On 13 December, Google extended the applicability of its Cloud Data Processing Addendum (Customers) (CDPA) to NotebookLM users, covering both free and paid accounts. This addendum, a standard set of terms widely used across Google’s cloud products, has undergone regular updates to ensure relevance and compliance.
By applying these terms to NotebookLM, Google provides a clear and consistent framework for understanding data retention and deletion policies. This ensures transparency, security, and alignment with global privacy standards, particularly the General Data Protection Regulation (GDPR), which prioritises user empowerment and data protection.
This guide is presented in three parts:
- Part I: Focuses on Google’s data retention and deletion practices, including timelines and user responsibilities.
- Part II: Explains what constitutes data retained by Google, including its definitions and industry practices, helping users understand the full scope of their data’s lifecycle.
- Part III: Explains the Data Retention practices of Google regarding other users’ NotebookLM data.
Table of Contents
Part I: Retention and Deletion Practices
1. Data Deletion by Customers
Google allows users to delete their data during the service term using the application’s functionality. Once data is deleted, it becomes irrecoverable by the customer and is treated as an instruction for Google to delete the data from its systems. Google commits to completing this deletion process promptly, with a maximum period of 180 days, unless retention is required under European Data Protection Law or other Applicable Privacy Laws.
Relevant CDPA Section
Section 6.1 specifies that customers can delete data during the service term using Google’s functionality. Google treats this deletion as a directive to delete the data across all systems within 180 days.
What It Is About
This provision ensures that users have the ability to permanently remove their data from the service, complying with data minimisation principles in privacy laws like GDPR.
Why It Matters to the User
Users gain full control over their data, enabling them to reduce privacy risks and align with regulatory requirements when managing sensitive or outdated information.
2. End-of-Term Data Handling
At the end of a service term, customers can request the return of their data. If no request is made, Google will delete all remaining data after a 30-day recovery period, completing the process within a maximum of 180 days, unless retention is required by specific laws like GDPR.
Relevant CDPA Section
Section 6.2 governs the handling of customer data at the end of the service term, allowing for a 30-day recovery period before initiating deletion, which is completed within 180 days.
What It Is About
This standard practice ensures that users are given sufficient time to recover their data before it is securely deleted.
Why It Matters to the User
Users can retrieve important data at the end of the service, avoiding unexpected loss, while also ensuring compliance with privacy standards that prevent indefinite data retention.
3. Deferred Deletion Instruction
If user data is linked to multiple active agreements, deletion will only occur after all related agreements expire. Until that point, the data remains subject to the terms of the CDPA.
Relevant CDPA Section
Section 6.3 explains how data deletion is deferred when multiple agreements exist, ensuring that deletion occurs only after all agreements have expired.
What It Is About
This provision protects users from premature deletion of data associated with ongoing agreements.
Why It Matters to the User
It prevents data loss when users are managing multiple services or contracts, ensuring that deletion only happens when all obligations are resolved.
4. Deleting Data in NotebookLM
Deleting Notebooks
Open the notebook and use the delete option to remove it. This action ensures that outdated or unnecessary information is permanently deleted from the application. For German-speaking users, this process mirrors the “löschen” key metaphor, symbolising the precision of manual data deletion.
Deleting Individual Sources
Navigate to the source list within a notebook and delete specific files you no longer need. This allows users to manage their content with fine-grained control, meeting privacy or organisational requirements.
Relevant CDPA Reference
These functionalities align with the general retention and deletion framework under Sections 6.1-6.3.
5. Data Retention Practices
The CDPA guarantees that Google will retain customer data only as long as necessary to fulfil its obligations or as required under applicable privacy laws. Once the retention period ends, data is securely deleted in line with the agreed procedures.
Relevant CDPA Section
Section 3 highlights that data retention policies align with applicable laws and business requirements.
What It Is About
Retention policies define how long data is kept and the process for its secure deletion once it is no longer needed.
Why It Matters to the User
Users can rest assured that their data will not be stored indefinitely, minimising privacy risks and ensuring compliance with global standards such as GDPR.
6. Access and Export Rights
Google provides users with tools to access, rectify, restrict processing, or export their data at any time. These tools ensure users can manage the accuracy of their information and remove any outdated or irrelevant data.
Relevant CDPA Section
Section 9.1 explicitly grants customers access, portability, and rectification rights under GDPR and other frameworks.
What It Is About
These rights are foundational in global privacy laws, allowing users to maintain control over their data and move it between platforms if needed.
Why It Matters to the User
Users gain flexibility to manage their data as they see fit, ensuring compliance with personal or business data management policies.
