Google to pay California $93 million for allegedly lying to users about location data practices
Google has agreed to a $93 million settlement with the California Attorney General’s Office after a multi-year investigation found the company allegedly lied to users by telling them their location data was not collected or stored for targeted advertising.
The company allegedly violated California consumer protection laws for several years by telling users that if they turned off the “Location History” setting then Google would not store their geolocation data. However, according to the complaint Google continued to track those users and store the data. The California complaint also alleges the tech giant tricked consumers about whether they could opt out of advertisements using their location.
Google “made its promise explicit in clear language on the help page for Location History that left no room for ambiguity,” the complaint said, citing a box on Google’s website which told users they could “turn off Location History at any point.”
“With Location History off, the places you go are no longer stored,” the Google website said, according to the complaint.
“This statement was clear and direct, and it was also false,” the complaint said.
The majority of Google’s revenue comes from advertising, and a critical component of its model relies on geo-targeted, or location-based, data.
Google’s parent company Alphabet Inc. generated more than $280 billion of revenue in 2022, with $220 billion coming from advertising, according to the complaint.
When users set up an account, they are told the Location History function defaults to off, but the complaint alleges that from 2014 until 2018 Google showed users “deceptive prompts” which were misleading and caused users to enable Location History without realizing they were doing so.
A Google spokesperson said the company stopped these practices long ago.
“Consistent with improvements we've made in recent years, we have settled this matter, which was based on outdated product policies that we changed years ago,” the spokesperson said via email.
While praising the Attorney General’s office for holding Google accountable for allegedly misleading users, Nathalie Maréchal, the co-director of the Privacy and Data Project at the Center for Democracy and Technology, said that more robust privacy protections are needed nationwide.
“Privacy violations aren’t OK just because they’re disclosed in the small print,” Maréchal said.. “While many useful tools rely on geolocation data to work, this is extraordinarily sensitive data, and its misuse can put people in real danger.”
She called on Congress to enact privacy protections for all Americans by passing “comprehensive, rights-based federal legislation.”
Web & App Activity
The complaint also alleged that even when a user disabled location history, Google relied on other methods to gather and store location data, including through a user’s “Web & App Activity,” which “has been (and continues to be) defaulted to on when a user creates a Google account.”
Web & App Activity records and stores users’ activities, including a time-stamped location, not only when they use Google Maps or weather settings, for example, but “even when they searched for items that had nothing at all to do with their location, like ‘chocolate chip cookies,’” the complaint said.
Between about 2015 until 2019, the Web & App Activity function collected and stored location data so granular that it provided “exact latitude and longitude coordinates,” the complaint said.
According to the complaint, most users have Web & App Activity turned on even today because for years the company did not give users the option of disabling it. More recently, the complaint says, Google’s account creation process has turned on the function automatically.
In addition to paying the $93 million, Google has agreed to significant changes in how they inform users of their privacy practices.
Those terms include requiring Google to offer users more details when they turn on location-related settings; to give users more information about how the location data it gathers is used by creating a “Location Technologies” webpage; and to inform users before their location data is used for targeted advertising.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.