Privacy Differences between Consumer Gmail and G Suite for Education

Updated on 12/19/2017 based on feedback and corrections from Kim Nilsson

This is a question that comes  up quite frequently. There are significant differences between the consumer Google accounts that are familiar to many parents, and the G Suite for Education accounts that are used in schools. Two significant differences are in the My Account settings and in Google search results.

Schools may also find it helpful to refer to Google’s suggested Notice template for schools when gathering parent or guardian consent and to this page for the privacy practices for specific Google services

User Data Collection settings in User Dashboard and My Account

The Google Dashboard allows the user to see and manage the data in their Google Account. The “My Account” link under the user profile provides users the ability to review their account settings, and view and manage collected data. There are additional settings and activity views under the more-activity page. There are significant differences in the data collected between consumer Gmail and G Suite for Education accounts. Additionally, G Suite for Education administrators must manually enable non-education Google services. If a service (e.g. Google + or Blogger) is not enabled by the G Suite Admin, the user see will the following message and will be unable to access the service.

The following table compares the differences in the My Account settings between consumer and G Suite accounts.

 

Category Consumer Accounts G Suite for Education Accounts
Services/Tools
Security Checkup Available Available
Privacy Checkup Available Available
Find Your Phone(details) Available Available
Signing in to Google
Sign in with your Phone Available Feature requires the following to be enabled by the G Suite Admin

Web & App Activity

Google Now for iOS and Android
Device Management->
Advanced Settings->
Other Google Services

Also requires the Google app for mobile be installed

Change Password Available/User Editable Available (See Note 1)
2-step verification Available Available (See Note 2)
Account recovery options
Recovery eMail Available/User Editable Available if enabled by Admins  (See Note 1)

Note This feature is  not an option if domain is using  Single Sign-On (SSO) or G Suite Password Sync. It also doesn’t work for users under the age of 18.

Recovery Phone Available/User Editable See above
Security Question Available/User Editable See above
Device Activity & Notifications
Recent security events Available Available
Recently used devices Available Available
Apps with access to your account

these are 3rd party services that the USER has given permission to access their account

Available/User Editable Available/User Editable
Saved passwords Available/User Editable Requires the Chrome Sync service to be enabled by the G Suite Admin for the user(G Suite Core).

more info

Allow less secure apps Available/User Editable This setting is managed by the district Admin.

more info

Personal Info and Privacy
Name Available/User Editable Editable by the G Suite Admin. Typically synced from a directory of student information system. There is a setting in the Admin control panel to allow/disallow users from editing their name
NickName Available/User Editable Editable only if Google + is enabled by the G Suite Admin for the user.
User Photo

Gmail setting

Available/User Editable Available/User Editable

There is a setting in the Admin control panel to allow/disallow users from editing their photo

Phone Available/User Used with Hangouts, Google voice or an android device Present if the user has provided a phone # and is enabled (e.g. when verifying an installed  mobile app)
Birthday Available/User Editable Required for G+ service

There is a setting in the Admin control panel (Directory) to allow/disallow users from editing their birthday.

For Education domains, birthday is never editable by end users except for in the Google+ upgrade flow, where it is always editable.

Birthday is only shown to people the user connects with on Google. Private by default, sharing is controlled in the about me settings

Gender Available/User Editable Required for G+ service

There is a setting in the Admin control panel (Directory) to allow/prevent users from editing their gender

By default, gender isn’t shared with other people who use Google services

About Me Available/User Editable Some information is restricted from editing
Google + Settings Available/User Editable Data and setting is user editable only if G+ is enabled for user by the G Suite Admin. This is not permitted for users under 13

There is an Admin option to automatically create G+ profiles for users

Shared Endorsements Available/User Editable Data and setting not present in G Suite for Education. Google does not use shared endorsements for G Suite accounts. G Suite Users will see a message saying “The setting you are looking for is not available for your account”
Blocked Users Available/User Editable The Blocked Users option appears if ANY of the following services are enabled for the user by the G Suite Admin:

