Google settlement heightens focus on data practices

Google's nearly $400 million settlement over user location data shows regulators want to hold companies accountable, but still need stronger legislation to do so effectively.

Google agreed to one of the largest data privacy settlements at $392 million this week over its location tracking, a slap on the wrist for Alphabet Inc., Google's parent, which reported almost $70 billion in revenue in its most recent quarter.

Still, the settlement could lead to legislation to change the types of controversial data-handling practices that got Google into trouble.

The settlement is with 40 states that began filing lawsuits in 2020 alleging Google illegally tracked users for years. According to the lawsuit, Google assured users of Android devices that they could turn their location history off at any time. However, even with location history disabled, Google could track and store users' locations by other means, including their web and app use, the states claimed.

In a blog post, Google said the settlement is "based on outdated product policies that we changed years ago." Along with paying the fine, Google said it's planning several updates in the coming months to provide users more transparency and controls over location data.

Yet some experts believe the fine and Google's commitments aren't enough to change location tracking practices at Google or other companies.

"$400 million is around 0.1% of Google's annual revenue," said Alan Pelz-Sharpe, founder of market analysis firm Deep Analysis. "More importantly, it's actually incredibly costly and complex to eliminate tracking of users once it's deployed at scale."

Legislation needed to effect change

Pelz-Sharpe said that despite the looming threat of potential lawsuits and financial penalties for location tracking practices, most companies that deploy the technology will continue to use it.

"Most will continue to do this, hope they don't get caught and issue a mea culpa if they do," he said.

Beyond lawsuits, federal data privacy legislation could serve as the method for holding companies accountable for how they collect and use data, said Caitlin Seeley George, campaigns and managing director at Fight for the Future, a nonprofit digital rights advocacy group.

Seeley George said the group is pushing Congress to pass the American Data Privacy and Protection Act (ADPPA) during the lame-duck session before new Congress members take office in January. She said Congress needs to pass legislation because "we cannot trust companies."

"The only way we'll really get the changes necessary to ensure people's privacy is respected and protected is through policy," she said. "We need federal data privacy legislation yesterday, and we need strong antitrust legislation so that we aren't limited by big tech monopolies."

The likelihood of federal data privacy legislation advancing in 2022 remains slim, with both parties torn on the exact language that should be included in such a law. The ADPPA has yet to come to a House floor vote.

Google settlement a warning for businesses

Businesses should heed Google's settlement for several reasons, including proof that regulators are starting to set standards for clear user consent -- a trend that won't stop anytime soon, according to Forrester Research analyst Stephanie Liu.

The European Union recently passed the Digital Markets Act, which requires clear user opt-in and opt-out options. Indeed, France's data protection regulator fined Google nearly $155 million for not providing clear opt-out options on its cookie banner, Liu wrote in a blog post.

In the U.S., the California Consumer Privacy Act and even the proposed ADPPA prohibit deceptive methods of receiving user consent.

"The decision goes to show that giving users the ability to opt out isn't enough if that opt-out option is complex or counterintuitive," Liu wrote. "The writing is on the wall for deceptive or manipulative design that tricks people into sharing more data than they'd intended."

Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.
