Privacy, Data Security, Compliance Management

Senators scrutinize Google’s claim to delete users sensitive location data

Smartphone map and navigation

Google’s policies around the deletion of sensitive location data is again being called into question after a Washington Post report revealed the tech giant stored the precise name and address of healthcare, fertility and Planned Parenthood locations visited by the reporters.

Sens. Amy Klobuchar, D-Minn., Elizabeth Warren, D-Mass., Mazie Hirono, D-Hawaii, Peter Welch, D-Vt., Ron Wyden, D-Ore., Edward Markey, D-Mass., Richard Blumenthal, D-Conn., Dick Durbin, D-Ill., Bernie Sanders, I-Vt., and Patty Murray, D-Wash., issued a letter to Google demanding answers to the issues raised in the report.

The report’s findings drew scrutiny, as the tech giant admitted geolocation data could put the privacy of individuals at risk as it could be tied to visits to sensitive locations such as abortion clinics. In the wake of the upheaval of the Supreme Court overturning Roe v. Wade, the company said it would delete this data.

In July, Google committed to deleting these types of sensitive locations from its location history feature, such as counseling centers, domestic violence shelters, abortion clinics, fertility centers and addiction treatment facilities.

Another report showed the company failed to delete sensitive location data in about 60% of tested cases. As privacy stakeholders have warned, this data could reveal personal healthcare decisions and the creation of user identities by third parties that could allow for highly targeted advertising of sensitive conditions.

“Over 10 months after this announcement, reporters for the Washington Post visited hospitals, fertility clinics, and Planned Parenthood clinics in multiple states and found instances where Google stored the exact name and address of the location visited, e.g. Planned Parenthood — San Francisco Health Center,’" the senators wrote to CEO Sundar Pichai.

“Claiming and publicly announcing that Google will delete sensitive location data, without consistently doing so, could be considered a deceptive practice,” they continued.

The senators are asking Google to share how it identifies whether a user has visited a sensitive location and provide a “complete list of metadata” and other supporting documents used by the company to make the identification. Google is also asked to provide a full list of the types of locations the company considers to be sensitive, “and thus eligible to be automatically deleted.”

The inquiry also questions how long Google waits to delete the deemed sensitive location entry after a visit, as well as insights into its targeted advertising policies, particularly campaigns that could reveal users’ health data.

And as a group of congressional members asked in May 2022, Google is being requested to commit to deleting sensitive location data tied to any type of reproductive care, mental health and addiction treatment within 24 hours of a user’s visit from the device and Google servers. 

Congress and the Federal Trade Commission have zeroed-in on consumer data privacy in recent years. In the last six months, the FTC has issued three enforcement actions for similar cases of sharing sensitive data, including health information, without user consent, in addition to several lawsuits targeting the deceptive practices of data brokers.

As congressional members continue to explore the possibility of a federal data privacy law, Republican lawmakers have raised similar concerns. At a recent hearing, Rep. Cathy McMorris Rodgers, R-Wash., blasted the “stunning amount” of data being collected on Americans, including information on their physical health, mental health and their location.

Senators are giving Pichai until the end of the week to respond to its inquiry and asked that it agree to a third-party audit to verify the company has successfully implemented a protocol to delete users’ location data.

This is the second blow handed to Google this week over privacy. The company reached an agreement with the state of Washington to resolve claims of misleading location tracking practices, which includes a $39.9 million penalty and court-ordered reforms to increase transparency about its location tracking settings.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.