Not Sneaky Enough: Google Pays $391.5M Privacy Violation Settlement

Written by: Savannah Liner Avera, Esq.

Connecticut Attorney General William Tong announced a historic settlement with Google regarding its predatory disregard for users’ location tracking preferences. Google will pay $391.5 million to 40 states in a privacy violation settlement for continuing to track users after opting out of a feature called location history.

Background

This location history data was monetized by providing advertisers with store conversion rates, or the number of users who have viewed ads and then visited the advertised store. Google’s ability to track users’ physical locations after they click on digital ads is a unique selling point for its advertising business. It is estimated that 2 billion users of Google products including its Android operating system and the Google Maps app were affected.

Google made misrepresentations to its consumers when it gave them the opportunity to opt-in to a personalized ad experienced based on their Google and Google affiliate activity. Google presented these account decisions as if the user could control which data was collected. Specifically, Location History could be disabled with the assurance this location data would not be stored. In reality, users had no influence over whether Google collected, stored, or used user location information. The Attorneys General concluded Google had engaged in deceptive and unfair acts an practices in violation of the Consumer Protection Acts.

Consequences

Per the Assurance of Voluntary Compliance filed in Pennsylvania, Google must pay the Pennsylvania Attorney General $19.7M and impose the following limits on its data use and retention policies:

• Refrain from sharing users’ precise location with a third-party advertiser absent express affirmative consent for sharing use by that third party.
• Automatically delete location information derived from a device or from IP addresses in Web & App Activity within 30 days of collection of such location information.
• Automatically delete location history for inactive users within 180 days of the user being notified, unless the user takes steps to preserve this data.
• Send deletion notification emails.
• Internally assess the privacy impact of changes to how Google shares its users precise location history.
• Document all such internal assessments.

Google has 180 days from the effective date, December 14, 2022, to comply by drafting an Initial Compliance Report, and must file an Annual Compliance Report with the Pennsylvania Attorney General’s Office starting one year from the effective date. For transparency and accountability purposes, Google must provide the Attorney General with Independent Assessor Reports every two years until 2026 (2020-2022, 2022-2024, 2024-2026).

Conclusion

Looking forward, the structure of this Google privacy violation settlement is the product of a greater trend to empower more state-level enforcement agencies. The California Privacy Rights Act has quickly followed the California Consumer Privacy Act. While the penalties have not changed significantly, the CPRA empowers the Attorney General and creates a California Privacy Protection Agency for enforcement.

The provision will go into effect on January 1, 2023 and have a lookback provision to January 2022. This expansion of manpower means businesses must develop additional vigilance in their privacy practices.