Google’s “deceitful” location tracking is against the law, say 7 EU groups

The row over Google’s location tracking has spread to Europe.

Consumer organizations from across the region said this week that they will complain about Google’s location tracking activities to their data protection authorities, alleging that it is breaching the General Data Protection Regulation (GDPR).

BEUC, an umbrella group of 43 European consumer organizations, said that Norway, Netherlands, Greece, Czech Republic, Slovenia, Poland and Sweden will all file complaints.

They’re basing their gripes on a report from the Norwegian Consumer Council (Forbrukerrådet) called Every Step You Take that explains what Google is doing and why they think it might be flouting Europe’s privacy laws.

Monique Goyens, Director General of The European Consumer Organisation, summed up the complaints in a statement on the BEUC site:

Google’s data hunger is notorious but the scale with which it deceives its users to track and monetise their every move is breathtaking. Google is not respecting fundamental GDPR principles, such as the obligation to use data in a lawful, fair and transparent manner.

The report takes a deep dive into Google’s location tracking activities. The company tracks you in two ways, according to the research: Location History and Web & App Activity.

Alongside basic data such as where you went and what mode of transport you took to get there, Location History also stores other data in the background, such as barometric pressure, nearby Wi-Fi hotspots and even your battery level. Google says that this is a voluntary, opt-in feature.

Web & App Activity is enabled by default, and tracks what you do on Google sites, apps and services. This includes searches and location, so if you googled “Krispy Kreme” in downtown San Francisco without deliberately turning off that setting, the Googleplex would know of your doughnut hankerings. All this data is used for advertising.

Closing the loop

Aside from knowing more about how Google stalks you, the report is a compelling read for anyone interested in what companies can do with this data. It describes a process called “closing the loop”, in which companies can combine location data with other information such as browsing history, social network activity and shopping habits. If a company can connect that data with your location, it can deduce things about you, such as whether an ad worked on you or not, and whether it should show you more of them.

Then, there’s the data about the places you visit. If you spend an hour at a health clinic or regularly frequent a bar, then companies can make assumptions about you and add those to your profile.

You can find these location settings in your phone and make sure they’re off if you look hard enough, so what is Forbrukerrådet’s beef with the search and advertising giant? It’s the “look hard enough” part that has the Council’s hackles up. It thinks the company is being deliberately circumspect with users.

“Deceptive design”

The report, subtitled ‘How deceptive design lets Google track users 24/7’, accuses the company of hiding default settings from users setting up their Google accounts, requiring that they click “more options” to find them. Because Web & App Activity is turned on by default, this means they may not be aware it is tracking their location, the report points out.

The report draws particular attention to the differences between Android and iOS…

 

… and on Android the set up process also uses blue buttons that look similar but display different options such as ‘Next’ and ‘Turn on’, the report warns. This means that users must be very attentive to avoid accidentally turning on location history during the setup process, it adds.

Forbrukerrådet believes that this may violate consent provisions under GDPR by persuading users to enable Location History without being aware of what it entails. It also argues that Google’s repeated nudging of Android users to turn on Location History when using other Google services amounts to pressuring the user, which it says could contravene consent rules under GDPR.

For example, turning on Google Assistant also prompts Android to ask you to turn on Location History, and Google doesn’t make it clear that Google Assistant will still work if you turn it off again.

The company also hides the negative implications of location tracking behind other links, while making the positive benefits more obvious, the report complains. And when users do click through to find out more, Google downplays the implications of the location tracking.

This may contravene GDPR if it can be shown that Google is hiding or obscuring the true nature of its location data usage sufficiently to violate GDPR’s rules around “specific and informed” consent, the report asserts.

The Web & App Activity tracking is turned on by default, so under GDPR rules Google can’t claim that the user has given consent, the report says. Instead, Google would have to rely on legitimate interest as its justification for gathering that data. However, the report points out that legitimate interests must be transparent and real. Hiding this information behind extra clicks could put Google in violation, it warns.

This isn’t the first tussle that BEUC and Forbrukerrådet have had with Silicon Valley. In June, Forbrukerrådet published a report on what it calls Dark Patterns, describing how it thinks tech firms mislead us with interface design choices. A lot of the same claims crop up in this report.

For its part, Google is already facing a class action lawsuit over its location tracking activities in the US.

Users can check what data Google has collected by going to https://myaccount.google.com, and clicking My Activity. You can also delete all or certain data and, by going to Activity Controls, turn on or off particular tracking services.