Google was hit with a $40M+ punishment for deceptive location tracking settings

According to a 2021 court judgement, Google must pay A$60 million (about $40M+) in Australia to settle claims that it misled customers with Android settings for at least five years over the company’s use of their location data.

In October 2019, the Australian Competition and Consumer Commission (ACCC) initiated proceedings against Google and its Australia subsidiary, taking the tech giant to court for making misleading representations to consumers about the collection and use of personal location data on Android phones between January 2017 and December 2018.

In April 2021, a court ruled that Google had violated Australia’s Consumer Law by misleading certain Android users into believing that the “Location History” option was the sole Google account setting impacting whether it collected, retained, and utilised personally identifiable data about their location.

The Australian Competition and Consumer Commission (ACCC) stated in a news release today that Google also had the ability to collect the location data of Android users via another option, dubbed “Web & App Activity,” which was enabled by default. As in, the standard black and white design. (As we will explain later, Google used many stacked dark patterns.)

According to the watchdog, about 1.3 million Google accounts in Australia may have seen a screen that violated Australia’s Consumer Law.

According to Gina Cass-Gottlieb, chair of the Australian Competition and Consumer Commission (ACCC), “this significant penalty imposed by the Court today sends a strong message to digital platforms and other businesses, large and small, that they must not mislead consumers about how their data is being collected and used.”

According to the report, “Google, one of the world’s largest companies, was able to keep the location data collected through the ‘Web & App Activity’ setting and that retained data could be used by Google to target ads to some consumers, even if those consumers had the ‘Location History’ setting turned off.”

“Personal location data is sensitive and significant to certain customers,” she said. “If the deceptive representations by Google had not been made, some of the users who saw the representations may have made other decisions regarding the collection, storage, and use of their location data.”

As of 20 December 2018, Google has allegedly taken measures to rectify the contravening behaviour, meaning that Australian customers were no longer presented with the deceptive displays.

Google stated its disagreement with the findings and potential appeal at the time of the court verdict last year. However, it ultimately chose to bear the consequences.

The ACCC notes that the majority of the sanctioned conduct occurred before September 2018, before the maximum penalty for breaches of the Consumer Law was substantially increased, from $1.1M per breach to — since then — the higher of $10M, 3x the value of any benefit obtained, or, if the value cannot be determined, 10% of turnover.

The court has also directed Google to contribute to the ACCC’s expenses and to guarantee that its policies include a commitment to compliance and requirements that it teach specific workers about the country’s Consumer Law.

In order to get Google’s take on the fine, they were approached. This comment was supplied to us by a corporate spokesperson:

“We can confirm that we’ve agreed to settle the matter concerning historical conduct from 2017-2018. We’ve invested heavily in making location information simple to manage and easy to understand with industry-first tools like auto-delete controls, while significantly minimising the amount of data stored. As we’ve demonstrated, we’re committed to making ongoing updates that give users control and transparency, while providing the most helpful products possible.”

Patterns of shadows inside shadows

Screenshots of three different versions of Google’s Web & Activity setup screen given to customers setting up a Google account on the device without any mention of the phrase “location” can be seen in the news release issued by the ACCC, which the court ruled to be deceptive to Android users.

Instead, between April 30 and December 19, 2018, one read: “This saves your searches, Chrome browsing history, and activity from sites and apps that use Google services,” with the caveat that doing so “gives you better search results, suggestions, and personalization across Google services.” However, it is not made clear anywhere that by using the app, the user is consenting to have their location monitored.

Android users who attempted to disable location tracking through the “Location History” option were instead met with a misleading pop-up asking whether they really wanted to “Pause Location History?” and warned them that doing so might “restrict functioning of certain Google products over time.”

It’s unclear why this was included, given the option didn’t provide users with enough control to completely stop Google from tracking their whereabouts.

At the end of the message, Google advises the user “see and manage this information on your Location History map” and adds the perplexing statement that “note, stopping this setting doesn’t remove any prior activity.” Presumably, this was done on purpose to divert their attention from the Web & Activity setting, where Google had buried yet another location tracking option.

For example, one version of the Web & Activity setting that the court found misleading Android users between early 2017 and late 2018 includes a full five possible actions a user could take, a surplus of choice obviously intended to bamboozle them into leaving the ‘on’ setting as is, since it is so radically unclear what anything else on the screen means.

