On Tuesday, November 27th, consumer groups filed complaints with the data protection authorities in seven European countries, accusing Google of improperly collecting location tracking data in violation of the new General Data Protection Regulation (“GDPR”). The complaints, filed in the Czech Republic, Greece, Netherlands, Norway, Poland, Slovenia, and Sweden, cite to a study by the Norwegian Consumer Council, which reviews the various methods used to track consumers’ location when they use Google services on their smart phones.
Consumer groups claim that Google has been using a variety of techniques to “push or trick” users into allowing themselves to be tracked when they use Google services. These techniques include “withholding or hiding information, deceptive design practices, and bundling of services.” Complainants specifically allege that tracking is accomplished through the “Location History” and “Web & App Activity” features built into Google accounts, and these issues are particularly pronounced on mobile devices that use the Android platform.
The complainants go on to allege that Google does not have a valid legal basis for processing users’ location data and is processing personal information in violation of GDPR. Assuming Google will attempt to rely on consumer consent, complainants argue consent from Google users is inadequate because users are not given sufficient information to make informed choices, default settings are hidden, and users are repeatedly nudged to turn on features that track location.
In response to a request for comment, a Google spokesperson said: “Location History is turned off by default, and you can edit, delete, or pause it at any time. If it’s on, it helps improve services like predicted traffic on your commute.
“If you pause it, we make clear that—depending on your individual phone and app settings—we might still collect and use location data to improve your Google experience.”
These recent complaints are significant for several reasons. First, GDPR only recently took effect on May 25, 2018. Enforcement to date has been limited and there is little legal precedent that can be relied on to ascertain a potential outcome for these complaints. It is difficult to predict how the data protection authorities in these seven countries will respond.
Second, penalties for violations of GDPR are prohibitive. Current regulations provide for fines of up to 4% of global annual revenue, so Google, and its parent company Alphabet, could face fines in the billions of dollars.
Third, Google is facing lawsuits in United States federal court over the same location tracking data. The plaintiffs in those suits allege Google continued to track users’ locations through their phone, even after location tracking features were disabled. Google has filed a motion to dismiss, which will be heard in January 2019. It is unclear what impact, if any, these new complaints in the European Union will have on ongoing US litigation, and vice versa.