Google fined $40M+ for misleading location tracking settings on Android


Google has been fined A$60 million (around $40M+) in Australia over Android settings it had applied, dating back around five years, which were found — in a 2021 court ruling — to have misled consumers about its location data collection.

Australia’s Competition & Consumer Commission (ACCC) instigated proceedings against Google and its Australia subsidiary back in October 2019, going on to take the tech giant to court for making misleading representations to consumers about the collection and use of their personal location data on Android phones, between January 2017 and December 2018.

In April 2021 the court found Google had breached Australia’s Consumer Law when it represented to some Android users that the “Location History” setting was the only Google account setting affecting whether it collected, kept and used personally identifiable data about their location.

In actuality, another setting — called ‘Web & App Activity’ — also enabled Google to grab Android users’ location data and this was turned on by default, as the ACCC noted in a press release today. Aka, a classic dark pattern. (Actually Google deployed nested dark patterns, plural, as we detail below.)

The regulator estimates that users of around 1.3 million Google accounts in Australia may have viewed a screen found by the Court to have breached the Consumer Law.

“This significant penalty imposed by the Court today sends a strong message to digital platforms and other businesses, large and small, that they must not mislead consumers about how their data is being collected and used,” said ACCC chair, Gina Cass-Gottlieb, in a statement.

“Google, one of the world’s largest companies, was able to keep the location data collected through the ‘Web & App Activity’ setting and that retained data could be used by Google to target ads to some consumers, even if those consumers had the ‘Location History’ setting turned off.”

“Personal location data is sensitive and important to some consumers, and some of the users who saw the representations may have made different choices about the collection, storage and use of their location data if the misleading representations had not been made by Google,” she added.

Per the ACCC, Google took steps to correct the contravening conduct by 20 December 2018, meaning consumers in the country were no longer shown the misleading screens.

At the time of the court ruling last year, Google said it disagreed with the findings and that it was considering an appeal. But, in the event, it decided to take the lumps.

(These are not as painful as they might have been if the infringements had occurred more recently: The ACCC notes that the majority of the sanctioned conduct occurred prior to September 2018 which is before the maximum penalty for breaches of the Consumer Law was substantially increased — from $1.1M per breach to — since then — the higher of $10M, 3x the value of any benefit obtained or, if the value cannot be determined, 10% of turnover.)

The Court has also ordered Google to ensure its policies include a commitment to compliance, and requirements that it train certain staff about the country’s Consumer Law, as well as to pay a contribution to the ACCC’s costs.

Google was contacted for comment on the sanction. A company spokesperson sent us this statement:

“We can confirm that we’ve agreed to settle the matter concerning historical conduct from 2017-2018. We’ve invested heavily in making location information simple to manage and easy to understand with industry-first tools like auto-delete controls, while significantly minimising the amount of data stored. As we’ve demonstrated, we’re committed to making ongoing updates that give users control and transparency, while providing the most helpful products possible.”

Dark patterns inside dark patterns

The ACCC’s press release includes some screengrabs showing Google notifications to Android users that the court found to be misleading — including three versions of Google’s Web & Activity setting screen shown to consumers setting up a Google account on their device that do not mention the word “location” at all.

Instead, on one — which appeared between April 30, 2018 and December 19 2018 — Google instructs consumers that the setting “saves your searches, Chrome browsing history and activity from sites and apps that use Google services”, before nudging them to retain a pre-selected option to “save my Web & Activity to my Google account” (aka, opt into Google’s tracking) by suggesting: “This gives you better search results, suggestions and personalisation across Google services.” But nowhere does it explain that the user is agreeing to be location tracked.

If Android users chose to try to turn off “Location History” — i.e. via a totally separate setting that did not actually enable them to prevent Google’s location tracking — they could also be shown a confusing pop-up querying their decision to “Pause Location History?”, as Google put it, warning them the decision would “limit functionality of some Google products over time”.

It’s hard to know what even the point of this was, since the setting did not empower consumers to entirely prevent Google snooping on their location, so probably it was mostly there to spread FUD.

The text in this notification concludes with a further confusing line — telling the user to “remember, pausing this setting doesn’t delete any previous activity” — and pointing them to yet more settings where Google suggests they could “view and manage this information in your Location History map”. This was presumably intended to send them down a pointless rabbit hole — while drawing their attention away from the Web & Activity setting where Google had hidden another location tracking setting.

Other versions of the Web & Activity setting which the court found to have misled Android users between early 2017 and late 2018 include one which contains a full five possible actions a user could take — a surfeit of choice obviously intended to bamboozle them into leaving the ‘on’ setting as is, since it’s so drastically unclear what anything else available on the screen means.

