Google’s New AI Reads Your Email 24/7. It Has No Privacy Policy.
For anyone with a Google account: what Gemini Spark commits to in writing, and the August 2 deadline Google has not addressed.
Gemini Spark launched globally on May 19, 2026.
Its technical documentation went live the same day.
A search of that documentation for the phrase “privacy policy” returned no result specific to Spark. A search for “data sharing” returned a single sentence, three sections deep in the agent configuration guide. Spark may share sensitive user data with third parties when completing tasks.
Sundar Pichai had announced Spark to a live audience at Shoreline Amphitheatre 48 hours earlier. The press cycle had already moved on. But the documentation had not.
$100 a Month for Server-Side Access to Your Account
Gemini Spark is not a chatbot upgrade. Google describes it as a “24/7 personal AI agent.” But that phrase obscures the architecture.
Spark runs on dedicated virtual machines inside Google’s cloud infrastructure. Not on your phone. Not on your laptop. On Google’s servers. Once activated, the system keeps running after you close your browser. After you lock your screen. After you sleep. Google’s own product description says it works “even when you close your laptop or lock your phone.”
The agent reads your Gmail. It monitors your Calendar. It drafts documents in Google Docs by learning your writing patterns from your email archive.
At I/O 2026, Josh Woodward, vice president of Google Labs, demonstrated Spark scanning his inbox in real time. It drafted an email response in his own phrasing. It compiled a live document tracking who had RSVP’d to an event.
In the next product cycle, Spark gains autonomous purchase authority.
Beta access requires Google AI Ultra. That subscription costs $100 a month.
Judge Mehta’s Ruling Is Two Years Old. Spark Is Two Days Old.
Google announced 900 million monthly active Gemini users at I/O 2026. That figure came from Google’s own disclosure on the keynote stage.
It sits inside a legal context the keynote did not mention.
Google is the defendant in the most significant antitrust case in American technology since the Department of Justice sued Microsoft in 1998. The core allegation: Google illegally maintained its search monopoly by paying billions to device manufacturers and browser companies to remain the default. In August 2024, U.S. District Judge Amit Mehta ruled that Google had violated antitrust law. The remedy proceedings are still active.
A federal judge found Google abused search dominance. Spark now reads 900 million inboxes.
The same company a federal judge found had abused its position to control how Americans search the internet has built an infrastructure layer. So that layer sits on top of every email those Americans receive. Every appointment they schedule. Every document they write.
The legal record does not address Spark. The case predates the product. But every privacy claim Google now makes about Spark exists in the shadow of one federal court finding. Given market power, Google’s instinct is to protect and expand it.
What I Was Looking For in the Documentation
A note about how this piece got written.
I have spent two years tracking the gap between AI keynote announcements and the legal commitments those companies actually make in writing. The pattern is the same at every major lab. Capability launches first. The press cycle amplifies the headline feature. Then the privacy framework catches up later, updated quietly in language that does not generate coverage.
I sat through the I/O keynote watching for one specific signal. Whether Pichai would name a Spark-specific privacy policy. He did not. Twenty-four hours later, the developer documentation was online. I went looking for what the keynote had left out.
What I expected was a Spark policy section nested inside Google’s general AI privacy framework. But what I found was Spark referenced in the general Gemini Privacy Policy without a sub-policy of its own.
I called a privacy attorney who works on tech-platform compliance to make sure I was reading the documentation correctly. She confirmed it. There is no Spark-specific data governance document. There are also no published commitments about how Spark handles legally privileged material, regulated health information, or financial records subject to compliance review.
That was the moment the story stopped being about a missing page. So I started reporting on what a missing framework actually means.
Three Data Categories With No Spark Documentation
Spark does things general AI assistants do not.
It does not wait for you to ask. It reads incoming messages before you have. It learns from your full email archive. And in the next release cycle, it spends money.
Google acknowledged the third-party exposure directly in its technical documentation. Spark shares sensitive user data with services including Canva, OpenTable, and Instacart when completing tasks. Each of those services operates under its own data governance framework. But when Spark passes your information to them, Google’s privacy framework is no longer the only one that applies.
