Earlier today, Attorneys General from D.C., Texas, Washington, and Indiana announced lawsuits against Google over alleged unfair and deceptive practices regarding consumer location data. The lawsuits (a copy of the D.C. complaint is available here) focus on what the Attorneys General describe as a systematic deception by Google of consumers regarding how their location data may be used and how they may control what information Google collects. Specifically, the lawsuits allege Google harmed consumers as follows:
- Google misled consumers regarding their ability to exercise choice through their Google account settings: The complaints allege that Google informed consumers that they could disable collection of location data by managing their Google account settings, but Google continued to collect location data even after consumers adjusted their account settings. The complaints further allege that Google offered multiple locations where users could adjust their account settings, including through “Location History,” “Web & App Activity,” and “Google Ad Personalization,” but none of these locations allowed consumers to completely opt out of the collection of location data and the disclosures were confusing to consumers.
- Google misled Android users regarding their ability to exercise choice through their device settings: The complaints allege that Google informed Android users that they could disable collection of location data through their Android device settings, but Google continued to collect location data even after users adjusted their device settings, including through Wi-Fi, Bluetooth, cellular, and IP address technologies. The complaints further allege that Google informed users about various device-level controls, including master-level controls and app-specific controls in device settings, but none of these controls adequately allowed users to disable the collection of their location data.
- Google misled consumers regarding Google’s need for location data: The complaints allege that Google used language to imply that certain of Google’s products could not function without collecting location data, when, in fact, the products could function without such data.
- Google used “dark patterns” to undermine user choice: The complaints allege that Google used “deceptive design choices” to stop users from exercising choice, including by making location data controls difficult to find and prompting users who previously exercised choice to re-enable collection of location data.
Although the lawsuits were filed today, the allegations follow an investigative story by the Associated Press from 2018 alleging that Google’s privacy settings do not actually prevent Google from tracking its customers’ locations. As of this writing, Google has disputed the lawsuits, stating that they are “based on inaccurate claims and outdated assertions about [Google’s] settings” and that Google has “always built privacy features into” products as well as “provided robust controls for location data.”
These lawsuits have some important takeaways for companies as we continue through 2022:
- Notice and choice are still key. At their core, these lawsuits are about an alleged failure by a company to provide accurate notice of its data practices and an alleged failure to provide users with choice regarding their data. Notice and choice are still low-hanging fruit for regulators.
- Describe opt-out limitations. According to the complaints, while Google provided users with many ways to opt out of location data collection, none were fully comprehensive and Google failed to describe the limitations around the opt-outs. When providing opt-outs, companies need to accurately describe how they work and any limitations.
- Location data, yet again. These lawsuits are yet another example of regulators taking action relating to use of location data. However, while most actions relate to the use of “precise location data” (more on that term below), the Attorneys General here used a broader definition of location data, which includes location derived from IP addresses. Deriving location from an IP address is common practice, and used by many (if not most) businesses. The Attorneys General’s definition suggests that they believe Google’s disclosures and opt-outs should have extended to non-precise location data, not just precise location. While that position may make sense for non-precise location data used for targeted advertising, it arguably goes beyond the requirements of privacy law. One possible interpretation for this position is that the Attorneys General weren’t concerned about the need to provide an opt-out for non-precise location data, but rather were concerned that Google didn’t adequately explain to its users that the opt-out didn’t apply to collection of non-precise location data (see the bullet point directly above).
- Precise location data is even more sensitive. The D.C., Texas, Washington, and Indiana Attorneys General brought these complaints under their respective general consumer protection acts. Expect to see more complaints involving precise location data since California and Virginia have codified specific obligations regarding precise location data into their new comprehensive state privacy laws. Both CPRA and VCDPA, effective January 2023, include definitions and obligations specific to precise location data (which is a sensitive category of information). Historically, precise location data has generally meant lat./long. location, but under CPRA and VCDPA precise location data will be more broadly defined to include location within a specific radius.
- Avoid dark patterns. Dark patterns seem to be the new hot topic for privacy. The FTC hosted a workshop in 2021 and issued an enforcement policy statement regarding dark patterns, the California Attorney General added dark pattern prohibitions to the final CCPA Regulations last March, and the upcoming CPRA and CPA (Colorado’s comprehensive privacy regulation) include restrictions around dark patterns. Companies need to carefully and thoughtfully design their disclosures and user flows so as not to unfairly or deceptively trick consumers into consenting to their products or services.