The Attorney General of Pennsylvania announced that Google has paid $391.5 million in a settlement agreement with various states in the United States after being sued for allegedly misleading consumers about how it collects and uses location data. This is the largest settlement in the history of state lawsuits in the United States. The settlement was reached in the wake of a 2018 report by the Associated Press, which revealed that Google tracked the location of users even if they had requested not to be tracked.
The lawsuit alleged that Google was not sufficiently clear about how it collects, stores, and uses location data, and did not adequately explain to users how data collection could be limited. For example, disabling location history tracking in a user’s Google account ("Location History") did not stop Google from collecting location data. Google could have continued to collect this data by tracking the web and app activity of its users ("Web & App Activity"), a setting in the Google account that is activated by default.
As part of the settlement, Google agreed to provide additional information when users change settings in their accounts. It also agreed to highlight important information about tracking users' location and establish a web page that will provide a detailed explanation of the type of location data that the company collects and how it is used. Google further agreed to limit the use and storage of certain location data and improve account settings to be more user-friendly.
Separately, Ireland's Data Protection Commission fined Facebook’s parent company, Meta, €265 million for violating the EU GDPR. This new fine comes after Meta was hit with a fine of about €650 million last year for data protection deficiencies.
The latest investigation into Meta began in April 2021 amid media reports that a collated set of personal data from Facebook was available online. The Irish Data Protection Commission investigated Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer. The material issues in this investigation focused on the GDPR’s obligation to protect data by design and by default, and the Irish Data Protection Commission alleges that Meta did not properly protect the personal data against harvesting by scrapers.