Google reaches record $392M privacy settlement over location data

Google agreed to pay $391.5 million to 40 states to settle an investigation into its location tracking practices, a coalition of state attorneys general announced Monday.

The investigation had centered on what Oregon Attorney General Ellen Rosenblum (D), one of the state law enforcement officers who led the probe, called misleading and deceptive tactics regarding users’ location data.

“Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and use that information for advertisers,” she said in a statement.

In January, Texas, Indiana, Washington and the District of Columbia built off Brnovich’s allegations and filed individual lawsuits against Google for the alleged privacy violations. (The four states and D.C. were not part of the group whose settlement was announced Monday.)

The accord was the largest such privacy settlement by state attorneys general in U.S. history, according to the coalition. It also requires Google to “be more transparent about its practices,” the group said. Measures include forbidding Google from hiding “key information about location tracking” and requiring the search giant to “give users detailed information about the types of location data” it collects and how it is used.

In a blog post, Google called the agreement “another step along the path of giving more meaningful choices and minimizing data collection while providing more helpful services.”

Google spokesman José Castañeda said in a statement that the privacy issues had already been addressed. “Consistent with improvements we’ve made in recent years, we have settled this investigation which was based on outdated product policies that we changed years ago,” he said, adding that the settlement was to resolve the investigation and not a lawsuit.

Google has faced legal scrutiny over alleged violations of users’ privacy regarding location data. Last month, the company reached an $85 million settlement with Arizona, whose attorney general, Mark Brnovich (R), had alleged in a 2020 lawsuit that the tech company “engaged in deceptive and unfair practices toward users by tracking their location data even when the company was told to stop.”

The state investigations and lawsuits were sparked by a 2018 Associated Press report that found Google “records your movements even when you explicitly tell it not to.” While Google Maps users have the option to disable tracking of their location history, the company still stored location data when consumers opened the Maps app or searched for something unrelated to location, the AP reported.

Google said at the time that it used customers’ location data in a number of ways “to improve people’s experience, including: Location History, Web and App Activity, and through device-level Location Services.” It added that consumers could “turn them on or off, and delete their histories at any time.” The AP reported that doing so could be difficult and labor-intensive.

In January, France fined Google more than $150 million for allegedly making it difficult to refuse cookies, which track users’ web browsing.

Location information is often highly sensitive and “in some circumstances, the availability of location information can put an individual’s personal safety in peril,” said Eric Goldman, a law professor at Santa Clara University whose research focuses on the internet and privacy.

After the U.S. Supreme Court overturned Roe v. Wade in June, privacy advocates warned that location data could be used against people seeking clandestine abortions. Google said after the court’s ruling that it would clear the location history of its users whenever they visited sensitive places such as an abortion clinic.

Goldman said that while “it makes sense” for the attorneys general to pursue Google over the alleged privacy violations, recent state laws such as the California Privacy Rights Act, passed by voters in the state in 2020, “will restrict Google’s use of location information more severely than this settlement does.”

The CPRA built on an earlier law, the California Consumer Privacy Act, which went into effect in 2020 and allowed consumers to instruct companies to stop storing or selling their data. The CCPA was widely seen as setting a new national standard for data privacy; the CPRA added more protections and established a state agency to enforce the law.