Close up of Google sign on building showing location tracking lawsuit settlement

Google Agrees to $391 Million Payment To Settle Multi-State Location Tracking Lawsuit

Google has agreed to a settlement in a lawsuit brought by the majority of US state attorneys general, and is slated to pay penalties of $391.5 million plus improve its consumer-facing transparency about how and when it engages in location tracking.

Initiated by Oregon and Nebraska, the suit ultimately included 40 states and focused on means by which the company keeps location tracking enabled for individual apps even after Android users have opted out in their global settings. The company recently settled a very similar suit brought in Arizona, in which it agreed to a separate $85 million payment.

Google’s location tracking practices continue to draw financial penalties at the state level

Android provides OS-level settings that purport to allow users to opt out of all location tracking while using devices, but a series of lawsuits has revealed that certain apps and functions continue to log and track users even when these settings are engaged.

In addition to the settlement amount, Google will now be required to set up a special web page that informs users of the different situations in which it collects location tracking data even when privacy settings are enabled. It was also required to make an assortment of OS and in-app transparency improvements for the end user, documented in a recent blog post. These include additional disclosures added to activity controls, the creation of a central “information hub,” an easier means by which to delete stored location data (including automatic deletion of data after a preset time), and more detailed explanations about location tracking during new account set-up. Google says that these location tracking improvements will be rolling out over the “coming months.”

The case began with a probe opened by an assortment of state attorneys general in 2018 in response to consumer complaints. The investigation found that Google had been misleading about its use of location tracking dating back to at least 2014 and was in violation of consumer protection laws. Location tracking has once again become a sensitive topic of interest in the US with the overturn of Roe v. Wade, raising widespread fears that states in which abortions are banned will use records from Google and similar services to prosecute cases. Google has already stated that it intends to automatically delete records of visits to particularly sensitive locations, such as abortion clinics.

Jason Hicks, Field CISO and Executive Advisor at Coalfire, notes that a major issue presented in this case is that privacy options are often obfuscated rather than simply not present: “Given the intensely private nature of location data, it’s important for device and software makers to ensure the options provided to consumers to manage the tracking of this data are easy to understand and work as expected. If consumers as a group start to doubt their ability to opt in and out of location tracking by app or service, it’s likely many will just choose to disable it completely. This would be a worst-case scenario for tech company’s given the amount of revenue they earn from location-based ads. There are many use cases where some individuals will be comfortable allowing location data to be tracked, provided their choices are being respected in regards to opt out. It’s also important to note that Google has fixed the problem and expressed they will not make a similar error in the future.”

The states will be dividing the proceeds of the suit, with the largest cuts going to Oregon ($14.8 million) and Nebraska ($11.8 million) for their lead roles in developing the case. The proceeds are usually directed to state “general funds” used for assorted programs.

Certain Google apps, features persisted in location tracking despite privacy settings

One of the features named in the lawsuit is the “Web & App Activity” component of Google accounts and Android devices, found in the settings menu. Disabling this setting is supposed to stop Google from collecting any new location tracking data, but the investigation found that it continued to collect certain information even after being turned off. This was used to inform its targeted advertising program.

The state lawsuits also note investigations that have found that certain apps would always log time-stamped user location information, even with Android privacy settings enabled. In some cases, such as with the Google Maps Timeline feature, it is possible to disable this logging from within the app but at the cost of certain functionality (such as use of ride share apps).

In addition to facing the assortment of location tracking lawsuits from most of the states, the House Committee on Energy and Commerce has previously queried both Apple and Google parent Alphabet about how they are protecting user privacy. A 16-month investigation that wrapped up in late 2020 found that these companies, along with other tech giants such as Facebook, had leveraged the reams of personal data that they gather up to create monopolies, though this finding has yet to translate into meaningful action. Other tech giants have also been hit with lawsuits involving surreptitious privacy invasion, with Facebook recently settling a California case for $37.5 million that involved its app continuing to track users even when it was supposed to be restricted by OS settings.

Location tracking trouble for tech giants is also far from restricted to US borders; similar issues were the basis for a case that Google lost in Australia’s Federal Court in 2021, and it has fielded an assortment of privacy complaints in the EU under the strict data privacy laws there (and was the first of the tech giants to be hit with a major privacy penalty). However, with over $1 billion in annual advertising revenue, Alphabet may have simply decided that the occasional court decision of this type is an acceptable cost of doing business.

Chris McLellan, director of Operations at the non-profit Data Collaboration Alliance, thinks that it will take much stronger legal action before users can expect these apps to completely respect their privacy: “Large fines like this set the bar very low and create a cat and mouse game where the consumer is always the loser. We’ve seen to date that large fines haven’t changed anything. And these companies can afford to absorb fines as a cost of doing business.”

“Fines aren’t the answer. We need to look towards encouraging the use of new technologies, standards, and methodologies that help address the root causes of data chaos in the first place – silos and copies. How data rights and data ownership evolve will determine the winners and losers in our future economy. We are now witnessing a fight to own the future by owning data,” added McLellan.

Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems, notes that companies that do not have the deep pockets that Google has should also take notice of these decisions: “This settlement is yet another example of regulators being increasingly focused not only on checking a compliance box, but more on how privacy choices are influenced by the user experience and design. All organizations should be using this as the nudge to look at their own practices and proactively simplify any conflicting choices and increase the ease of making privacy enhancing choices for their customers. Once these aspects are in place, organizations can therefore ensure data is being handled securely in accordance with their customers’ privacy choices.”