US: Google to pay $29.5 million to Indiana and District of Columbia to settle location privacy suits

The following day, then-DC Attorney General Karl Racine announced a similar settlement agreement. In the two settlements, Google agreed to pay Indiana and the District of Columbia $29.5 million, collectively ($20 million and $9.5 million, respectively). These settlements follow similar settlements last year with 40 US state attorneys general and with Australian regulators.

The settlements highlight government expectations that companies obtain proper consents, including robust disclosures of data practices, for sensitive personal information such as location information.

Regulatory and litigation history

Google provides several apps and platforms that collect user location information, particularly from mobile devices, such as through Google Search and Google Maps. Google has used this information to support its business operations in several ways, including by disclosing user location information to other businesses, e.g., to learn how digital advertising can encourage people to visit brick-and-mortar stores. Following news reports in 2018, state attorneys general, including Attorneys General Rokita and Racine, alleged that Google collected location information from users without their consent, including by misleading users to falsely believe that certain settings limited location data collection.

These allegations included:

  • Deceiving consumers regarding their ability to protect their privacy through Google Account Settings
  • Misrepresenting and omitting material facts regarding the Location History and Web & App Activity Settings
  • Misrepresenting and/or omitting material facts regarding consumers’ ability to control their privacy through Google Account Settings
  • Misrepresenting and omitting material facts regarding the Google Ad Personalization Setting
  • Deceiving consumers regarding their ability to protect their privacy through device settings and
  • Deploying deceptive practices that undermine consumers’ ability to make informed choices about their data, including dark patterns.

Key takeaways

Pursuant to the settlements, in addition to the payments, the company must make prominent disclosures about its data practices prior to obtaining consent to collect location information, provide users with additional account controls, and introduce limits to its data use and retention practices. Certain aspects of the settlements deserve particular attention:

  • The settlement requires Google to issue notices to users who allow certain location tracking settings through Google services or devices, including via pop up notifications and email, that disclose whether their location information is being collected and provide instructions on how to limit collection and delete collected location information. Google is also required to notify users via email of any material changes in its privacy policy about the collection, use, and retention of user location information.
  • Google must establish and maintain a “location technologies” webpage that discloses Google’s location data policies and practices as well as how users can limit collection of, and delete collected, location information. Google must also provide a hyperlink to this webpage, in its privacy policy, in the account creation flow, and whenever users enable or are prompted to enable a location-related account setting while using a Google product.
  • The settlement requires Google to implement more specific language in a few places:
    • Settings webpage, about location information: “Location info is saved and used based on your settings. Learn more.”
    • Location technologies webpage, about ads: That users cannot prevent the use of location information in personalized ads across services and devices, based on user activity on Google services, including Google Search, YouTube, and websites and apps that partner with Google to show ads.
  • Google may only share a user’s precise location information with a third-party advertiser with that user’s express affirmative consent for use and sharing by that third party.
  • Google must conduct internal privacy impact assessments before implementing any material changes of how certain settings pages impact precise location information or how Google shares users’ precise location information related to such settings.

While there are many notable aspects to these settlements, it is also notable that this occurred as many states are beginning to implement new privacy laws and regulations, which include increased business obligations for the collection, use, and disclosure of sensitive personal information, such as location information.

See the Indiana AG and District of Columbia AG press releases here (IN) and here (DC).  Find out more about the implications of these developments by contacting either of the authors.