Press Release: AG Racine Announces Google Must Pay $9.5 Million for Using “Dark Patterns” and Deceptive Location Tracking Practices That Invade Users’ Privacy
News Release — DC Office of the Attorney General
FOR IMMEDIATE RELEASE:
December 30, 2022
MEDIA CONTACT:
Office of Communications
Continues OAG’s Work to Hold Big Tech Companies Accountable and Protect Consumers’ Privacy
WASHINGTON, D.C. – Attorney General Karl A. Racine today announced that Google will pay $9.5 million to resolve allegations that it deceived and manipulated consumers to gain access to their location data, including making it nearly impossible for users to stop their location from being tracked.
Significantly, pursuant to the settlement agreement, Google has also agreed to several important changes to how the company informs users how user location data is collected, stored, and used by the company.
“Given the vast level of tracking and surveillance that technology companies can embed into their widely used products, it is only fair that consumers be informed of how important user data, including information about their every move, is gathered, tracked, and utilized by these companies. Significantly, this resolution also provides users with the ability and choice to opt of being tracked, as well as restrict the manner in which user information may be shared with third parties,” said AG Racine. “I am proud of how the exceptional lawyers and professionals in my office have creatively applied the District’s strong consumer protection laws to set the standard nationally and provide users far greater control of their personal information.”
OAG opened an investigation into Google’s location tracking practices following a 2018 Associated Press story revealing that Google “records your movements even when you explicitly tell it not to.” The investigation confirmed other deceptive conduct, including a number of “Dark Pattern” practices, which are deliberate design choices that trick or coerce consumers into taking actions that don’t benefit them. Google’s dark patterns included repeatedly prompting users to enable location in certain apps and claiming products would not function properly if location was not enabled, when in fact location was not needed to even use the app. Based on its investigation, OAG filed a complaint to stop Google’s violations of the District’s consumer protection laws, which included:
- Making it impossible for users to opt out of having their location tracked;
- Deceiving users about their ability to protect their privacy through account settings;
- Misleading Android users about their ability to protect their privacy through their device settings; and
- Relying on “dark patterns” to undermine users’ informed choices.
Under the terms of the settlement, Google will be required to:
- Pay a $9,500,000 penalty to the District.
- Issue notifications to users who currently have certain location settings enabled. These notifications must instruct users on how to disable each setting, delete the data collected by the settings, and limit how long Google keeps their data.
- Clearly inform users of data collection when they enable location-related Google account settings. In addition, when users create a new Google account, Google must advise the user of location-related account settings that are enabled by default and provide an opportunity for the user to opt out.
- Maintain a webpage that discloses Google’s policies and practices concerning location data. This webpage will include information about what data Google collects, how users can check their location-related account settings and disable such settings, how users can limit Google’s uses of their location information, and how each location-related account setting impacts the collection, retention, or use of location information by Google.
- Improve users’ ability to identify location-related controls. Google will add language on the Account Data & Privacy Page to help users identify location-related account setting controls. Google will also give users the ability to disable a location-related account setting and delete the location information stored by that setting in a way that does not require the user to navigate to a separate surface or page.
- Limit sharing of users’ data and retention of data. Google will not share users’ precise location information with a third-party advertiser without affirmative consent from the user. Google will also automatically delete location information that came from a device or from an IP address in Web and App Activity within 30 days of obtaining that location information.
- Prepare annual compliance reports. The reports will detail Google’s compliance with this settlement agreement.
A copy of the settlement agreement is available here.
This matter was handled by former Assistant Attorney General Beth Feldstein; Deputy Director of the Office of Consumer Protection, Jennifer Rimm; former Director of the Office of Consumer Protection, Benjamin Wiseman; and Director of the Office of Consumer Protection, Adam Teitelbaum.
AG Racine’s Efforts to Stop Abuses by Big Tech
This lawsuit builds on AG Racine’s efforts to hold big tech companies and their executives accountable for their deceptive, predatory practices and to stand up for District residents when they are harmed. Among many other actions, AG Racine filed a lawsuit against Facebook for failing to protect the data of its users when Cambridge Analytica acquired and used that data to manipulate the 2016 election. He filed an antitrust lawsuit against Amazon to stop anticompetitive and unlawful behavior that controls prices across the entire online market. He sued Google for deceiving and manipulating consumers to gain access to their location data, including making it nearly impossible for users to stop their location from being tracked. He introduced legislation before the DC Council – which passed in 2020 – to modernize the District’s data breach law, strengthen protections for residents’ personal information, and prevent identity theft. AG Racine has also worked to make sure gig economy companies – like DoorDash, GrubHub, and Getaround – follow the same rules as brick-and-mortar businesses, including wage and hour laws.
###
Comments are closed.