Google agreed to pay $391.5 million and make changes to its user privacy controls as part of a settlement with a coalition of 40 state attorneys general. The coalition accused Google of misleading customers about location-tracking practices that informed ad targeting.
The deal represents the largest privacy settlement won by states in U.S. history. Even so, the payout amounts to a drop in the bucket for Google’s parent company Alphabet, which reported $13.9 billion in profit from the last quarter alone. In January, a smaller coalition of AGs sued Google over the location-tracking issue. And last month, Arizona attorney general Mark Brnovich won an $85 million settlement from Google over it.
State AGs had been working on this case since 2018, following an Associated Press report that found Google tracked users’ location data even when they explicitly turned off “Location History” tracking in Android or iOS settings. At the time, Google denied wrongdoing and maintained that users could further limit location-tracking services by turning off “Web and App Activity.” The AGs weren’t convinced, likely in part because Google’s in-house copy at the time told customers that “with Location History off, the places you go are no longer stored.”
A Google spokesperson told Protocol that the settlement was consistent with improvements made in recent years, and that the case involved “outdated product policies that we changed years ago.” As part of the settlement, Google will further clarify location-tracking disclosures beginning next year, The New York Times reports.
“The transparency requirements of this settlement will ensure that Google not only makes users aware of how their location data is being used, but also how to change their account settings if they wish to disable location-related account settings, delete the data collected and set data retention limits,” Michigan attorney general Dana Nessel wrote in a press release.
State AGs have had to compensate for a lack of online privacy regulation at the federal level. That may soon be changing, however, as Politico reported on Monday that a bipartisan group of lawmakers intends to push the American Data Privacy and Protection Act through in the lame duck session.
ADPPA includes provisions protecting user geolocation data, including its transfer to third parties. The bill leaves enforcement up to the FTC, state AGs, state privacy authorities, and the California Privacy Protection Agency.Figures such as House Speaker Nancy Pelosi and Reps. Fred Upton and Billy Long shared concerns over ADPPA preempting state legislation. ADPPA sets out to supersede the existing patchwork of state laws, but in so doing it could crystalize the legislative landscape and make it more difficult for relatively nimble state legislatures to respond to evolving technologies.