Inactive Account Policy: Don’t Let New Google Rules Lock You Out of Your Site

Google has announced a new Inactive Account Policy that every business owner needs to understand. From their update:

Starting later this year, if a Google Account has not been used or signed into for at least 2 years, we may delete the account and its contents – including content within Google Workspace (Gmail, Docs, Drive, Meet, Calendar) and Google Photos.

The policy only applies to personal Google Accounts, and will not affect accounts for organizations like schools or businesses.

The new inactive account policy is a good idea, but it may come with some significant hidden risks for your website, domain, security certificates and online presence.

How could the Inactive Account Policy harm my business?

As nearly anyone who has worked at an IT firm, digital agency or cyber security business can tell you, some businesses lose their security certificates, hosting or websites because they do not respond to renewal emails. The problem typically begins with a business owner setting up a website using a personal account as the email address, buying services for several years, then forgetting that those services need to be renewed. This happens more frequently than most business owners realize, and it can be devastating if a site host wipes out a business website, or if a business loses access to its domain.

Think about every piece of collateral with your website on it: business cards, letterhead, advertising, online links. Now imagine that all of it is lost because you failed to renew your web address on time. While many online service providers have built recovery options into their renewal processes, those processes may not work if you do not have access to the email used to register the service. At a minimum, you can expect to spend a lot of time on the phone with the provider attempting to resolve the problem. If you lose your web domain, your business email will stop working. These are not problems to take lightly.

How can I stop a lost email address from shutting down my business?

The first step in protecting your online assets is to know what you pay to access to keep your site online. This will always include the following:

• Domain Name: This is the URL of your business, such as https://protectnowllc.com. Domains are not owned; businesses purchase access to them for a set period of time from a domain name registrar, such as GoDaddy or Google Domains. Most businesses opt for 2- or 3-year domain registrations, though you can register a domain for longer or for as little as a year.
  • Losing access to your domain is the worst case scenario for any business. Sites and email will no longer function.
• Site Hosting: Unless you run your own server, someone provides a service to keep your website online. This could be an all-in-one site builder and hosting provider provider, such as Squarespace; a company that specializes in a particular site platform, such as WP Engine, or companies like SiteGround and HostGator that provide server space and allow you to build your site any way you like.
  • Most hosting providers have a grace period for renewal. Your site will go offline and your email may stop working, depending on whether your host provides your email as well as your website. Contacting their customer service and updating your agreement with the provider will typically get your site back online quickly. In the worst case scenario, all of your data and site content could be deleted.
• Security Certificates: Your site should have some sort of SSL certificate. Sites that lack them will not be indexed by search engines and may be blocked by web browsers and smart phones.
  • These certificates must be renewed annually. You may find it very difficult to access your website if the security certificate expires, but your email will work.
• Third-Party Services: Many things fall into this category, such as image hosts, data feed providers and some website widgets or modules.
  • Only specific functions or parts of your website will stop working if one of these services is interrupted.

Make a list of the services you use and the companies that provide them. At a minimum, the list should include your domain name provider, your email provider, your web host and your security certificate provider. If you have trouble identifying any of these providers, look through old emails or review old bank statements and look for one-time charges for companies that may provide these services. You should keep the list of services and providers in a spreadsheet. Do not include passwords in this spreadsheet, as this creates a security risk.

Once you have services and providers listed, log in to each provider and note the date when your service must be renewed. As you attempt to do this, you may discover that a service was registered with a personal email you can no longer access. This is the time to contact the company directly and update your account information. Do not wait until services go down and you are potentially losing business.

Make sure that the email used for each service is active; it can be a personal email, as long as you use that personal email account at least a few times a month. Preferably, it should be a business email associated with a business owner or a company’s IT department. Remember that the new Google Inactive Account Policy will only apply to personal accounts, not Google Workspace or business accounts.

Add the email used to register each service to your spreadsheet. Check the spreadsheet on a regular basis; if you see a renewal date coming up, be sure to check the email associated with that service, including spam folders. Service providers will typically send renewal notices 60 days, 30 days and 14 days before a service is suspended for nonrenewal.

Following these steps will ensure that you do not suffer any service interruptions. In larger organizations, it is a good idea to task someone with service monitoring and renewal so that notices do not slip through the cracks or get overlooked in spam folders. If you contract IT services or have an in-house IT department, make sure that your service providers are whitelisted so that emails can get through.

Why is Google changing its Inactive Account Policy?

Unused email accounts can be used by cyber criminals to carry out attacks, including fake ad attacks that direct users to malware sites. Cyber criminals may also mine unused accounts for personal contacts that can be used in phishing attacks, which is why it is a good idea to be wary of unexpected contacts from people you  have not heard from in a long time. An abandoned account may have been compromised, and you could be talking to a criminal.

By suspending these unused accounts, which may have passwords for sale on the Dark Web, Google eliminates an avenue for cyber crime. This is a welcome step for everyone who is concerned with cyber security. Take inventory of your services and the accounts used to access them, and it will have no impact on your business.