“Some information may be stored in your default account if you utilise several accounts simultaneously. One conspicuous section of Google’s fine print reads, “Learn more at support.google.com,” without actually attaching the URL to take the user to the page where they may “learn more” (or, well, soon find there is nothing much to learn and definitely no “off” option there).

Given that the definition of the Web & Activity setting’s function is hidden underneath this block of fine text, it seems as if its primary purpose is to discourage customers from reading it (and above a more eye-catching tick-box). In this regard, though, Google is not entirely transparent: Again, the term “location” is nowhere to be seen; a mention of “Maps” is hidden in a bulleted list that prioritises “faster searches” and “customised experiences” in an effort to get users to agree.

Google seems to be implying that Android users need to have this option turned on in order to utilise Google’s famous Maps product as a stand-in for location, rather than making it clear that the setting pertains to its capacity to monitor users’ whereabouts.

Another pre-ticked checkbox appears next to some additional text on the same settings page, which reads, “Include Chrome browser history and activity from websites and applications that utilise Google services.” It would seem that Google is unbundling tracking options, maybe as a fallback in case one of these pre-checked settings gets unchecked and it still needs to collect data.

After that there’s additional tiny print, housed under the bland title “data from this device”, which reads: “Control reporting of App Activity from this device”. A casual observer would believe that this wording is not referring to an option at all since it is not immediately visually connected to any setting the user is able to interact with.

The “MANAGE ACTIVITY” option is a clickable link at the very bottom of the screen. The text in this instance is more pronounced since it is written in ALL CAPS. To a same extent, attracting attention does. However, what the heck is this? If the user wants to disable tracking, why should they be forced to navigate the new Google submenu hell to do so, as this choice implies? Surely all they need to do is flip the “on” switch at the top of the settings page.

Naturally, everything layered into this ominous pattern is designed to discourage the user from trying to figure out what’s happening to their data and increase the likelihood that they’ll give up and keep the default tracking settings intact. A masterpiece of cunning and manipulation.

In need of a major refresh?

Google may be in for a heftier fine if it is found to have violated the European Union’s General Data Protection Regulation (as penalties can scale up to 4% of global annual turnover), despite its statement today on the ACCC sanction suggesting that all misleading location tracking stuff is in the past. The EU investigation into the same practises has been open since February 2020.

In November of 2018, EU consumer watchdogs lodged concerns with Google about the company’s misleading location tracking. So Google may say it has “moved on” regardless of the verdict.

While the DPA handling the inquiry in Ireland is scheduled to release a draught judgement this year, the final decision may not be made until 2023 if the DPA network in the bloc has to evaluate it and agree on any enforcement.

In addition, earlier this summer, European consumer rights groups filed a new series of complaints against Google, accusing the advertising giant of deceptive design surrounding the account creation process that, according to the groups, steers users into agreeing to extensive and invasive processing of their data.

Complaints show how many more “clicks” consumers must go through to prevent Google from following them, as opposed to just giving Google access to their data. plus ça change, right?

Given how slowly privacy laws are enforced in Europe, it may be years before any redressing orders are issued, leaving customers vulnerable in the meanwhile.

But more strenuous changes are coming: Lawmakers in the European Union have just decided to put a prohibition on online platforms building and deploying deceptive/manipulative and/or misleading interfaces in a scheduled major update to the bloc’s digital rules.

The DSA’s overarching goal is to direct governance in a way that increases responsibility and accountability for digital services.

When it comes to shadowy patterns, a lot will depend on the fine print of the DSA and how it’s interpreted, and there may still be potential for dominant platforms to discover loopholes and adopt predatory techniques to strip consumers of their rights and agency. However, the law’s primary characteristic is that it mandates the European Commission play an active role in enforcement (against bigger platforms, so-called VLOPs).

As part of this, the EU’s executive branch will be given the authority to provide recommendations for things like interface design. Some of the EU’s consumer-focused legislation might, suddenly, become quite tougher to ignore, as it acquires the right to slap VLOPs with hefty penalties if they disobey the terms of the DSA. (From the beginning of the next calendar year, the DSA will be in effect.)

The maximum amount that may be fined for breaking the DSA is 6% of the company’s yearly gross revenue. Therefore, stealing personal information comes with a greater and greater potential for disastrous consequences. It remains to be seen whether this will be enough to cause monitoring industry titans to stop for thinking or, more importantly, if it will induce substantial change of privacy-hostile business structures.