That disclosure was not in the keynote.
Three categories of data are not covered by current Spark documentation. Privileged communications between attorneys and clients. Calendar entries and email threads tied to medical care. Documents and messages containing financial information subject to regulatory requirements.
If your inbox contains any of those three, there is no published commitment about how Spark treats them.
72 Days
The EU AI Act’s consumer-facing AI agent obligations take effect on August 2, 2026. That is 72 days from today.
Among the obligations: transparency requirements covering how AI agents process personal data. Disclosure of what decisions agents make autonomously. Documentation of third-party data-sharing practices. These are not aspirational guidelines. They are legally enforceable requirements with a specific effective date.
Google has published none of this documentation for Spark as of launch.
This creates a binary outcome. A product launched globally on May 19 must either be EU-compliant by August 2 or face restriction in EU markets. Google has not publicly stated which path it is choosing.
$10.5 billion. The AI Act’s maximum penalty. Three percent of Google’s 2025 revenue.
For context on what non-compliance costs. GDPR enforcement against Google has produced fines exceeding seven billion euros since 2019. The AI Act carries a separate penalty structure for transparency violations in general-purpose AI systems. Up to three percent of global annual turnover. Google’s 2025 revenue was approximately $350 billion. Three percent is $10.5 billion.
The clock is running. The compliance documentation is not visible. The deadline does not move.
If you find this kind of reporting useful, follow along. I write about what AI companies announce and what they leave out of the documentation.
Five Questions to Answer Before You Activate
Spark is opt-in. You activate it by choice. And the decision deserves more information than the keynote provided.
These are the five questions worth answering for yourself before you turn it on.
1. Which third-party integrations am I authorizing? Google’s documentation names Canva, OpenTable, and Instacart. Check the current integration list inside the Spark settings panel. Activation grants data-sharing scope to every service on that list. Each has its own retention and resale policy.
2. Does my Gmail contain content I cannot legally share without restriction? Attorney-client communication. HIPAA-covered medical content. Financial information under SOX or similar regulation. Until Google publishes specific handling commitments for those categories, treat Spark as data exposure for any account that contains them.
3. Am I in the EU? If yes, August 2 is the date that matters. Google’s response to the AI Act deadline is the most informative signal you will get. It will reveal how the company has thought through Spark’s compliance architecture.
4. Do I have a separate Google account for sensitive material? A common pattern for journalists, lawyers, and healthcare workers is account segregation. Activating Spark on a consumer account is a different decision than activating it on a professional one.
5. What is my fallback if I want to deactivate? Test the off-switch before you depend on the on-state. Confirm what data Spark has read remains accessible to Google after deactivation. The documentation does not currently clarify this.
Do not rely on the keynote framing to guide this decision. Pichai presented Spark as an efficiency tool. The documentation describes it as something with broader scope.
What this guidance does not solve. None of these questions stops Spark from reading data already in your account if you activate. Deactivation is the only complete protection. Acknowledging that is more useful than pretending the opt-in is granular.
What the Documentation Said That Pichai Did Not
Spark is not search. It is not advertising. It is structurally different from both. A persistent agent with read access to your communications. And in the next release, spend authority. Running continuously on the infrastructure of the world’s largest advertising company. Without a specific privacy policy. Seventy-two days before the law in the world’s third-largest economy requires it to have one.
Google’s pitch is efficiency. The Woodward demo at I/O 2026 showed Spark delivering on that pitch. The pitch is coherent.
The company making the pitch built a $350 billion advertising business on user data that people provided without fully understanding how it would be used. A federal judge ruled that the same company paid billions to ensure it remained the default for how Americans search the internet. The pitch is one document. The court record is another.
Sundar Pichai received applause when he announced it.
The documentation was online twenty-four hours later. The privacy policy is not.
Google’s New AI Reads Your Email 24/7. It Has No Privacy Policy. was originally published in Towards AI on Medium, where people are continuing the conversation by highlighting and responding to this story.