7. Customer Responsibilities
Customers are responsible for managing their data outside of Google’s systems, including securing backups, protecting account credentials, and using Google’s tools to delete unnecessary data.
Relevant CDPA Section
Section 7.3.1 outlines the shared responsibility model for data security.
What It Is About
The shared responsibility model ensures that while Google provides robust tools and services, users are accountable for certain aspects of their data security.
Why It Matters to the User
This empowers users to take charge of their data management practices, preventing data loss or unauthorised access.
8. Google’s Privacy Measures
Google has implemented several privacy measures to protect user data:
Data Minimisation
Auto-deletion settings ensure data is only kept for as long as needed unless users adjust retention timelines.
Transparency
Users can view detailed breakdowns of how their data is collected, processed, and stored through the Google Account Dashboard.
Differential Privacy
Aggregated data is anonymised to maintain confidentiality.
Federated Learning
Processing is performed locally on devices, ensuring sensitive information stays private.
Relevant CDPA Section
Privacy measures span the entire addendum, reflecting commitments under Sections 1-3.
Why It Matters to the User
These measures offer a combination of security and transparency, ensuring user data is protected from misuse or breaches while complying with international standards like GDPR.
9. Compliance with Privacy Laws
NotebookLM adheres to several global privacy frameworks, including:
- GDPR: Provides users with rights like the “right to be forgotten” and enforces strict data minimisation principles.
- CCPA: Grants users the ability to request data deletion and prevents the sale of personal data without consent.
- COPPA: Restricts access for users under 18 to ensure compliance with child protection regulations.
Relevant CDPA Section
Appendix 3 details specific privacy laws governing Google’s compliance.
Why It Matters to the User
By adhering to these frameworks, NotebookLM ensures users’ data is handled ethically and securely, with transparency about their rights and responsibilities.
Part II: What Constitutes Data Retained by Google?
1. How Google Defines Customer Data
Google broadly defines Customer Data and related terms as follows:
Customer Data
Data submitted, stored, sent, or received by customers or end users via Google services. Examples include:
- Files and documents uploaded to Google Drive or created in Google services like NotebookLM.
- Emails, chats, or other communication content generated in Gmail, Google Chat, or similar services.
- Data ingested or linked via APIs or integrations (e.g., importing external files into Google platforms).
Customer Personal Data
Personal data within Customer Data that includes identifiable or sensitive information about an individual. Examples include:
- Names, addresses, phone numbers, or email addresses submitted by users.
- Financial details (e.g., billing information) or sensitive categories of personal data protected under GDPR.
- Employee or customer data uploaded by businesses for processing.
Derived Data
Data generated or inferred through user interaction with Google services, such as:
- Activity Logs: Records of user actions like logging in, file downloads, or edits.
- Metadata: Information about files or actions, such as file creation timestamps, file sizes, or access histories.
- Usage Analytics: Aggregated trends showing how users interact with services (e.g., time spent on specific features).
Residual Data
Even after users delete content, some non-personal metadata may be retained for limited operational purposes. Examples include:
- Timestamps for file deletions or anonymised system logs for troubleshooting.
- Backups containing snapshots of deleted data for disaster recovery, stored temporarily as part of operational processes.
2. Why It Matters to Users
Understanding what constitutes retained data is critical for several reasons:
Transparency
Users can make informed decisions about what they upload or store on Google platforms, knowing exactly what data may be processed or retained.
Compliance
For businesses handling sensitive or regulated data, clear definitions help ensure alignment with privacy laws like GDPR or CCPA.
Control
Awareness empowers users to actively manage their data, reducing risks of unintended exposure or privacy violations.
3. Data Retention and Deletion Details
Retention Periods
Data may persist for up to 180 days in backup systems even after deletion, to accommodate disaster recovery and secure erasure processes.
Deletion Scope
Google’s deletion process covers primary data, metadata, and backup copies within the specified timeframe, ensuring compliance with global data protection standards.
Residual Metadata
Anonymised metadata may still be retained for troubleshooting or enhancing services but is stripped of personal identifiers to ensure privacy.
4. Recommendations for Users
Audit Content Regularly
Review and delete unnecessary files, emails, and metadata to ensure compliance with privacy laws.
Understand Metadata
Metadata might not be as visible as uploaded content but can reveal activity patterns. Use Google’s transparency tools to manage it effectively.
Plan for Retention Timelines
If handling regulated data (e.g., healthcare or finance), account for Google’s 180-day deletion window in compliance planning.
Export Data as Needed
Use Google’s data export tools to maintain independent backups and ensure access to your content if transitioning services.
