Google Is Updating Its Inactive Account Policies

Google’s VP, Product Management, Ruth Kricheli, posted on The Keyword about “Updating our inactive account policies” From the post:

People want the products and services they use online to be safe and secure. Which is why we have invested in technology and tools to protect our users from security threats, like spam, phishing scams, and account hijacking.

Even with these protections, if an account hasn’t been used for an extended period of time, it is more likely to be compromised. This is because forgotten or unattended accounts often rely on old or re-used passwords that may have been compromised, haven’t had two factor authentication set up, and receive fewer security checks by the user.

Our internal analysis shows abandoned accounts are 10x less likely than active accounts to have 2-step-verification set up. Meaning, these accounts are often vulnerable, and once an account is compromised, it can be used for anything from identity theft to a vector for unwanted or even malicious content, like spam.

To reduce this risk we are updating our inactivity policy for Google Accounts to 2 years across our products. Starting later this year, if a Google Account has not been used or signed into for at least 2 years, we may delete the account and its contents – including content within Google Workspace (Gmail, Docs, Drive, Meet, Calendar), YouTube and Google Photos.

The policy only applies to personal Google Accounts, and will not effect accounts for organizations like schools or businesses. This update aligns with our policy with industry standards around retention and account deletion and also limits the amount of time Google retains your unused personal information.

The blog post provided the following information:

While the policy takes effect today, it will not immediately impact users with an inactive account – the earliest we will begin deleting accounts is December 2023.

We will take a phased approach, starting with accounts that were created and never used again.

Before deleting an account, we will send multiple notifications over the months leading up to deletion, to both the account email address and the recovery email (if one has been provided).

Google says the simplest way to keep a Google Account active is to sign-in at least once every 2 years. If you have signed into your Google Account or any of our services recently, your account is considered active and will not be deleted.

Things you can do to keep your account active include: Reading or sending an email; Using Google Drive; Watching a YouTube video; Downloading an app on the Google Play Store; Using Google Search; Using Sign in with Google to sign in to a third-party app or service.

Personally, I put two-factor authentication on everything I can. It makes it much harder for some random person to hack into your accounts and take them over.

As far as I can tell, the post on Google’s Keyword blog is the only place where this information has been placed. I think there will be people who never look at The Keyword, and who may be unfortunately surprised when Google decides to delete their account (in December of 2023).