On 14 September 2023, Google and the California Attorney-General’s Office reached a $93 million settlement.[1] This agreement follows allegations that Google’s location-privacy practices breached California consumer protection laws – collecting, storing, and using location data without users’ informed consent. It marks the fifth time that Google has settled over its use of geolocation data, and it is unlikely to be the last[2]. Importantly, however, the strong injunctive terms imposed on Google provide much-needed clarity to AdTech stakeholders over identity-linked and device-linked data.
Background
Location-based (geotargeted) advertising is a critical feature of Google’s advertising platform, as it enables advertisers to market to users based on their precise geographical locations. Google also uses location data to build behavioural profiles of its users, which can help determine what digital ads are shown to users.
California AG’s case follows the investigation into the same Google practices by 40 other states that reached settlement of $391.5 million in November 2022. The investigation was sparked by a 2018 article by the Associated Press, which revealed that Google continued to track users’ location data even after they disabled their ‘Location History’ settings.[3]
For instance, Google collects and stores users’ location data via ‘Web & App Activity’, a feature that is enabled by default when a user creates a Google account. Although Google states that Web & App Activity merely “saves your activity on Google sites and apps”, it fails to specify that this includes saving location data associated with that activity – used for profiling and advertising.
In a similar way, the investigation revealed that Google deceived users about their ability to opt out of geotargeted ads. Google’s ‘Ad Personalization’ setting governs the extent to which Google uses location information to profile and target advertisements to consumers. However, even when this setting is disabled, Google still uses users’ real-time location information to serve targeted ads.
Terms of Settlement
As well as the requirement to pay $93 million to the State of California, the settlement also prescribes a number of injunctive terms[4] that Google must comply with, with a view to protecting the privacy interests of users. It includes requirements for Google to show additional information to users when enabling location-related account settings, increase transparency around location tracking, and provide information about how this data is collected and stored for all users when they disclose their identity to Google.
Importantly, the settlement clarifies the rules for AdTech stakeholders – namely, that the rules for location information linked to devices are different from when location information is linked to users. Google’s ‘Covered Conduct’ to which the complaint and investigation relates to refers to Google’s use of a user’s location information rather than a device’s.
Google must first obtain user choice when geolocation information is linked to a specific individual’s account (see Injunction 17). However, Injunction 7 highlights that users do not need to consent or choose to Google’s use of geolocation information for advertising purposes when their device is not authenticated with a consumer-facing Google service. This landmark settlement with 41 US states now sets the precedent that no consent is required to use geolocation data for advertising purposes when Google does not link this information to a specific individual’s identity. The rationale for this exemption is that even though Google could link geolocation information collected with a MAID or cookie to a specific individual, Google has the appropriate organizational measures to keep such information distinct from the identity of that individual, while such user is in a logged-out state.
Wider Consideration
This settlement is a pragmatic step forward to support responsible handling within a decentralised, competitive ecosystem.
The California AG’s settlement exempted Google’s use of deidentified and pseudonymized data from requiring consent, on the basis that neither constitute the Personal Data of a specific individual or household.
This distinction between identity-linked and deidentified data aligns with the existing set of US data protection laws that recognize the important safeguards for protecting individuals’ privacy by exempting data exchanges involving non-identity-linked anonymous and deidentified data.[5]
This latest development is consistent with the landmark decision in SRB v EDPS [2023], where the General Court of the European Union held that deidentified data transmitted to a data recipient will not be considered Personal Data if the recipient does not have the legal means to reidentify the data subjects.[6] In that case too, organizational measures were in place to keep the deidentified data in its non-identity-linked state, even though the sender had the technical means to easily reidentify the information.
Even more importantly, this crucial distinction further undermines Google’s excuse for its interfering with rivals’ use of deidentified match keys required to support interoperability across the open internet.
In light of this development, MOW urges the CMA to further scrutinize Google’s excuse that their Privacy Sandbox browser changes aim to improve privacy for users, rather than distort competition.
[1] https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-93-million-settlement-regarding-google%E2%80%99s
[2] Google throws California $93M to make tracking suit go away • The Register
[3] https://www.texasattorneygeneral.gov/sites/default/files/images/executive-management/DRAFT%20Texas%20Geolocation%20Petition%201.23%20Final%20Redacted.pdf?utm_content=&utm_medium=email&utm_name=&utm_source=govdelivery&utm_term=
[4] See proposed judgment containing the settlement terms at https://oag.ca.gov/system/files/attachments/press-docs/Google%20Proposed%20Order%20FINAL%20%283%29.pdf
[5] See California 1798.145(a)(6): “The obligations imposed on businesses by this title shall not restrict a business’ ability to: Collect, use, retain, sell, share, or disclose consumers’ personal information that is deidentified or aggregate consumer information.” https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&chapter=&article
[6] See Case T-557/20, SRB v EDPS at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62020TJ0557
Header image courtesy of Henry Perks on Unsplash (licensed for free via Unsplash Licence)