Google has announced an update to its policies for inactive accounts, urging users to log in and review their old Google accounts at least once every 24 months. Previously, Google had a policy that data stored in accounts untouched for two years might be wiped, but now they may be deleted entirely.
Google will start deleting inactive accounts in December 2023 (at the earliest) and take a “phased approach,” starting with “accounts that were created and never used again.” The company says it is “going to roll this out slowly and carefully.”
Before deleting an account, we will send multiple notifications over the months leading up to deletion, to both the account email address and the recovery email (if one has been provided).
Meanwhile, this only applies to free Google Accounts and not those managed by a business or school.
What keeps an account active
Besides signing in periodically, being logged in and performing basic actions counts as activity:
- Reading or sending an email (like viewing an inactivity alert)
- Using Google Drive
- Watching a YouTube video
- Downloading an app on the Google Play Store
- Using Google Search
- Using Sign in with Google to sign in to a third-party app or service
Additionally, Google tells us that using a signed-in Android device is considered activity.
Google Photos already has a separate two-year sign-in and usage policy to be considered active. Meanwhile, accounts with active Play Store subscriptions, like Google One or third-party apps, are considered active.
Today, Google recommends users assign a recovery email, and the company points users toward the Inactive Account Manager to decide “what happens to their account and data when it becomes inactive for a period of up to 18 months.” Options include sending files to trusted contacts, setting a Gmail autoresponder, or account deletion.
Why Google is deleting accounts
In making this change, Google cites security, as inactive accounts — often with “old or re-used passwords that may have been compromised” — are more likely to be compromised.
Our internal analysis shows abandoned accounts are at least 10x less likely than active accounts to have 2-step-verification set up. Meaning, these accounts are often vulnerable, and once an account is compromised, it can be used for anything from identity theft to a vector for unwanted or even malicious content, like spam.
This also “limits the amount of time Google retains your unused personal information,” with this time frame considered to be an industry standard. Unlike other services with different security/privacy implications, Google will not free up Gmail addresses to reclaim with deletions.