window. Google uses cookies to help track individual users’ search & related activities in order to understand who that person is and provide personalized results (and, of course, advertisements). If a user searches for “Paris Hilton,” having tracking cookies helps Google know whether to provide results about hotels in the French capital or video clips of the celebrity debutante. Google can analyze previous searches associated with that cookie to predict what the user really wants to see. My hunch is that the brilliant data-mining minds at Google recognize that if someone hasn’t searched on Google in two years, their past history probably isn’t a good indicator of their current needs. So, if linking to two-year-old data isn’t all that valuable, they might as well just dump the cookie altogether. It doesn’t harm their data-mining needs — and it’s good PR.

Peter ongoing plan to continue innovating in the area of privacy to protect our users.” This is a good first step, but far from a complete solution. An easy way to take this announcement a step further would be for Google to announce that not only will the cookie on my computer expire after 24 months of non-use, but that they will also remove any record associated with that cookie from their internal databases. Such a policy would have a much greater impact on user privacy, since even if my cookie vanishes after 24 months, a record of all my activity remains on the servers in Mountain View.

(Thanks to Fred Stutzman, sitting in front of me, for pointing this out to me before Bloglines did)

4 comments

  1. “An easy way to take this announcement a step further would be for Google to announce that not only will the cookie on my computer expire after 24 months of non-use, but that they will also remove any record associated with that cookie from their internal databases”

    Um they already do, they anonymize after 18 months, 6 months earlier than you asked!

  2. Ash: Yes, they’ve announced that they will “anonymize” the IP address and cookies after 18 months. But they haven’t released precisely how they will actually do that (“Our engineers are already busy working out the technical details”), or when it will be implemented. Regardless, attempts to anonymize the data are not the same as removing the records altogether. The latter is the stronger move to make, and the move I am calling for.

  3. Of course, the truly privacy-protective course for Google to take would be to only store search records for users that had explicitly opted for that to happen.

    I do hope that Google’s idea of “anonymising” records after 18 months isn’t to replace IP addresses with other “random” identifiers in their logs. AOL already demonstrated the futility of that course of action.

  4. Ian – I agree. Giving users control over their information would be the best course of action. I’m willing to give up the promise of personalized results & advertisements in order to keep my personal information from being routinely captured by my search engine provider, but Google doesn’t give me that option…

    A key question here, from Google’s perspective, is whether users might be willing to pay for such privacy protection, since Google would – presumably – lose revenue if the ads are as uniquely tailored to the individual user…
