Google to pay $29.5 million to Indiana and District of Columbia to settle location privacy suits
On December 29, 2022, Indiana Attorney General Todd Rokita announced a settlement agreement with Google to resolve allegations that Google misrepresented how it collected and processed user location information. The settlement requires Google to update its location information practices to provide users more information and better allow users to make informed decisions about how they interact with Google’s location technologies, including by limiting or ending collection and retention.
The following day, then-DC Attorney General Karl Racine announced a similar settlement agreement. In the two settlements, Google agreed to pay Indiana and the District of Columbia $29.5 million, collectively ($20 million and $9.5 million, respectively). These settlements follow similar settlements last year with 40 US state attorneys general and with Australian regulators.
The settlements highlight government expectations that companies obtain proper consents, including robust disclosures of data practices, for sensitive personal information such as location information.
Regulatory and litigation history
Google provides several apps and platforms that collect user location information, particularly from mobile devices, such as through Google Search and Google Maps. Google has used this information to support its business operations in several ways, including by disclosing user location information to other businesses, e.g., to learn how digital advertising can encourage people to visit brick-and-mortar stores. Following news reports in 2018, state attorneys general, including Attorneys General Rokita and Racine, alleged that Google collected location information from users without their consent, including by misleading users to falsely believe that certain settings limited location data collection.
These allegations included:
- Deceiving consumers regarding their ability to protect their privacy through Google Account Settings
- Misrepresenting and omitting material facts regarding the Location History and Web & App Activity Settings
- Misrepresenting and/or omitting material facts regarding consumers’ ability to control their privacy through Google Account Settings
- Misrepresenting and omitting material facts regarding the Google Ad Personalization Setting
- Deceiving consumers regarding their ability to protect their privacy through device settings, and
- Deploying deceptive practices that undermine consumers’ ability to make informed choices about their data, including dark patterns.
Pursuant to the settlements, in addition to the payments, the company must make prominent disclosures about its data practices prior to obtaining consent to collect location information, provide users with additional account controls, and introduce limits to its data use and retention practices. Certain aspects of the settlements deserve particular attention:
- The settlement requires Google to implement more specific language in a few places:
  - Settings webpage, about location information: “Location info is saved and used based on your settings. Learn more.”
  - Location technologies webpage, about ads: That users cannot prevent the use of location information in personalized ads across services and devices, based on user activity on Google services, including Google Search, YouTube, and websites and apps that partner with Google to show ads.
- Google may only share a user’s precise location information with a third-party advertiser with that user’s express affirmative consent for use and sharing by that third party.
- Google must conduct internal privacy impact assessments before implementing any material changes to how certain settings pages impact precise location information or how Google shares users’ precise location information related to such settings.
While these settlements have many notable aspects, it is also notable that they occurred as many states are beginning to implement new privacy laws and regulations, which include increased business obligations for the collection, use, and disclosure of sensitive personal information, such as location information.
See the Indiana AG and District of Columbia AG press releases here (IN) and here (DC). Find out more about the implications of these developments by contacting either of the authors.