Google Enters Largest Attorney General Multistate Privacy Settlement in History
Google has agreed to pay nearly $392 million in a settlement with 40 states over allegations that the company tracked people through their devices after location tracking had been turned off. According to the states’ attorneys general (AGs), since at least 2014 Google had violated consumer protection laws by misleading users about when the company recorded users’ movements. More specifically, the state governments contend that Google collected and stored users’ location data even if the user selected a privacy setting that stated it would prevent Google from doing so. According to the state AGs, Google then exploited the secretly culled data for digital marketers to sell advertisements, the source of nearly all of Google’s revenue. The settlement marks the largest-ever multistate privacy settlement.
AP Article Kickstart to AG Investigation
The multistate AG inquiry began after the AGs were alerted to Google’s deceptive practices by an Associated Press (AP) investigation in 2018. The AP investigation focused on two Google account settings: Location History and Web & App Activity. Location History is “off” unless a user turns on the setting, but the separate account setting, Web & App Activity is automatic “on” when users set up a Google account.
At the time, Google allowed users to “pause” a setting named Location History, which Google represented would prevent the company from remembering where users had been. The support page stated, “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.” The AP investigation found that this was not true. In fact, even with Location History paused, Google still automatically stored time-stamped location data in various Google apps without asking. For example, Google stored a snapshot of a user’s location when the user opened the Google Maps app and pinpointed rough location data through weather updates. This was also true for other apps that do not relate in any way to location – if a user searched “‘chocolate chip cookies,’” on the company’s search engine Google would then pinpoint the user’s precise longitude and latitude to the square foot and save it to their Google account.
In response to the AP investigation, a Google spokesperson provided a statement to the AP that “[t]here are a number of different ways that Google may use location to improve people’s experience, including Location History, Web & App Activity, and through device-level Location Services” and that the company provided “clear descriptions of these tools and robust controls” so that users could elect to turn them on or off and delete their data at any time.
The AP investigation found that was not the case.
According to the AP, to prevent Google from saving location markers, Google represented that users could turn off the Web & App Activity Setting. The AP investigation highlighted the misleading nature of this practice given that the Web & App Activity setting makes no specific reference to location information. The AP investigation stressed consumer privacy consumers with this practice as the setting is enabled by default. As reported in the investigation, “pausing” the setting prevented Google from saving activity on any device to a user’s account. However, the AP investigation discovered that leaving Web & App Activity on and turning Location History off merely prevented Google from adding a user’s location data to a “timeline” – Google’s sequential map of all the places a user has been. Critically, it did not prevent Google from collecting other location markers. And while users could delete those markers by hand, the AP described the process as “painstaking” since the markers had to be selected individually and were also scattered under different headers, many of which did not relate to location.
Storing users’ real-time travel data carries significant privacy risks in that it contains some of the most sensitive personal data. Pennsylvania Office of Attorney General highlighted the privacy risks in collecting this sensitive data stating, “[e]ven a limited amount of location data can expose a person’s identity and routines and can be used to infer numerous personal details” about an individual. Historically, the data has also been used by police to determine the location of suspects. To this end, the AP investigation highlighted that Raleigh, North Carolina police had served multiple warrants on Google in 2017 to demand data from Google accounts from any mobile device that trended too close to scene of the crime. In those circumstances, the warrant was not limited to actual suspects of the underlying crimes.
Settlement Terms
The AGs findings follow and build upon much of what the AP reported in its 2018 investigation. Based upon such findings, the AGs asserted Google had engaged in deceptive and unfair actions and practices in violation of the state’s consumer protection acts.
Under the terms of the settlement agreement, Google agreed to several measures that the state AGs contend is designed to give consumers more transparency into Google’s practices. Such measures include requiring Google to show additional information to users whenever they turn an account setting “on” or “off;” making key information about location tracking unavoidable for users; limiting Google’s use and storage of certain types of location information; and requiring Google account controls to be more user-friendly.
