Enterprise Mobility Management / BYOD , Geo Focus: The United Kingdom , Geo-Specific
Google Faces GDPR Complaints Over Web, Location TrackingSearch Giant's Pervasive Tracking Isn't Clear to Consumers, Groups Contend
Consumer organizations in seven countries plan to file complaints alleging that Google is violating Europe's data protection regulation. The challenge takes square aim at the company's lucrative targeted advertising business, which depends on a rich stream of data.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The European consumer organization BEUC said on Tuesday that seven of its members will file complaints with their EU country's data protection regulator alleging that Google violates the EU's General Data Protection Regulation.
The consumer organizations filing complaints are located in the Czech Republic, Denmark, Greece, Netherlands, Norway, Poland, Slovenia and Sweden.
GDPR, which the EU began enforcing on May 25, came about in part due to Europeans' increasing concern over third parties' data collection practices and questions about whether consumers were being fully informed about those activities.
The EU regulation gives European consumers the right to ask companies what data they hold and request that it to be deleted. Also in place is a requirement that organizations notify regulators about certain types of data breaches within 72 hours. Organizations that fail to do so can be fined up to four percent of their annual global revenue, or €20 million ($23 million), whichever is greater.
At issue in the new complaints against Google is how it obtains permission to collect the location of users, as well as their browsing data and interactions with mobile apps. Such data-gathering is enabled - or disabled - via Google's Location History and Web & App Activity settings, which apply across desktop computers as well as all Android-based mobile devices.
The BEUC alleges that Google uses confusing and contradictory language in describing these features as well as misleading menus that nudge users into enabling these features or keeping them active.
"Google's practices leave consumers very little choice other than providing their location data, which is then used by the company for a wide range of purposes, including targeted advertising," BEUC says in a FAQ. "BEUC and its members argue that these practices contradict basic principles of the GDPR, such as lawfulness, transparency and fairness of processing, and infringe on data subjects' rights such as the right to information."
'I'll Be Watching You'
Along with BEUC's announcement, Norway's government consumer body, Forbrukerrådet, released a 44-page report detailing what it contends are Google's misleading practices around Location History and Web & App Activity. It's humorously titled "Every Step You Take," a nod to the song "Every Breath You Take" by the popular British rock band The Police.
By default, Location History is disabled when someone creates a Google account, but Web & App Activity is enabled. Web & App Activity records browsing data as well as when someone opens an application on an Android phone.
Forbrukerrådet's report includes a finding that was first discovered and then reported by the Associated Press in August: Turning Location History off does not completely stop Google from collecting location data. Google apps such as Search and Maps may still continue to collect location data.
As a result of the AP's investigation and reporting, Google didn't change its practices, but it did update its description of how Location History works.
Forbrukerrådet's report contends that the design of both of the settings, however, remains "problematic," particularly when it comes to consumer awareness and consent.
Google tells Information Security Media Group that it will closely read Forbrukerrådet's report "to see if there are things we can take on board," and it notes that it's constantly working to improve its controls.
"Location History is turned off by default, and you can edit, delete or pause it at any time," the company says. "If it's on, it helps improve services like predicted traffic on your commute. If you pause it, we make clear that - depending on your individual phone and app settings - we might still collect and use location data to improve your Google experience."
The report, however, also contends that Google uses "dark patterns" to push users into either accepting default settings or other settings that benefit the company. Dark patterns refer to design practices that may be misleading or intentionally opaque.
Even though Location History is off by default, Google appears to encourage its users to turn it on through overly simplified and carefully designed user interfaces that may drive users to hit "approve." In contrast to the ease of enabling the feature, any user who wants to research what their choice might mean must undertake extra clicks or explore multiple submenus, Forbrukerrådet's report contends.
These design choices may contradict GDPR's requirement for "specific and informed" consent, Forbrukerrådet says.
"Users will often take the path of least resistance in order to access a service as soon as possible," the report says. "Making the least privacy friendly choice part of the natural flow of a service can be a particularly effective dark pattern when the user is in a rush or just wants to start using the service."
Forbrukerrådet contends that if users don't click on Location History at the start, Google keeps trying to get them to enable it. For example, the report contends that in order to keep location-tracking disabled, users must again decline it when trying to use Google's Assistant, Maps and Photos apps.
"Instead of Google taking 'no' for an answer, users have to keep making the same choice repeatedly," the report says. "This increases the chances that users turn on the setting, either by accident, because they are tired of being asked or because they believe that the services will not work otherwise."
If users enable Location History for an app, it stays on in the background and could continue to transmit location data even when someone is not using the app, the report notes. By contrast, Apple's iOS allows users to restrict an app's ability to collect location data to only when an app is being used.
Forbrukerrådet says that "the latter [iOS] practice is an example of privacy-preserving technology, while Google's solution is an all-or-nothing choice that limits the users' options."