-Core: Hangouts

-Non-Core: Google+, Photos, Maps, YouTube

See here for details

Location Sharing Available/User Editable OFF by default

Requires Location History service. This is a non-core service which is off by default and must be enabled by the district Admin

Search Settings Available/User Editable OFF by default

Editable, but SafeSearch is frequently managed by district DNS settings, chromebook policies, content filters or other means and not editable in those cases

Additionally, Google does not display ads or collect search data from Google searches from users that are signed in to a G Suite for Education account

Manage your Google activity
Activity controls
Web & App Activity Available/User Editable

OFF by default

Web & App Activity stores your searches and other things you do on Search, Maps and other Google services, including your location and other associated data.
When Web & App Activity is on, this data may be saved from any of your signed-in devices.

OFF by default

Requires the Web and App activity service (including Chrome browsing history) This is a non-core service which is off by default and must be enabled by the district Admin

The screen has a setting: “Include Chrome browsing history and activity from websites and apps that use Google services”

This additional setting cannot be enabled in G Suite for Education domains as indicated by the message

“Based on your organization, this setting is disabled.”

Note this is not the same as the LOCAL browser history that may be stored on a user’s computer

 YouTube Search History  Available/User Editable

ON by default

Requires YouTube service which must be enabled by the Admin

This is enable ON by default if YouTube is enable and the user creates an account

 YouTube Watch History  Available/User Editable

ON by default

Requires YouTube service which must be enabled by the Admin

This is enable ON by default if YouTube is enable and the user creates an account

Device Information

Device Information privately stores your contacts, calendars, alarms, apps, music, movies, books, and other content. It also stores the status of your devices – for instance, whether the screen is on, the battery level, the quality and duration of network connections like Wi-Fi and Bluetooth, touchscreen and sensor readings, and crash reports. Information is visible only to the user

more info 

Available/User Editable

OFF by default

When this setting is on, information may be saved from any device that uses your Google Account

User can review and delete information

Available/User Editable

OFF by default

When this setting is on, information may be saved from any device that uses your Google Account

User can review and delete information

Location History

 

Available/User Editable OFF by default

Requires Location History service which must be enabled by the Admin

Can be enabled by the user. User can review and delete data

Voice & Audio Activity

Activity from “OK Google”

Available/User Editable

OFFby default

OFF by default

Can be enabled by the user. User can review and delete recordings

Review activity
My Activity Available

My Activity show all activity collected based on the user’s settings for the following

-Web & App Activity
-Device Information
-Voice & Audio Activity
-YouTube Search History
-YouTube Watch History
-Location History
-Google Play Sound Search History
-YouTube “Not interested” feedback
-YouTube survey answers
-Google Place answers

 

 

Available data is YouTube watch and search data and depends on the non-core  YouTube service which must be enabled by the Admin
Timelines in Google Maps Available/User Editable Requires the non-core location history service which is disabled by default in G Suite for Education and must be enabled by the Admin
Google Dashboard Available/User Editable Available

Allows view, manage, export and delete data for many google services

Ads Settings
Ads Settings Available/User Editable Disabled and not possible to enable for G Suite for Education accounts. The user will see the following message when going to the settings page

“Ads Personalization is turned off for this Google Account – The option to personalize ads in Ads Settings is turned off for this account. That means that Google doesn’t use any information associated with this Google Account to target ads while you’re signed in to this account.”

Control your content
Download Your Data Available Requires the non-core Google Takeout service to be enabled by the G Suite Admin
Transfer your content Available Requires Google Takeout service , as well as an additional Takeout checkbox setting and requires external sharing to be enabled by the G Suite Admin in the settings for Google Drive
more info 
Assign an account trustee Available Not available for G Suite for Education accounts
Account Preferences
Payments
Payment Center Available Requires the non-core Google Payments service to be enabled by the G Suite Admin
Subscriptions Available Requires the non-core Google Payments service to be enabled by the G Suite Admin
Payment Methods Available Requires the non-core Google Payments service to be enabled by the G Suite Admin
Language & Input Tools
Language Available/User Editable Available/User Editable
Input Tools Available/User Editable Available/User Editable
Accessibility
Screen Reader Available/User Editable Available/User Editable
High Contrast Colors Available/User Editable Available/User Editable
Your Google Drive storage