“If you use more than one account at the same time, some data may get saved in your default account. Learn more at support.google.com,” runs one prominent piece of cryptic Google small print — without actually hyperlinking the URL in question to send the consumer to where they might actually ‘learn more’ (or, well, quickly realize there is nothing much to learn and certainly no ‘off’ switch there).

This chunk of small print mostly appears intended to shield consumers from reading the actual description of the Web & Activity setting’s function — a setting which, remember, is defaulted to ‘on’ — since this very salient information is buried below it (and above a more eye-catching tick-box). But even here Google is not clear: Again, it does not use the word ‘location’ at all; there’s only an indirect reference to “Maps” buried in a list that foregrounds ‘faster searches’ and ‘customized experiences’ to nudge consumers to agree.

By using the name of its popular Maps product as a stand in for location Google appears to be suggesting that Android users need this setting to be on if they want to use Maps — rather than making it plain that the setting refers to its ability to track their location.

The same setting screen also includes a pre-ticked check-box next to yet more text that states: “Include Chrome browsing history and activity from websites and apps that use Google services” — so Google is seemingly unbundling tracking settings, presumably as a back-up in case one of these pre-checked settings gets unchecked, meaning it can at least grab data via the other.

After that there’s more small print, lodged under the bland rubric “data from this device”, which reads: “Control reporting of App Activity from this device”. However this text is not instantly visually linked to any setting the user is able to interact with — so anyone glancing at it might assume it’s not pointing them to an option at all and skip over it.

Airgapped below, towards the very bottom of the screen, is a hyperlinked option to “MANAGE ACTIVITY”. This text is bolder — being in ALL CAPS. So does draw the eye. Yet what even is this? Why does the user have to wade into fresh Google submenu hell to try to turn off tracking, as this option seems to be implying? Surely they can just toggle the ‘on’ switch at the top of the settings screen to do that…

Of course everything baked into this dark pattern layer cake is pushing the consumer far away from any understanding of what’s actually going on with their data in order that they give up and leave the default tracking on. Truly a masterclass in deceptive manipulative design.

Screengrab: ACCC

A big reboot?

While Google’s statement today on the ACCC sanction seeks to imply that all misleading location tracking stuff is in the past, the company is facing an ongoing investigation into the same practices in the European Union — open since February 2020 — where it could be on the hook for a more sizeable fine if it’s found to have infringed the bloc’s General Data Protection Regulation (as penalties can scale as high as 4% of global annual turnover).

Consumer watchdogs in the EU actually filed complaints about Google’s deceptive location tracking back in November 2018. So Google will still be able to claim it’s moved on — whatever the outcome.

A draft decision by Ireland’s DPA, which is leading the investigation, is expected this year — although a final decision could be pushed into 2023 since it must be reviewed by the bloc’s network of DPAs and agreement reached on any enforcement.

But there’s more — earlier this summer, European consumer rights groups filed a new series of complaints against Google — accusing the advertising giant of deceptive design around the account creation process that they say steers users into agreeing to extensive and invasive processing of their data.

The complaints highlight how many more ‘clicks’ are required by Google to let users opt out of its tracking vs handing it the keys to their data… so plus ça change right?

The plodding pace of European privacy law enforcement suggests Google can expect several years’ grace before any corrective orders land — leaving consumers exposed in the meanwhile.

But there’s some harder reform on the horizon: EU lawmakers recently agreed to include a ban on online platforms designing and deploying deceptive/manipulative and/or confusing interfaces in a forthcoming flagship update to the bloc’s digital rulebook.

The Digital Services Act (DSA) is generally intended to dial up responsibility and accountability around digital services by steering governance.

On dark patterns, much will hinge on the specifics of the DSA text, and its interpretation, clearly — and there may still be wiggle room for powerful platforms to find ways to use sharkish practices to rob consumers of their rights and agency. But a key feature of the law is it entails an active role for the European Commission in enforcement (against larger platforms — so called VLOPs).

This includes empowering the EU’s executive to step in and issue guidance on best practice in areas like interface design. Combined with a new ability to bare teeth at repeat offenders — as it gets empowered to hit VLOPs with beefy fines if they break the DSA’s rules — some of the EU’s consumer-focused regulation could, suddenly, get rather harder to ignore. (The DSA will start applying from next year.)

Penalties for breaches of the DSA can scale up to 6% of global annual turnover. So the cost and risk of stealing people’s data are certainly rising. Whether it’ll be enough to give tracking giants pause for thought — or, what’s really needed, force meaningful reform of privacy-hostile business models — remains to be seen.
