Google has agreed to pay $391.5 million to 40 states to settle privacy violations regarding its location-tracking practices. (Photo by Justin Sullivan/Getty Images)

A number of state attorneys general announced Monday the largest consumer privacy settlement in U.S. history as tech giant Google agreed to pay nearly $400 million over its location-tracking practices.

According to the settlement, Google misled users into thinking location tracking was turned off in their account settings when, in fact, it continued to collect user location information. 

The investigation into the Mountain View, California-based internet and technology firm began after a 2018 article by the Associated Press revealed that Google “records your movements even when you explicitly tell it not to.” 

“For years Google has prioritized profit over their users’ privacy,” Oregon Attorney General Rosenblum said in a news release. “They have been crafty and deceptive. Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and use that information for advertisers.”

As part of the $391.5 million settlement, Google has agreed to significantly improve its location tracking disclosures and user controls starting in 2023. Rosenblum and Nebraska Attorney General Doug Peterson led the settlement, which they said is the largest attorney general-led consumer privacy settlement ever.

A spokesperson for Google said the company has made improvements in its products over recent years, and “we have settled this investigation, which was based on outdated product policies that we changed years ago.”

In addition, the Google spokesperson referred SC Media to a Nov. 14 blog post — the same day as the settlement announcement — discussing additional transparency and tools to help users manage and minimize the data the search giant collects. 

Google violated state consumer protection laws

The attorneys general found that Google violated state consumer protection laws by misleading consumers about its location tracking practices since at least 2014. Specifically, Google confused its users about the extent to which they could limit Google’s location tracking by adjusting their account and device settings, according to Rosenblum’s release.

As detailed in the Associated Press article, users could turn off location history, but Web and App Activity, which was a separate account setting, was automatically turned “on” when users set up their accounts, including for all users of Google’s Android devices.

News releases by several attorneys general who participated in the lawsuit noted how Google uses personal data through its search engine and apps to target consumers and collect ad revenue.

“Big tech companies should not collect consumers’ data without their awareness or consent,” said New York Attorney General James in a news release. “Google quietly tracked its users to turn a profit and today they are being held accountable. Every individual should be able to make their own decisions about their data and how it is being used. We will continue to hold companies that violate the law accountable and protect consumers from companies that put profits over people.”

Bugcrowd CEO Dave Gerry said consumers want visibility into when and how their data is used and that the settlement shows the level of demand for data privacy regulation. 

“Seeing states begin to take data privacy seriously is something that will benefit all consumers and holding companies accountable will force them to take data privacy seriously,” said Gerry.

Claude Mandy, chief evangelist for data security at Symmetry Systems, said the settlement is another example of how regulators are increasingly focused on privacy choices influenced by user experience and design. 

“All organizations should be using this as the nudge to look at their own practices and proactively simplify any conflicting choices and increase the ease of making privacy enhancing choices for their customers,” said Mandy.

Google to introduce additional transparency and tools regarding privacy, location

Privacy issues surrounding location history were renewed recently when the Supreme Court struck down Roe v. Wade in June. Soon after, Google took a proactive approach by announcing that its systems would delete entries from Location History if it identified sensitive medical facilities like abortion clinics.

Democratic lawmakers in Washington also began calling upon the Federal Trade Commission to use its powers to probe mobile tracking by tech firms such as Google and Apple after the abortion ruling.

As SC Media reported in July, the acting associate director of the FTC's Privacy and Identity Protection Division vowed to fully enforce the law when it uncovers any illegal misuse of consumer data, including location and health information.

“Companies that make false claims about anonymization can expect to hear from the FTC,” said Kristin Cohen.

Given the amount of revenue tech companies earn from location-based ads and services, consumers disabling location tracking would be a worst-case scenario, said Jason Hicks, field CISO and executive advisor at Coalfire.

"Given the intensely private nature of location data, it’s important for device and software makers to ensure the options provided to consumers to manage the tracking of this data are easy to understand and work as expected," said Hicks, adding that there are many use cases where some individuals will be comfortable allowing location data to be tracked, provided their choices are being respected in regards to opt out.

Hicks also noted that Google addressed the problem with tracking location and said it will not make similar errors in the future.

Indeed, in its blog post addressing the settlement, Google said it has introduced:

  • auto-delete controls by default to give new users the ability to delete data on a rolling basis
  • easy-to-understand settings like Incognito mode in Google Maps, preventing searches or places you navigate to from being saved to a user’s account
  • a “Your Data in Maps and Search” setting, which lets users access key location settings from its core products.

Google said it also plans to provide even more controls and transparency over location data, including:

  • Revamping user information hubs: To help explain how location data improves our services, we’re adding additional disclosures to our Activity controls and Data & Privacy pages. We’re also creating a single, comprehensive information hub that highlights key location settings to help people make informed choices about their data.
  • Simplified deletion of location data: We’ll provide a new control that allows users to easily turn off their Location History and Web & App Activity settings and delete their past data in one simple flow. We’ll also continue deleting Location History data for users who have not recently contributed new Location History data to their account.
  • Updated account set-up: We’ll give users setting up new accounts a more detailed explanation of what Web & App Activity is, what information it includes, and how it helps their Google experience.

In addition to Oregon and Nebraska, the other states assisting in the negotiations of the settlement announced Monday include Arkansas, Florida, Illinois, Louisiana, New Jersey, North Carolina, Pennsylvania, and Tennessee. The settlement is also joined by Alabama, Alaska, Colorado, Connecticut, Delaware, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nevada, New Mexico, New York, North Dakota, Ohio, Oklahoma, South Carolina, South Dakota, Utah, Vermont, Virginia, and Wisconsin.