As part of a settlement with the US District of Columbia, Google has agreed to make a slate of changes to its location tracking practices and pay a fine of $9.5 million. The District of Columbia in January 2022 filed a lawsuit alleging that Google “deceived consumers regarding how their location is tracked and used by the company and [regarding their] ability to protect their privacy by stopping this tracking.”
We sued because Google made it nearly impossible for users to stop their location from being tracked. Now, thanks to this settlement, Google must also make clear to consumers how their location data is collected, stored, and used.
Read the agreement: https://t.co/D6TUaRNDGZ
— AG Karl A. Racine (@AGKarlRacine) December 30, 2022
Track someone’s location on your own terms with our expert-approved GPS trackers.
This settlement is one of the many that Google has reached in recent weeks with regard to its location tracking practices. In November 2022, Google agreed to pay $392 million to settle a lawsuit brought by 40 states, and in December, Google agreed to pay the state of Indiana $20 million. At the heart of these lawsuits are two settings: Location History and Web & Activity. Google suggested to users that turning off the Location History would stop it from collecting users’ location information, but the company continued to collect this information through Web & Activity and other sources. To read more about the allegations, read our summary of the lawsuit.
Why this matters: These multiple lawsuits against Google were prompted by an Associated Press story in 2018 that revealed the extent of Google’s location tracking practices, including tracking location when users had opted not to be tracked. The agreements reached to settle these lawsuits require Google to give users more genuine control over whether or not they want to share their location and also make clear how their location data is collected, stored, and used.
“Location data is a key part of Google’s digital advertising business. Google uses the personal and behavioral data it collects to build detailed user profiles and target ads on behalf of its advertising customers. Location data is among the most sensitive and valuable personal information Google collects. Even a limited amount of location data can expose a person’s identity and routines and can be used to infer personal details.” — Attorney General of Tennessee
What changes must Google make?
- Pop-up and email notifications to users who already have Location History enabled: Google must show a pop-up notification and send an email to users who have Location History or Web & App Activity settings enabled, disclosing to them whether these settings allow Google to collect location information and also instructing them how to disable the setting, delete the data collected and set data retention limits. Location History is a setting that lets Google automatically capture a user’s location information at different points in time from various sources. This data can be presented in a visual format shown on a map.
- Creation of a new Location Technologies webpage: Google must set up and maintain a Location Technologies webpage that is easily noticeable and easily understandable by the user, which discloses Google’s policies and practices concerning the types of location information the company collects, the sources, the precision and frequency of collection, the purpose of collection, the retention period, whether it can collect location information from across devices linked to the same Google account, what control do users have, how users can disable or limit collection and retention period, what happens when a user is signed out or deletes an account, etc. A hyperlink to this page must be included in Google’s Privacy Policy.
- Disclosure when users enable any location-related account setting: When a user enables or is prompted to enable any location-related account setting, Google must clearly disclose to the user a hyperlink to the Location Technologies page as well as information related to the source of location information, the purpose for collection, the retention and deletion controls available to users, and whether the setting allows Google to collect location information even when a user is not using a specific Google service. When a user enables or is prompted to enable Location History, Google must disclose ways in which location information previously stored in Location History (that has been de-identified or anonymized) is used.
- Disclosures when users create an account: When a user creates an account with Google, the company must clearly and noticeably disclose information regarding the collection, retention, and use of location information, “including, but not limited to GPS, IP address, DEVICE sensor data, Wi-Fi data, and Bluetooth data, that the USER agrees to prior to creating an account.” Google must also show a hyperlink to the Location Technologies page and an additional dialogue that reveals to users which location-related settings are enabled by default and how to disable these settings. All the above disclosures must be presented in a way that the user cannot avoid.
- Disabling location-related settings or deleting location information should be easy: Google must give users the ability to disable a location-related account setting or delete location information “stored by that setting in a single, continuous flow, i.e., without needing to navigate to a separate surface or page.”
- Notification of changes to the privacy policy: Google must notify users via email whenever there are any material changes to its Privacy Policy concerning the collection, use, and storage of location information.
- Explicit consent required for sharing precise location information: A user’s precise location information (defined as the latitude and longitude of a user or device) can only be shared with a third-party advertiser with the express affirmative consent from the user.
- Auto deletion of certain location information: Google must automatically delete location information derived from a device or an IP address as part of Web & App Activity within 30 days of collection of such information.
- Deleting Location History of inactive users: Google must automatically delete Location History data for inactive users within 180 days of the user receiving an email notification regarding the same unless the user takes steps to keep their data. An inactive user is defined as a user whose location information was last uploaded more than three years ago.
- Privacy impact assessments of changes: Before materially changing how Location History or Web & App Activity use precise location information, Google must internally assess the privacy impact of that change. The same goes for if and when Google changes how it shares users’ precise location information with third parties. These assessments must be documented in writing within Google.
This post is released under a CC-BY-SA 4.0 license.
The post 10 changes Google must make to its location tracking practices appeared first on MediaNama.
This content was originally published here.
Looking for your own GPS location trackers? Shop EyeSpySupply today.
