On November 11, 2022, Google entered into a $391.5 million settlement with 40 state attorneys general—the largest ever attorney-general led consumer privacy settlement.
The investigation, led by attorneys general in Oregon and Nevada, began after a 2018 Associated Press article reported that Google tracks consumers’ location, even when the settings, including on Google’s Android operating systems and certain Google iPhone apps, appear to prevent such tracking.
The Settlement
The settlement alleged Google engaged in deceptive and unfair acts and practices in relation to various settings, including the “Location History” and “Web and App Activity” settings, by (1) making statements or omitting information that caused confusion about whether location information was being collected, and (2) only providing relevant information after requiring the consumer to click multiple links like “more options” and “learn more.” Specifically, the settlement alleged Google’s disclosures around the Location History setting led the consumer believe it was the only setting that controlled location information and that no location information would be collected and retained unless the consumer turned “on” the setting. Despite this, the settlement alleged Google could still track location information through various settings and products, including through the Web and App Activity setting, use of the Google Play Store, Music, Search, and Maps, which was not made clear or was otherwise buried. The settlement also alleged that Google misled consumer into thinking the Ad Personalization setting would prevent Google from using location information to target ads, but it did not.
Among a significant list of requirements, Google will be required to enhance its disclosures and controls around the collection and use of location information, obtain express affirmative consent before sharing precise geolocation with third party advertisers, automatically delete location information after 30 days, and, for the next four years, provide a report detailing compliance with the requirements in the settlement. Interestingly, the settlement did not include a requirement to disgorge all previously collected location information, which has been an increasingly common enforcement remedy used by privacy regulators in recent years.
Takeaways
While this enforcement action is novel for the amount Google was fined and the number of attorneys general that worked together to bring this action, it is particularly notable for the ways in which it is not notable. Regulators have always paid close attention to location information, and it is repeatedly at top of the list for regulatory scrutiny. Likewise, disclosures that are false or that could mislead a consumer, especially when it comes to the collection, use, and sharing of personal information for advertising, have been the bread and butter of privacy enforcement for many years. This action is a strong reminder that these have been, and still are, important issues.
To help mitigate the risk of these types of actions, companies should take steps to encourage a strong partnership between teams like legal, product, UX, and marketing. While it is common from a UX lens to have simple and easy-to-read language up front, a needle must be thread to ensure the most important information is clearly provided to a consumer without creating work for the consumer to find it. If a link is used to provide additional details, those details should prominently appear on the linked page, and not be buried in a wall of text or through further links.
Additionally, despite increasing resource constraints, now is an important time to dedicate resources to data governance. Companies should have a robust data map and ensure there is a clear understanding of what personal information is collected and from where, whether there are settings that provide consumers control (and if not, whether there should be), and ensure careful thought is given to the functionality of, and the language around, those settings.
Of course, such efforts take planning and resources. So, it is important to prioritize and to identify short-term and longer-term initiatives. For example, companies may want to focus first on (1) personal information legally defined or commonly thought of as sensitive, such as precise location information and, (2) gaining a clear understanding of the use of personal information for advertising and marketing.
Taylor Widawski is a Senior Associate at Hintze Law with rich experience as in-house and outside counsel providing strategic advice on privacy programs as well as privacy product counseling across a variety of industries and topics.
Hintze Law PLLC is a Chambers-ranked privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support global technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.