Google, the giant U.S. tech company, will pay a total of $391.5 million to 40 U.S. states, the largest multi-state privacy settlement with state Attorneys General in U.S. history. The main reason behind the fine is that the online search engine platform engaged in deceptive and unfair actions in violation of U.S. Consumer Protection Laws.

The background behind the settlement

The investigation was triggered by an Associated Press article published in 2018, which revealed that Google continued to track people’s location data even after they opted out of such tracking by disabling a feature the company called “Location History”. The article focused on two Google account settings: “Location History” and “Web & App Activity”. Following the article, the Attorneys General of the involved U.S. states opened an investigation and discovered that Google had violated users’ privacy by misleading them about its collection and tracking practices regarding their location data since at least 2014. Specifically, Google misled users about the scope of the two settings and the extent to which users could limit Google’s location tracking by adjusting their account and device settings.

Location data: Collection and use

Location data play a leading role in Google’s online advertising business. How are these data collected? Google collects data about its users from any device that is signed into a Google account. Moreover, to use certain Google products and/or services, users must provide personal information and further consent to Google’s collection of data, including location data. The latter are used to build detailed user profiles and target advertisements on behalf of Google’s advertising customers. It is worth mentioning that location data can expose not only a person’s identity but also a person’s habits or routines, and can be used to infer personal details.

Location History setting

The “Location History” setting has existed since approximately 2009 and is linked to the user’s Google account, capturing the location data of a signed-in user. The data collected by this setting derive from the location sensors of a user’s device, such as GPS, Wi-Fi or Bluetooth. Through those signals, Google can track a user’s precise location outdoors and also inside buildings. Besides that, Google analyzes the location information collected, draws inferences about the user and possibly links these “Location History” data with other user data, leading to targeted advertisements from Google towards this specific user.

Web & App Activity setting

“Web & App Activity” is a different setting linked to the user’s Google account, which also collects and stores location information. “Web & App Activity” collects certain types of location data when a user interacts with particular Google products, e.g., Google Maps or Play Store. In fact, this setting is activated by default for all Google accounts and a user is automatically opted in to location tracking, unless the user chooses to disable it.

Interaction between Location History and Web & App Activity setting

“Location History” and “Web & App Activity” are two different and independent settings. “Location History” is disabled by default unless a user turns on the setting, whereas “Web & App Activity” is enabled by default when a user sets up a Google account.

When a user prevents location tracking through one of the settings mentioned above, Google is able to track and monetize the user’s location through the other setting, if enabled. For example, users believe that by disabling the “Location History” setting the tracking has ceased, but Google keeps tracking them using the other feature, “Web & App Activity”.

For many years, Google’s Privacy Policies did not mention the “Web & App Activity” setting and consequently did not disclose that this setting authorized the company to store and use location data. Lastly, until recently, Google retained the data stored through these features for an indefinite period of time, unless the user manually decided to delete the data.

Users cannot say “no” to Google’s location tracking

Users are not in a position to deny Google’s tracking. Regardless of whether the user has disabled “Web & App Activity” or “Location History”, Google collects, stores, and uses location data when certain Google products are in use.

The distinction between users signed in to a Google account and users without a Google account is significant. In both scenarios location tracking is unavoidable. For users signed in to a Google account, the company associates location information with the user’s account even if the user has not enabled the two settings. Additionally, it is crucial to mention that Google also collects certain types of location data from users who are not signed in with a Google account when they use Google products. This is done by simply associating the location information of signed-out users with a unique “pseudonymous” identifier. Thus, signed-out users cannot prevent this data collection. Until May 2018, Google did not disclose that the company collects certain types of location data from users when they use Google products while not signed in with a Google account.

The outcome of the settlement

The settlement requires Google to be more transparent about its practices and it has been seen as a big win for the rights of consumers. Specifically, under the “Assurance of Voluntary Compliance”, Google is obliged to show general compliance towards users by not making misrepresentations regarding their location information and by taking the following specific actions:

  • Google should issue a pop-up notification on their webpage to inform users about location tracking.
  • Google should maintain a user-friendly webpage that discloses in detail and in a transparent manner all policies and practices concerning the types of location data collected, their retention period, etc.
  • Google must use specific and clear language on their “Data & Privacy Page” to help users identify location-related setting controls.
  • Google should give users control over their account settings, with clear and accessible instructions on how to enable and also disable the two location-related settings.
  • Lastly, Google should refrain from sharing location information about users with third-party advertisers without the users’ consent.