The Cost of Non-Compliance: A Look into Google’s $391m Settlement in US Privacy Lawsuit
Wednesday 16th November 2022
Google is once again in the spotlight as it has agreed to pay a $391.5m settlement (c£329.6m) to 40 US states relating to its historic use of user location data.
Despite users turning off the location tracking feature, Google allegedly continued to store that data without user knowledge or consent.
Connecticut Attorney General William Tong said in a statement: “Location data is among the most sensitive and valuable personal information Google collects, and there are so many reasons why a consumer may opt out of tracking.”
Whilst this relates to a US lawsuit, the privacy issues at the heart of this case are interesting (and concerning) as they relate to alleged practices which fall foul of UK and EU data protection laws. Consumers should be able to trust that their privacy preferences have been applied. Designing and respecting privacy settings help to demonstrate that a business is adopting a ‘data protection by design and default’ approach, which is a requirement under UK and EU laws.
The reason behind location tracking exacerbates the issues in this case. Location data allows advertisers to geo-target and proximity-market to people based on their location, which is clearly privacy-intrusive. Google makes billions by making this type of data available to advertisers. With this in mind, any failure to obtain consent, or any use of this data without the user’s knowledge or in a way they don’t expect, would mean directly profiting from non-compliant data collection practices.
Consumer choice and control are key
It will be interesting to see if any enforcement action will follow in the UK/Europe.
Although this lawsuit focuses on consumer protection laws in the US, the issues shine a light on some of the big privacy issues which come with Big Tech globally. Despite the bigger fines we have seen levied under GDPR being aimed at Big Tech, there are two clear takeaways for UK businesses:
- Adopting a ‘data protection by design and default’ approach when creating services is a regulatory requirement. For those operating online services, designing appropriate privacy settings, documenting all processing activities of the business, and making sure that user choice is respected are important.