Google has agreed to pay a $391.5 million settlement reached with 40 attorneys general over its location tracking practices relating to Google account settings.

This is the largest multistate privacy settlement in U.S. history.  A multistate investigation found that Google failed to notify users that location tracking services were automatically turned on for web and app activity. Millions of consumers with Google accounts who used Google’s apps, such as Google Maps, Google Search, Google Chrome and other Google apps, were unaware that their location was being tracked.

According to New York Attorney General Letitia James, Google told consumers they could turn off location tracking under “location history” in their settings, but failed to notify consumers that their “web and app activity” setting also collected location data.

Connecticut Attorney General William Tong said location data is a key part of Google’s digital advertising business. It’s among the most sensitive and valuable personal information Google collects. Even a limited amount of location data can expose a person’s identity and routines. In addition, it can be used to infer personal details. Google uses this data to build detailed user profiles and target ads to consumers on behalf of its advertising customers.

‘Historic Win’ for Consumers

Connecticut Attorney General William Tong

“This $391.5 million settlement is a historic win for consumers in an era of increasing reliance on technology,” Tong said. “Location data is among the most sensitive and valuable personal information Google collects, and there are so many reasons why a consumer may opt-out of tracking. Our investigation found that Google continued to collect this personal information even after consumers told them not to. That is an unacceptable invasion of consumer privacy, and a violation of state law.”

As detailed in the settlement, the attorneys general found that Google violated state consumer protection laws by misleading consumers about its location tracking practices since at least 2014. Specifically, Google misled users about the scope of the location history setting, the fact that the web and app activity setting existed and also collected location information, and the extent to which consumers who use Google products and services could limit Google’s location tracking by adjusting their account and device settings.

Settlement Includes New Requirements for Google

The settlement requires Google to be more transparent with consumers about its location tracking practices. In particular, Google must:

The settlement also limits Google’s use and storage of certain types of location information. Moreover, it requires Google to make its account controls more user-friendly.

In a blog, Google said it has introduced more transparency and tools in recent years to help users manage their data and minimize the data it collects.

“Consistent with those improvements, we settled an investigation with 40 U.S. state attorneys general based on outdated product policies that we changed years ago,” it said. “As well as a financial settlement, we will be making updates in the coming months to provide even greater controls and transparency over location data.”

New Tools and Approaches Needed for Data Control

Chris McLellan is director of operations for the Data Collaboration Alliance. It’s a nonprofit focused on helping people and organizations get full control of their information.

“There’s no question that flagrant violations of data protection regulations deserve to be punished,” he said. “But there’s a larger question here that also merits attention. Does any organization anywhere – even multinational conglomerates with virtually unlimited resources – truly have the ability to control sensitive and personal data in its possession? The answer is no, and that’s in part because of the way today’s apps and systems fragment information into databases, data warehouses and even spreadsheets. These practices inevitably lead to unrestricted copying of data for the purposes of data integration. This high-profile settlement offers yet more proof that if we want real innovation without retribution in every field – think sustainability, health care, open banking, public services – we need to equip technologists with some new tools and approaches.”