Additionally, Google will be required to provide certain disclosures from users. For example, Google is required to notify users who have Location History or Web and Activity App enabled at the time of the notification to disclose whether these settings collect location information and instruct users how to disable each setting, delete the data collected, and set data retention limits. Additionally, Google must maintain a dedicated webpage – a “Location Technologies” page – linked via its Privacy Policy that discloses Google’s practices and policies concerning:
- Types of location information collected by Google
- Sources of location information collected by Google
- Whether, and under what circumstances, is location information collected and/or retained by Google is precise location information
- How enabling each location-related account setting impacts the collection, retention, and/or use of location information by Google, including the precision and frequency of data collected and whether each setting applies across devices linked to the same account
- How, and to what extent, users are able to limit in Google accounts the location information Google collects, retains, or uses when location-related account settings are disabled or paused
- How users can find information about the states of their location-related account settings and disable such settings
- Purposes for which Google collects or obtains location information, including how location information is used for advertising, research, purposes, trends, and creating user profiles
- How, and to what extent, users can limit Google’s uses of location information, including the fact that users cannot prevent the use of location information in advertising by ads personalization
- Google’s default retention period for each type of location information and the reasons Google retains the location information
- How users can set auto-retention and deletion periods in Google accounts for their location information, including a link to the controls
- How, and to what extent, location information can be deleted by users, deleted by user request, or automatically deleted by Google
- Whether, and what types of, location information are collected from users signed out of their accounts, how that location information is retained and/or used, and whether and how signed-out users can limit the collection or delete the location information
- User ability to reset any pseudonymous IDs or obfuscated IDs that use location information
- Hyperlinks to Google webpages describing the extent to which location information collected or stored by any location-related account setting is pseudonymized, anonymized, or de-identified when deleted by a user
Google must also obtain express affirmative consent from users to share a user’s precise location information with a third-party advertiser prior to engaging in such conduct. Relatedly, the terms of the settlement agreement require Google to delete location history derived from a device or IP address within thirty (30) days of collection and abide by certain deletion requirements for information collected from inactive users.
Finally, Google must abide by several assessments and reporting obligations. Such measures include an initial compliance report detailing Google’s compliance with the terms of the settlement agreement; subsequent annual reports pertaining to the same over the next four (4) years; and independent assessor reports, which are the Independent Assessor’s Transmittal Letter and Examination Report on Google’s Privacy Program transmitted on a biennial basis and prepared by a qualified, objective, independent third-party professional, who utilizes standards and procedures generally accepted in the professional pursuant to FTC Order No. C-4336.
In a blog post following the settlement, Google states that the settlement was reached based upon “outdated product policies that we changed years ago.” Additionally, Google noted that it had agreed to make updates in 2023 to provide greater controls and transparency over location data, including the following:
- Adding additional disclosures to its “Activity controls” and “Data and Privacy” pages
- Creating a single, comprehensive information hub that highlights key location settings
- Simplifying the process to turn off Location History and Web & App Activity settings and delete historical data via a single, new control
- Updating account set-up settings to provide more detailed explanations of Web and App Activity
Conclusion
Google settled a similar lawsuit with Arizona last month and currently faces additional location tracking lawsuits in Washington, D.C., Indiana, Texas, and Washington state. Washington D.C. AG Karl Racine (Racine) has contended that such lawsuits differ in part because they additionally include a focus on “dark patterns,” design choices websites use to steer users toward a certain decision. The lawsuits also specifically seek to require Google to off-load any algorithms created with such data as well as any resulting monetary profits.
The multistate settlement and similar state-level proceedings mirror other state-level efforts to protect citizens’ privacy rights while comprehensive privacy bills continue to stall on the federal government level. Presently, five states – California, Colorado, Connecticut, Utah, and Virginia – have enacted individual comprehensive consumer data privacy laws.
Contact Our Attorneys Today
The data protection and privacy lawyers at Kendall PC provide national and international privacy and security-related legal services for companies of all sizes. We can help your business ensure consumer privacy and security protections in every stage of your company’s product and program development.
To learn how our attorneys can help your company, contact Kendall PC today online or at (484) 414-4093. Our firm proudly serves small, midsized, and emerging businesses throughout the United States and across the globe.