Google’s Misleading Practices and Privacy Woes 

Google has paid $391.5 million in a settlement with 40 US states for tracking user location. Google misled users about its location tracking practices since at least 2014, violating state consumer protection laws. Tracking took place when tracking permissions had been switched off by the user.[1]

Google appears to be taking the line that this is an “historic breach”. Google’s public metamorphosis into a bastion of data protection and user privacy is, however, now again subject to skepticism in many quarters. Indeed, a pivot to compliance would be impressive. This brief provides a clarification that, contrary to its public claims, Google continues to mislead consumers and capture and use information of exactly the kind that most worries privacy advocates.

Google is constantly promoting the message that data handled by first parties is inherently safer and less of a privacy risk than data handled by or between third parties.

The Google position is laid out in its “Marketers Playbook” for “delivering performance and privacy”. Page 1 starts with “Build direct relationships with your customers” and points to first party data as the way forward, with an example:

“Gymshark harnessed its first-party data to improve their user experience and insight generation”.

However, when looking at privacy law the main point to bear in mind is whether data being handled is “personal data”, namely data that tends to identify a single living individual. When handling personal data, Section 6 of the most widely applicable data protection law, the GDPR, provides:

 “Processing shall be lawful only if and to the extent that at least one of the following applies:

      (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

      (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;…[other provisions omitted for reasons of space]”

Is there anything in the above, or elsewhere in the GDPR or any other law concerning privacy or data protection, that says that “first party data” is inherently safe?[2]

If a sensible assessment of compliance with the law is to be made, the starting point is whether the data in question is “personal”. So, email addresses, such as those that Google routinely captures (and shares with other companies under its Customer Match [3] program), are likely to be regarded as personal data. Other types of information, such as that gathered by your car’s computer about the functioning of your car engine, which is routinely used by the garage to diagnose faults, are unlikely to be personal data. Whether the data is from, by, for or to a third, fourth, fifth or sixth party is irrelevant to whether the data is personal or not.

Indeed, when thinking about this confusion of concepts, it is useful to consider what a third party is in daily life. Think of buying something in a shop. The payments and banking industry is a third party to the transaction between the customer and a vendor. The fact that they are provided by a third party does not make banking systems and payments processors unsafe or untrustworthy, or the data more or less personal.       

When measured against this basic principle, Google’s widespread promotion of “First Party Good/Third Party bad” raises the question: why then does it persist with the line? Its only obvious purpose is that it helps Google’s business. By its own definition Google harvests huge amounts of “First Party” data. Much of that is likely to be personal data, so it is important from a marketing perspective that Google convinces users, industry, and regulators that its processes are inherently safe. Unfortunately, Google’s marketing does not address privacy issues in law.

Looking more closely, it becomes clear that the promotion and marketing is designed to undermine confidence in competitors’ products. The CMA found as much in its Decision of February this year. Since Google makes money from ads, it undermines trust in systems that support competing ads – and competing publishers.

Importantly, Google’s processing of first party data is highly questionable. Google promotes customer consent on a generalised, non-specific basis as a protection method and states that Google will only share personal information when it has obtained the user’s consent. This is followed by a statement that Google will: “ask for your explicit consent to share any sensitive personal information.” [4]

However, this claim runs up against Google’s actual practices. The company, for instance, advertises its use of both glucose and fertility data in its own paid ad solutions.[5]

Going forward, it is also worth checking out Google’s proposals to remove supposedly unsafe third-party cookies from the web ecosystem and replace them with First Party Sets (FPS) systems. 

Here, Google’s quarterly progress report is relevant.[6] The “privacy outcomes” of FPS are considered in scope, but are not addressed with any evidence. Instead, Google asserts that privacy improves when fewer entities in the FPS are allowed to handle data. There is no evidence for this. There is, however, evidence to suggest that Google’s FPS would hurt competition and see data concentrate in fewer hands. Perhaps it might also be thought that a careless single business is more of a problem than a stack of careful businesses.

Google is no more or less safe than any number of other parties who have personal data and who have obtained consent for the use of that personal data for specific purposes.[7]

But according to Google, third parties cannot be trusted and Google can. This is quite rich from a company that has accrued more penalties for misleading consumers than nearly any other.

Google no longer tops the table measured on “biggest fine ever” but must be in contention for a prize in a table of most frequently fined companies.[8]

[1] Google to pay $392m to 40 states over location tracking in ‘historic win’ for users (msn.com)

[2] By contrast Article 6 (f) contemplates processing by the controller or a third party on equal terms when it states that processing may also be lawful where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

[3] About Customer Match – Google Ads Help

[4] See Privacy Policy – Privacy & Terms – Google.

[5] See Google product category [google_product_category] – Google Merchant Center Help.

[6] Privacy_Sandbox_Progress_Report_to_the_CMA_2022__1.pdf (publishing.service.gov.uk)

[7] Those purposes need to be presented to end users and laid out properly before the consumer when asking for consent to such use.

[8] https://www.tessian.com/blog/biggest-gdpr-fines-2020/