The Cost of Non-Compliance: A Look into Google’s $391m Settlement in US Privacy Lawsuit

Google is once again in the spotlight as it has agreed to pay a $391.5m settlement (c£329.6m) to 40 US states relating to its historic use of user location data.

Despite users turning off the location tracking feature, Google allegedly continued to store that data without user knowledge or consent.

Privacy concerns

Connecticut Attorney General William Tong said in a statement: ’Location data is among the most sensitive and valuable personal information Google collects, and there are so many reasons why a consumer may opt out of tracking.”

Whilst this relates to a US lawsuit, the privacy issues at the heart of this case are interesting (and concerning) as they relate to alleged practices which fall foul of UK and EU data protection laws. Consumers should be able to trust that their privacy preferences have been applied. Designing and respecting privacy settings help to demonstrate that a business is adopting a ‘data protection by design and default approach which is a requirement under UK and EU laws.

The reason behind location tracking exacerbates the issues in this case. Location data allows advertisers to geo-target and proximity-market to people based on their location which is clearly privacy-intrusive. Google makes billions in making this type of data available to advertisers. With this in mind any failure to obtain consent or otherwise using this data without the user’s knowledge, or in a way they don’t expect, would be directly profiting from non-compliant data collection practices.

Consumer choice and control are key

Google claims this settlement with US states relates to historic settings, and that privacy issues associated with those settings have already been addressed. However, Google’s use of personal data has sparked regulatory action in recent years. Last year the French data protection regulator (CNIL) levied a €100,000,000 (c£87 million) total fine on Google Ireland and Google LLC for breaching the rules on the use of cookies and similar technologies. Essentially the cookie consent mechanism and information given by Google did not meet the standard required under privacy laws, meaning Google had not obtained valid consent from individuals to place cookies on the user’s device.

It will be interesting to see if any enforcement action will follow in the UK/Europe.

Lessons learned

Although this lawsuit focuses on consumer protection laws in the US, the issues shine a light on some of the big privacy issues which come with Big Tech globally.  Despite the bigger fines we have seen levied under GDPR being aimed at Big Tech, there are two clear takeaways for UK businesses:

1. Adopting a ‘data protection by design and default approach when creating services is a regulatory requirement. For those operating online services, designing appropriate privacy settings, making sure all processing activities of the business are documented, and that user choice is respected are important.
2. To use cookies and similar technologies, privacy laws in the UK and EU require affirmative consent. Assumed consent and pre-ticked consent mechanisms do not meet the standard of consent required under relevant laws. Business should review their cookie consent mechanisms and related privacy information to ensure it meets the required standard for compliance.

Contact our Privacy and Data Protection Experts to discuss privacy settings, data mapping or the use of cookies.