
Google is going to delete your data forever, if you haven't logged into your account for two years

Graham CLULEY

May 17, 2023


A new blog post by Google describes their new policy on dealing with inactive accounts - and it's an important read for anyone who doesn't regularly log in.

Google argues that overlooked accounts often don't have two-factor authentication enabled, or use old or reused passwords that may have been compromised by cybercriminals.

In fact, Google claims that its own research has found that abandoned accounts are "at least 10x less likely than active accounts to have 2-step-verification set up."

The concern? If an account isn't sufficiently secured then it might be used to send spam, commit identity theft, or spread malicious content.

Should you panic that your Google account is going to be zapped? Not just yet. Google says that although the policy takes effect from now, the very earliest it will begin to delete accounts is December 2023 - and even then it will begin with accounts that were created and never used again.

Furthermore, Google says that in the months running up to deleting an account it will send multiple notifications to the email address (and recovery address, if one exists) warning that the account's days are numbered unless action is taken.

So, how do you convince Google that your account is still active? The simplest method is to log in to your account at least once every two years.

Alternatively, if you perform any of the following actions while logged into the account Google will consider you "active":

  • Reading or sending an email
  • Using Google Drive
  • Watching a YouTube video
  • Downloading an app on the Google Play Store
  • Using Google Search
  • Using Sign in with Google to sign in to a third-party app or service

I have to be honest, I'm not necessarily comfortable with this way of measuring if a Google account is active or not.

For instance, a long time ago I set up a Google Mail account, with the sole purpose of using it to forward to a different email address.

I never log into that Gmail account (because I don't need to, the emails are automatically forwarded to me). I certainly don't use the account for Google Calendar, to watch videos, or anything else.

So I wouldn't be surprised if Google thinks the account is inactive, and might line it up for deletion at some future point. I guess that in time a warning from Google might be automatically forwarded to me and that will be my cue to log into an account that I never have a reason to log into.

But what if I'd created a Google account purely with the intention of using it to distribute some files to friends and family via Google Drive? Maybe I don't use that Google account ever for email, and I placed priceless photos of a family wedding or a movie of the first steps of my son when he was a toddler.

Would I realise that time was ticking down until the irreplaceable digital memories could be wiped by Google?

Of course you should back up your most precious data. Of course when creating additional Google accounts you should tell it a recovery email address that you are likely to check, and where you would see warning emails from Google.

But we know people often don't follow best practices.

And another thing, what if the account belongs to a deceased person? Family members may get comfort from being able to access - say - files left on a deceased relative's Google Drive. Will these be deleted by Google when the dead person doesn't log in for two years? If their family hasn't managed to wrestle control of their relative's email accounts, it's easy to imagine that the warning emails will never be read by anybody.

My advice? Consider what Google accounts you use now, and might have created in the past. Log into them, ensure that they are protected with strong unique passwords (a password manager can help you remember them), set a recovery email address if you haven't already done so, and enable two-step authentication.

Author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