Informational only, total storage in account

Available Available (Note that G Suite for Education accounts have unlimited storage)
Delete your account or services
Delete Products Available to delete Gmail, YouTube, Google +

Provides link to download data

Deleting Gmail is not an end-user option. Accounts can only be deleted or suspended by G Suite admin. User can delete profile data for YouTube, Google +. Deleted data is removed from Google systems-more detail is here

Provides link to download data

Google Search Advertising and Tracking

Another key difference between consumer Google accounts and G Suite for Education accounts is the data collection and use in Google Search for signed in users. The screenshot below shows a consumer account’s search results for the term “Lego”. The page shows two ads shown before the actual search results and a sidebar of results from Google’s shopping service.

By contrast, the following screenshot shows a G Suite for Education account’s search results for the term “Lego”. The results show no ads and the sidebar includes only the “info box” for the Lego company and no results from Google’s shopping service

 

 

Notes

1-Admins can enable this password recovery option see this. If the district is syncing passwords via GAPS or using SAML, the user may have similar capabilities

2-Users can opt-in to 2 step verification.  Admin can also require 2 step verification for specific accounts see here for details.

 

Methodology

G Suite Accounts: Testing was conducted using a 4 newly created accounts from a non-production G Suite for Education domain (each account had a variety of services enabled from only minimal Core G Suite services, not including hangouts or groups to an account with all core and non core services enabled and

Gmail Accounts: Testing was conducted with two accounts one newly created and one in active use for several years.

 

Google Notifies K12 Admins of Upcoming Changes to enabled “Additional Google Services”

I have previously written about gSuite for Education and the number of non-core services that are enabled by default when a school sets up their domain. I have not had a chance to retest what services are still enabled by default when creating a new domain, but I did want to acknowledge that Google recently notified existing K12 admins that unless they opt out, Google will change their settings and turn off approximately 1/2 of the non-core services on August 1st, 2017. Admins can re-enable the services manually.

The list of services to be turned off appears to correspond with the list I noted in Jan. 2017 and is good partial step to helping K12 admins tighten down their domains for apps outside the core set of gSuite tools and it provides a end of school year reminder that schools need to be getting permission, and I would also add,  going back to parents to get permission for services that were turned on by default.

*************************************************************************************

YOUR ACTION NEEDED

Services settings changing for G Suite for Education on Aug 1, 2017

In addition to our core G Suite productivity tools like Gmail, Docs, and Classroom, Google makes some of our Additional consumer services available to our G Suite for Education users. These services are used by our G Suite for Education customers to support their educational missions. We want to ensure that other Google services that are not designed for students, such as advertising management services, are not accessible to these users without careful consideration from administrators and parents. You can read more about our commitment to privacy and security here.

To keep G Suite for Education focused on the right services for most schools, we will disable the set of Additional services below on <your domain’s> G Suite for Education account on Aug 1, 2017, unless you choose to control your users’ access to these services yourself below.

Note that you are receiving this message because you are either a K-12 school in our system or your domain has no school type in our system. In order to receive better-targeted communications in the future, please set your school type here. Learn more

Here are the services that will be disabled for your domain:

2017-06-06_14-39-40

Note that some of these services may already be disabled for your users. See your configuration.

If you choose to control services yourself and opt-out of having these services disabled automatically, your institution must ensure, for each of these services you choose to keep on, that:

  • you are enabling the service for educational purposes;
  • you are not enabling the service for any user under the age of 13 (learn more about using managing access for different users in our Help Center);
  • your organization has obtained parental consent for any users between 13 and 18 years old to use the service. Our Help Center has more information and resources for Getting consent for G Suite for Education.

Note that there might be other requirements in countries and communities around the world. Learn more.

You may choose to keep these services enabled for specific organizational unit, and disable them for others, depending on your needs. For new services that are added by Google in the future, please see the ‘New Products’ setting on the Company Profile page. Learn more

Choose what is right for you:

2017-06-06_14-25-41