In what is considered the largest privacy-related settlement in history, Google will pay $391.5 million to 40 states to settle an investigation by 40 state attorneys general. The bipartisan coalition of attorneys general alleged that Google misled users into believing that opting out of sharing their location data prevented the company from tracking users’ locations. But even when users opted out of location tracking, researchers confirmed that Google nonetheless tracked user location data across a number of its services, including its search tool, maps, and applications. The practices, which occurred between 2014 and 2020, violated consumer protection statutes that prohibit misleading and deceiving consumers, the attorneys general said. Among the consumer protection statutes that were violated according to the investigation were New York General Business Law Sections 349 and 350 and Massachusetts General Law Chapter 93A.
User location data was allegedly sold to advertisers, who then used the data to provide targeted advertisements to consumers based on their locations. The attorneys general claimed the valuable location data was key to Google’s advertising business, which has generated more than $200 billion in annual ad revenue.
In addition to the significant payout, the company also agreed to improve its disclosures regarding location tracking data as part of the settlement. In a blog post published on November 14, 2022, Google assured it would soon provide users “even greater controls and transparency over location data.”
The record settlement comes at the midst of increasing pressure from state and federal lawmakers across the political spectrum to revamp corporate privacy practices and policies. Proposed federal legislation seeks to regulate and apply greater scrutiny to privacy practices, including allowing federal, state, and private causes of action for privacy violations. Such legislation would permit private and public lawsuits nationwide. Although the legislation in its current form is not expected to pass, it illustrates the political momentum behind increased privacy regulations.
The current statutory landscape also provides state-specific avenues to challenge privacy practices and policies, as five states, including California, Colorado, Connecticut, Utah, and Virginia, already have comprehensive consumer data privacy laws. Among these five states, only California permits a private right of action. Other states have introduced privacy legislation or passed targeted privacy legislation. Illinois, for example, has biometric data laws (the Illinois Biometric Privacy Act, or BIPA) that create a private right of action, which has served as the basis for several major lawsuits and settlements, including a $228 million class action judgment against BNSF Railway Co. resulting from its requirement that truck drivers provide biometric identifiers to access the company’s facilities. The social media giant TikTok also entered into a $92 million settlement to resolve class action lawsuit based on BIPA claims in October 2022. Internationally, Europe has its own set of comprehensive privacy regulations that have similarly prompted multimillion dollar fines by European regulators. Within the past year, New York-based facial recognition company Clearview AI was fined £7.5 million by a U.K. privacy regulator and €20 million by both Italian and French data protection agencies for violation of European privacy laws.
It is very likely that there will be an increase in privacy lawsuits and settlements as new privacy legislation is passed. In fact, there has already been an increase. For example, Apple was recently sued in California under the California Invasion of Privacy Act for its own data collection practices. Similar to Google’s practices that prompted settlement, the lawsuit alleged that Apple tracks and shares application data across hundreds of thousands of users, despite users disabling such features. Moreover, three states and the District of Columbia also sued Google in their respective jurisdictions in January 2022 for the company’s location tracking practices. The cases are currently pending, and Google’s motions to dismiss in two cases were denied. As far as settlements, Google also separately paid $85 million in October 2022 to settle a privacy lawsuit brought by the State of Arizona.
The evolving legal landscape around data privacy should encourage data holders to regularly assess their practices concerning the use of consumer data.
If you have any questions about your data collection and use policies, or need to develop and implement such policies, contact the Mintz Privacy Team.