Google is $392 million poorer after settling a lawsuit with 40 US state attorneys general for its deceptive location-history user settings. In short, if users opted out from the collection of location data and location history, this setting only applied to Google Maps. Other Google services, bundled under “web and app activity,” continued to collect users’ location information. And worse, users’ location data collection on web and app activity was opt-in by default for all users. Google then shared and monetized this data via its massive advertising business.

This is a significant finding that other companies must pay attention to because:

  1. Regulators are setting standards for “freely given consent.” Overlapping consent notices for the collection and sharing of users’ location information was complex to manage for users — with opt-in by default as a de facto standard. The decision goes to show that giving users the ability to opt out isn’t enough if that opt-out option is complex or counterintuitive. The writing is on the wall for deceptive or manipulative design that tricks people into sharing more data than they’d intended. This isn’t the first time that Google has been fined for deceptive design (also known as dark patterns) — earlier this year, France’s data protection regulator slapped Google with a €150 million fine for not giving a clear opt-out option on its cookie banner. And in the US, the California Consumer Privacy Act (CCPA) and the proposed federal privacy bill explicitly state that consent captured via deceptive design is not valid. As companies around the world are investing more than ever in consent strategies and technologies, they must look at this case as a defining one. Ensure that you take an ethical approach to collecting customer data; leverage intuitive, user-friendly interfaces for your customer-facing privacy content; and provide users with options at their fingertips.
  2. The privacy user experience is in the limelight as a critical privacy program feature. The language and design of Google’s privacy settings created an illusion of control for users. This represents a deceptive and unfair business practice beyond being a clear privacy violation, according to most current privacy regulations. Regulators are increasingly scrutinizing the relationship between privacy and user experience/customer experience. In 2020, the French data protection regulator determined how poor customer experience (CX) can compromise privacy compliance. In fact, our research shows that firms must meet both customers’ and regulators’ privacy expectations. Good CX and effective privacy protection go hand in hand, promoting customer engagement, transparency, and effective control. But our data shows that the collaboration between privacy and CX/marketing pros is still a struggle for many organizations. A new era of privacy compliance, defined by unprecedented privacy and ethical risks and complex technology-driven use cases to address those risks, requires cross-functional partnerships across teams. Privacy stakeholders are a diverse group, and if your legal, privacy, marketing, and CX teams aren’t already collaborating, start doing so now.
  3. Location data continues to be a hot button issue. Location data is a particularly touchy subject — the ins and outs of where we are, where we’re going, and where we’ve been can reveal intimate details about our personal lives. In the US, in a post-Roe v. Wade world, location data is facing renewed scrutiny as regulators express concern about location-data brokers revealing people who visit women’s healthcare clinics, with the Federal Trade Commission filing a lawsuit against Kochava, one such data broker. And the emergence of VR/AR devices, which rely largely on users’ location data for many functions, will continue to bring geolocation data to the heart of the privacy battle in the coming years. Whether you are collecting location data directly or leveraging it through third parties, now is the time to review the risk profiles and classification of location data and implement measures to mitigate these risks, today and for the future.

Ultimately, privacy pros can take this latest fine as a reminder that following the letter of the law — capturing consent — isn’t enough. The spirit of the law — whether that’s the GDPR, CPRA, LGPD, or take your pick from the privacy-law alphabet soup — is intended to empower consumers and give them control over their data. The time of deceptive or manipulative design that only provides the illusion of control and flies in the face of what these regulations aim to achieve is coming to an end. Get ready for a new era of privacy.