The problem is that at the time they added a lot of "vague language" that maybe allowed them to do this, or didn't. But because Google may not be doing a certain collection of data then, it means journalists can't really attack Google for it, because everyone would point out that "it's just vague like that for legal reasons, but Google wouldn't actually do that." So whoever suggests they would do it gets shut down pretty quickly because he or she has no proof Google is doing that right then.
But then a couple of years later they turn on that data collection without anyone realizing, and it may take a few years before some do.
This happened with Microsoft do. When it was suggested that Microsoft can collect every key stroke because that's what their privacy policy says, most said "but that's crazy! Microsoft wouldn't actually do that" (even if that's what the policy says it can do). But the reality this we'd have no idea if Microsoft does indeed do that, maybe not for advertising purposes, but for law enforcement purposes (especially since half of the requests come with gag orders now, as Microsoft recently said when it launched the lawsuit against DoJ).
The default understanding of a privacy policy should be "if the policy allows something, then we should assume the company is doing exactly that." No other understand makes sense in practice.
But then a couple of years later they turn on that data collection without anyone realizing, and it may take a few years before some do.
This happened with Microsoft do. When it was suggested that Microsoft can collect every key stroke because that's what their privacy policy says, most said "but that's crazy! Microsoft wouldn't actually do that" (even if that's what the policy says it can do). But the reality this we'd have no idea if Microsoft does indeed do that, maybe not for advertising purposes, but for law enforcement purposes (especially since half of the requests come with gag orders now, as Microsoft recently said when it launched the lawsuit against DoJ).
The default understanding of a privacy policy should be "if the policy allows something, then we should assume the company is doing exactly that." No other understand makes sense in practice.