Seven GDPR complaints filed against Google over user location tracking

GDPR complaints have been filed today against Google in the Netherlands, Poland, the Czech Republic, Greece, Norway, Slovenia, and Sweden.
Written by Catalin Cimpanu, Contributor

Consumer protection agencies from seven EU countries filed today GDPR complaints against Google for using deceptive practices to track users' location.

The seven consumer protection agencies claim that Google "lacks a valid legal ground for processing the [location] data in question" and that because of its deceptive practices the users' consent "is not freely given," hence, the company is in violation of the new General Data Protection Regulation (GDPR) that entered into effect in the EU space since late May, this year.

GDPR complaints have been filed with national data protection authorities in the Netherlands, Poland, the Czech Republic, Greece, Norway, Slovenia, and Sweden.

Also: Russian election hacking hits a bump, but it's still going on CNET

"Location data can reveal a lot about people, including religious beliefs (going to places of worship), political leanings (going to demonstrations), health conditions (regular hospital visits) and sexual orientation (visiting certain bars)," said today officials from BEUC, an umbrella group for 43 national consumer organisations from 32 European countries.

All seven GDPR complaints have been filed based on the findings of a 44-page report published today by Norway's Consumer Council, the country's consumer protection agency.

The aforementioned report shows how Google has been using a number of deceptive practices to enable location tracking for Google accounts via two settings known as Location History and Web & App Activity.

  • Location History is a Google account setting that continuously logs the location of the user. The location data collected through Location History is derived from GPS, Wi-Fi scanning, and Bluetooth scanning, which means that Google can track a user's precise location inside buildings as well as outside. This setting has to be 'activated' by the user, however, the report has found that Google used several tricks to ensure that users do so.
  • Web & App Activity is another Google account setting, which collects different user data from a variety of Google services. Certain apps and services, such as Google searches and searches made through Google Maps, are logged with location data of where the user was when he or she performed the search. In other words, users who turn Location History off, but leave Web & App Activity on, will still have some of their location data collected by Google. This setting is activated by default in all Google accounts.

The report claims that Google has been using a series of deceptive practices and design tricks to push users into activating the two location tracking features and leaving them enabled. The report lists the following practices:

  1. Hidden default settings: when setting up a Google account, the actual account settings are hidden behind extra clicks. Users first have to click "More options" to see what the settings are, and whether they are enabled or disabled. Web & App Activity is enabled by default, meaning that users who did not click "More options" will not be aware that this data collection is happening.
  2. Misleading and unbalanced information: whenever the Location History and Web & App Activity settings are presented to the user, the clearly visible information is limited to a few positive examples of what the setting entails. The information that is visible often also trivialises the extent of tracking that is going on, and how it is used.
  3. Deceptive click-flow: although Location History has to be "actively" enabled, the set up process and click-flow is presented and designed in a way that the user is compelled to enable the setting.
  4. Repeated nudging: users are repeatedly asked to turn on Location History, in many different contexts. On Android devices, users that do not wish to enable Location History have to decline the setting at least four times when using different services that are preinstalled on Android phones: in Google Assistant, Google Maps, Google app, and Google Photos.
  5. Bundling of services and lack of granular choices: Throughout the Google ecosystem of services, separate services or functionalities are integrated and co-dependent, or simply bundled together. Enabling Location History is required in order to enable other services that users may want to use, such as Google Assistant and Google Photos Places.
  6. Permissions and always-on settings: When enabled, Location History is always on in the background on Android devices, regardless of whether the user is actively using a service that requires location services.

The Norwegian agency's report has been put together after two field tests carried out on freshly installed Android smartphones in July (Samsung Galaxy S7 Android device running Android version 8.0.0) and again in October (on the same Samsung device, and on a Google Pixel device running Android version 9). The two tests identified similar issues, resulting in a decision from the seven agencies to go forward with GDPR complaints.

Following today's filings, data protection agencies in each of the respective seven countries will have to investigate Google's location tracking practices in light of the current GDPR legislation.

If found guilty, Google risks fines that can go up to €20 million ($22.6 million) or 4 percent of annual global turnover.

Also: 7 tips for SMBs to improve data security TechRepublic

Today's GDPR complaint filings also come after two separate investigations by Quartz and the Associated Press found similar issues with Google collecting users' location details, even when location services are visibly disabled in the user interface.

Google tried to save face over the summer when it made changes to the Google account dashboard interface, but by that point, it was too little too late, as the company had already drawn the ire of users and EU consumer protection agencies alike.

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage:

Cisco Live 2018: 'GDP is directly linked to GDPR'

The protection of data will become linked with economic growth, according to Cisco's chief privacy officer.

GDPR's silver lining: Data-driven AI and innovation in the enterprise

IBM's Cristina Cabella explains why GDPR has the potential to promote AI and machine learning in the enterprise.

Facebook's latest breach could cost the social network over a billion under new GDPR laws

Facebook was fined £500,000 under the Data Protection Act for the Cambridge Analytica scandal but may not get away so lightly this time.

UK levels first GDPR fine against Canadian analytics firm linked to Brexit campaign

AggregateIQ, also linked to the Facebook & Cambridge Analytica data scandal, is the first to be put on notice.

Brave browser files GDPR breach complaints against Google in the EU

Google and fellow ad tech firms accused of violating GDPR during the "bid request" process used in behavioral ads.

GDPR cuts tracking cookies in Europe

Three months after the introduction of the General Data Protection Regulation (GDPR), European news sites have reduced their use of tracking cookies by 22 percent, according to research from the University of Oxford. Companies that run websites should be aware of the problem and ready to act.

Editorial standards