In May 2023, Google agreed to pay a whopping $39.9 million to settle a lawsuit with the State of Washington over deceptive location tracking practices. The settlement also requires Google to increase transparency over its location tracking practices.
The lawsuit and settlement stemmed from the allegation that Google deceived customers that they had control over whether their location would be tracked when, in reality, tracking would take place regardless of user choice.
In this article, we will discuss how this lawsuit was unique and how businesses can apply the lessons learned to avoid similar lawsuits in the future.
Lesson 1: Privacy laws are not necessary for lawsuits over privacy violations
Since this lawsuit stems from a deceptive collection of location data, one may assume that a violation of a privacy law forms the basis of the case. However, the lawsuit actually alleged a violation of Washington’s Consumer Protection Act, which prohibits unfair and deceptive conduct relating to consumers.
The Act applies to Google as the company sells and provides devices, products, and services in the State, receives advertising revenue based on the location data of consumers in Washington, and engages in commerce in the State.
The Court found that Google engaged in unfair and deceptive practices related to the collection of location data and thus was in violation of the Washington Consumer Protection Act.
While many states such as California, Utah, Colorado, Iowa, Indiana, Nevada, and more have specific privacy laws that protect the personal data of consumers, many other states do not, leading some businesses to assume that personal data can be collected, used, shared or sold with impunity.
However, this lawsuit demonstrates that State Attorney Generals can bring privacy-related lawsuits under different laws, with successful results, even if a specific privacy law does not exist or apply.
Lesson 2: Make privacy controls easy to find
The lawsuit alleged that to control the collection of location data, consumers had to navigate to three different Google Account settings – location history, web and app activity, and Google Ad personalization.
In addition, users must navigate to additional location-related device settings on the user’s device to turn off location tracking. Settings can apply to the user’s device and account, making it very difficult to turn off all location tracking.
The lawsuit alleged that “misrepresentations and omissions regarding certain settings increased the potential for consumer confusion regarding what data was being shared and whether consumers had opted out of sharing data across all devices and settings.”
The lesson here is that privacy controls and settings should all be in one place and easy to find. For example, if there was a “master switch” to turn off all location tracking on the Google account and all devices, confusion would be prevented.
Lesson 3: Do not make misrepresentations about privacy settings
The lawsuit found that Google has repeatedly made misrepresentations over whether certain information, such as location data, would be tracked.
For example, Google’s Location History page stated that “you can turn off Location History at any time. With Location History off, the places you go are no longer stored.” However, this statement was deceptive as Google continued to collect and store location data even when Location History was turned off.
In addition, this statement was deceptive because Google continued to track location when using Google products when web and app activity was turned on, even if Location History was turned off. Google also concealed the fact that web and app activity settings captured location data.
In fact, Google stated in its policies that it does not track individuals after they have signed out of their Google account, even though this is not the case.
Such practices were considered unfair and deceptive, leading to a large settlement. The lesson learned here is that the information provided within Privacy Policies and Privacy Settings should be accurate and should not misrepresent what is actually happening.
Lesson 3: Respect user choices
The lawsuit alleges that Google did not respect user choices when they attempted to opt out of location tracking. For example, a setting in Google Accounts to opt out of personalized ads by Google should, upon the disablement of the setting, stop tracking the user’s location and activity for the purpose of ads.
However, when a user opts out of this tracking, Google continues to target ads based on the user’s location, effectively negating that user’s choice. When users make a choice to opt out of certain features such as cookies or location tracking, that choice should be respected.
Lesson 4: Avoid dark patterns
The lawsuit alleges that Google used dark patterns, including nudging, pressure tactics, and deceptive descriptions of features and settings to cause users to provide more location data. For example, Google enables the web and app activity feature by default and does not disclose the existence of this setting to users, meaning that users have their location tracked by default and without their knowledge.
In addition, Google informed customers that certain products, such as Google Maps and Google Now, need location tracking to function, but that is not the case as these products continue to function even if the user disabled their location history.
Furthermore, Google prompted users to share their location history with an “all or nothing” opt-in and did not present them with an easy way to opt out of location sharing, meaning that they did not actually gather proper consent for collecting geolocation information.
In addition, after a user turned off location tracking, they were constantly prompted to turn it back on, essentially annoying users with multiple notifications to enable location tracking.
The avoidance of dark patterns is very relevant to website features such as cookie consent banners. While many cookie consent banners just provide an option to “agree” or “click ok”, it is important to note that these options are not compliant as they do not actually gather consent from the user.
Consent can be properly gathered only when an “accept” AND a “deny” option is presented to users.
The Washington Attorney General’s lawsuit against Google demonstrates how a company repeatedly, through unfair and deceptive acts, caused the collection of location data from thousands of individuals without their consent in the pursuit of profit.
However, the lawsuit also demonstrates that there are real-world consequences for the violation of privacy, even if those consequences come in the form of a settlement under a consumer protection statute and not a privacy law.
Hopefully, these lessons learned have helped you determine whether your website uses deceptive practices to collect personal data and to correct such practices.