While millions of companies have been desperately trying to make their websites GDPR compliant, one of the biggest tech companies of them all has fallen foul of one of the biggest no-nos within the GDPR.

A software vulnerability within Google+ exposed hundreds of thousands of users to a data leak between 2015 and 2018. That is bad enough as it is, but the major issue is that Google chose not to inform those affected.

This issue likely didn’t fall under the GDPR guidance due to the timing and Google operating internationally, but it is a sorry state of affairs when the second largest tech company in the world is so lax with data privacy. Google says it discovered and immediately fixed the issue in March of this year.

The issue was originally reported to the Wall Street Journal. Google+ allows developers to collect profile information when granted access by users. A bug gave developers access to the profile data of friends of those users as well, regardless of whether those friends had chosen to share that information publicly. Google said in a blog post that nearly 500,000 users may have been impacted, but because the company keeps the log data from this specific API for only two weeks at a time, it can’t fully confirm who was truly impacted and who was not. The company noted that information like Google+ posts, messages and G Suite content wasn’t included in the exposure.

Rather than fix the issue, Google has finally admitted that its social media network was a bit of a failure and that 90 percent of Google+ user sessions last for less than five seconds. From our experience, Google+ was mainly used by the company to post links to content from blog posts, with the assumption that Google+ was an SEO factor.

Google+ will continue as a product for Enterprise users. It’s by far the most popular use of the social network. Therefore, the company has made the decision that Google+ is better suited as an internal social network for companies, rather than a consumer product.