Google’s handling of user data has long been a concern for data privacy enthusiasts. While the tech giant has undergone relatively few data breaches in recent history, its control over the Android platform allows them to collect an unprecedented amount of data.

Now Google is taking additional steps to ensure that user data is collected on non-mobile devices as well. A network user recently discovered that Google has changed its domain structure to include all of its services in one parent domain. This means that any permissions granted by a user for one Google service, such as Google Maps, apply to all Google services in the domain.

To understand why this is a serious privacy issue for users, we must first look at how domains work. There are two types of web directory management systems: subdomains and subdirectories .
Subdomains are treated as children of the parent domain, but they exist outside the main domain in a separate section. On the other hand, subdirectories are considered part of the main domain because they are nothing more than a page of the domain.

For example, Google previously used a subdomain for Google Maps, as evidenced by its “maps.google.com” URL.
Now they’ve switched to using a sub-domain with a URL change to “google.com/maps.”
This means that the permission pop-up that appears when a website tries to access a user’s camera, microphone, or location only needs to be accepted once in a wide range of Google services. Google can then use these permissions for all of its services without asking users again.

As shown below, a user’s microphone can be accessed from the Google search page, and camera permissions are granted by Google Meet. Location can be accessed through Google Maps, and this would likely allow the search engine to track a user’s location even if they have not specifically given permission or other applications to do so.
This goes beyond legality when it comes to important data protection rules such as GDPR and the American Privacy and Data Protection Act.
The GDPR states that the provider’s privacy policy clearly states that the company must request consent for access to the camera and microphone. In addition, the company must also provide an explanation of its purpose for requesting access to the camera. On the other hand, India’s new privacy policy is not enforceable with respect to the company’s use of location data. Google’s privacy policy is not clear on these issues.
In addition, location data is considered personal data under the GDPR, and much of the regulation applies to it. The Google Chrome Privacy Policy has a section on how Google determines users’ locations and what it uses them for. However, while they indicate that they do not allow the site to access users’ locations without permission, they also state that they send data to Google location services to determine a user’s location. This data consists of information about the nearest Wi-Fi routers, cell tower IDs near the user, and the user’s IP address.
Any user wishing to use Google Maps for shortcut navigation will now be asked to grant Google permission to access their location. By granting this permission, Google can access this data at any time because of their new domain structure, which allows them to geo-track the user anytime they have a Google website open.