The notice states that users in applicable jurisdictions may have rights including access, correction, deletion, data portability, and objection to processing, with the availability of these rights depending on the user's location.
This analysis describes what Google Gemini's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision discloses jurisdiction-specific data subject rights and routes their exercise through Google's privacy tools, establishing the procedural framework for rights requests under GDPR, UK GDPR, CCPA, and equivalent frameworks. The rights are conditional on jurisdiction, and the notice does not enumerate specific response timelines.
Interpretive note: The specific rights available and applicable response timelines depend on the user's jurisdiction and the applicable law, which the notice does not enumerate in detail.
The updated notice adds new disclosure sections explaining how data flows when using Gemini Spark (remote browser and computer access), how avatar creation collects and processes information, and clarifies that Google collects information about AI reasoning steps during task execution. The notice also refines language around subscription information to specify 'Google AI plan' rather than just generic 'paid subscription.' These changes do not establish new obligations but rather expand the transparency disclosures provided to users about existing and new features.
View change record →The updated notice now explicitly identifies Memory as a feature that operates on the basis of user consent, alongside Voice Match. The revised language removes prior geographic restrictions on personalization, meaning Gemini can now reference chat history to generate personalized insights for all users globally, not just those outside the EEA, Switzerland, and the UK. The removal of the statement 'Keep Activity must be on to use this feature' simplifies the operational requirement but does not establish a new obligation. You can learn how to turn the Memory feature on or off through the updated privacy notice.
View change record →The updated privacy notice now discloses that Gemini can use data from connected Google apps and imported memory or chats from other AI platforms to personalize your experience and to improve services, including training generative AI models. This data is treated similarly to other Gemini activity. You can manage or delete your imported activity anytime through the Activity controls.
View change record →This addition acknowledges jurisdiction-specific privacy regulations (likely GDPR, CCPA, and similar laws) and informs users of their rights to access, correct, delete, and export personal data.
View full change record →Under this clause, users in qualifying jurisdictions may submit requests to access, correct, delete, export, or restrict processing of their personal data through Google's privacy tools. The availability and scope of these rights depend on the user's location and applicable law.
How other platforms handle this
If you are a California resident, you may have the right to: Know what personal information we collect, use, disclose, sell, or share. Correct inaccurate personal information. Delete your personal information. Opt out of the sale or sharing of your personal information. Limit the use and disclosure ...
Depending on where you live, you may have certain rights with respect to your personal information, such as the right to request access, correction, or deletion of your personal information, or to opt out of the sale or sharing of your personal information. If you are a California resident, you have...
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
Google Gemini has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Depending on where you live, you may have certain rights related to your personal information, such as the right to access your personal information, update or correct it, delete it, export a copy of your data, or object to how it is processed.— Excerpt from Google Gemini's Gemini Apps Privacy Notice
1) REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 15-22 (data subject rights), UK GDPR equivalents, CCPA rights provisions, and comparable US state privacy law frameworks. Response timeline obligations under GDPR (one month, extendable to three months) and CCPA (45 days, extendable by 45 days) apply. Enforcement authorities include national DPAs for EU users, the UK ICO, and state attorneys general for US users. 2) GOVERNANCE EXPOSURE: Medium. The provision routes all rights requests through Google's centralized privacy tools, which is standard practice. However, the interaction between deletion rights and the three-year reviewer retention period (addressed in a separate provision) creates a potential tension that may require regulatory clarification. 3) JURISDICTION FLAGS: EEA and UK users have the most comprehensive rights under applicable law. California, Colorado, Virginia, Connecticut, and other US state residents have growing statutory rights under enacted privacy laws. Compliance teams in these jurisdictions should verify that rights request response procedures satisfy applicable statutory timelines and completeness requirements. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise data processing agreements should specify how rights requests from end users of enterprise-deployed Gemini instances are routed and fulfilled, and whether the enterprise or Google bears primary responsibility for response. 5) COMPLIANCE CONSIDERATIONS: Legal teams should verify that rights request intake, logging, and response procedures are consistent with applicable law in all jurisdictions where Gemini is deployed. The interaction between deletion requests and the reviewer retention period should be addressed in response templates and regulatory correspondence.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision discloses jurisdiction-specific data subject rights and routes their exercise through Google's privacy tools, establishing the procedural framework for rights requests under GDPR, UK GDPR, CCPA, and equivalent frameworks. The rights are conditional on jurisdiction, and the notice does not enumerate specific response timelines.
Under this clause, users in qualifying jurisdictions may submit requests to access, correct, delete, export, or restrict processing of their personal data through Google's privacy tools. The availability and scope of these rights depend on the user's location and applicable law.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Google Gemini.