Part III: Data Retention Practices
The CDPA outlines Google’s commitment to retaining customer data only as long as necessary to fulfil contractual obligations or comply with applicable privacy laws, such as GDPR or the California Consumer Privacy Act (CCPA). Once the defined retention period ends, the data is securely deleted. However, despite this assurance, Google’s internal processes allow up to 180 days for data deletion to be completed.
Key Details and Interpretations
Retention Period Defined by Need or Law
Data is stored for as long as required to meet operational requirements (e.g., maintaining the functionality of a product) or legal mandates (e.g., compliance with European or US privacy laws). After this period, data is no longer considered necessary and qualifies for deletion.
180-Day Deletion Window
While the retention policy ensures data is eventually deleted, the actual deletion process might take up to 180 days. This timeline accounts for internal processing delays, system requirements for secure erasure, and technical constraints, such as handling data distributed across multiple servers.
Secure Deletion Process
Once the deletion is initiated, the data is permanently erased using methods designed to ensure irrecoverability, meeting global standards for secure data handling. Google employs technologies like cryptographic erasure to render data unreadable before it is physically removed.
What It Is About
Retention policies define how long data is kept before deletion and the mechanisms used to securely erase it from all systems. These policies ensure that data is not stored indefinitely, reducing the risk of unauthorised access or misuse.
Why It Matters to the User
- Minimising Privacy Risks: By ensuring that data is not stored longer than necessary, these practices reduce the likelihood of data breaches or unauthorised access to outdated or irrelevant information.
- Alignment with Privacy Laws: Compliance with frameworks like GDPR and CCPA ensures that users’ rights are respected, such as the “right to be forgotten.” Users can trust that their data will eventually be erased.
- Transparency: While Google’s retention policy assures data deletion, users should be aware that the process might not be immediate, taking up to 180 days in some cases. Understanding this timeline is important for users managing sensitive or regulated data.
Recommendations for Users
Monitor Data Management
Users should take proactive steps to manage and delete unnecessary data before it becomes outdated. This helps ensure compliance with privacy laws and reduces dependency on Google’s retention timeline.
Consider Regulatory Timelines
Businesses or individuals subject to strict regulatory requirements (e.g., GDPR’s 30-day deletion window for certain requests) should factor in Google’s extended deletion period when planning data management strategies.
By understanding how retention policies work and the potential delay in deletion, users can better align their data practices with their privacy expectations and legal obligations.
Specific Challenges in NotebookLM Data Deletion
NotebookLM currently lacks a direct feature to delete all user data at once. Instead:
- Users must delete individual notebooks and files through the interface.
- These manual processes highlight the need for active data management by users, particularly for those handling sensitive or regulated information.
Privacy Laws and Frameworks
Several frameworks govern data deletion globally, including:
- California Consumer Privacy Act (CCPA): Grants California residents the right to request deletion of personal information collected by businesses, with some exceptions.
- Virginia Consumer Data Protection Act (VCDPA): Allows Virginia residents to access, correct, delete, and obtain copies of their personal data.
- Colorado Privacy Act (CPA): Provides Colorado residents with the right to request deletion of personal data.
- Children’s Online Privacy Protection Act (COPPA): Requires data collected from children under 13 to be deleted upon request by parents. Regarding NotebookLM, Google’s policies restrict access to users aged 18 and above, ensuring compliance with COPPA.
How to Contact NotebookLM for Support?
If you have privacy concerns or need support, you can contact the NotebookLM User Support Team directly via email at notebooklm-user-support@google.com. Making a request to review a problem or providing feedback to Google as a personal user of NotebookLM might result in your data being reviewed and used in a limited capacity for AI training, with your consent.
Conclusion
Managing data in NotebookLM requires a combination of manual control and understanding of Google’s broader privacy measures. The robust compliance with GDPR and other global standards offers users confidence in the security of their data. However, NotebookLM’s evolving feature set necessitates active user involvement, especially for those in regulated environments.
Related Articles
- Google Privacy & Data Security Policies for NotebookLM
- NotebookLM and GDPR: Evaluating Google’s Compliance Measures and Privacy Risks
- Balancing Innovation and Privacy: NotebookLM and Data Protection
- NotebookLM and GDPR: Navigating Data Privacy in the European Landscape
Sources
- Cloud Data Processing Addendum (Customers)
- Google Privacy & Terms
- Google Account Dashboard
- Federated Learning Overview
- Google Privacy Controls
Unlocking NotebookLM is not affiliated with Google. We invite readers to share their views and concerns in the comments section to help us build a more comprehensive understanding of user experiences and address questions or issues that matter most to the community. Your feedback also allows us to explore diverse perspectives and refine our content to better serve NotebookLM users.
