Groups Urge FTC to Scrutinize Google Location Data Practices
Complaint Alleges Tech Giant Is Breaking Privacy Promises, Putting Patients at Risk
Two tech advocacy groups are pushing the Federal Trade Commission to investigate Google, alleging the company has reneged on a promise it made after the Supreme Court's 2022 overturn of Roe v. Wade to promptly delete location data about users' visits to sensitive places, such as abortion clinics.
The complaint filed Thursday by advocacy groups Electronic Privacy Information Center and Accountable Tech also claims the tech giant is violating the terms of an earlier FTC enforcement action stemming from a separate data privacy complaint filed by EPIC more than a decade ago.
In the complaint filed Thursday, EPIC and Accountable Tech allege that Google has failed to honor the public pledge it made in 2022 - and updated in 2023 - to delete location data involving users' visits to sensitive places, such as addiction treatment centers, domestic abuse shelters and abortion clinics (see: Taking Actions to Enhance Sensitive Health Data Privacy).
The groups want the FTC to investigate Google for unfair and deceptive practices in violation of Section 5 of the FTC Act and for violating an FTC consent order in 2011 that arose from EPIC's complaint against Google targeting the company's alleged mishandling of personal data in the rollout of its Google Buzz social network.
The FTC's enforcement action in the Google Buzz case prohibited the company from making privacy misrepresentations in the future, required the implementation of a comprehensive privacy program, and called for regular, independent privacy audits for 20 years.
In this latest complaint, the advocacy groups are urging the FTC to issue civil penalties, order Google to delete "wrongfully retained" location data, and order the company to halt its "unlawful" collection, disclosure and retention of personal data, including sensitive location data.
Following the U.S. high court's June 2022 ruling in Dobbs v. Jackson Women's Health Organization, rescinding the national right to abortion, Google said that it would update its location history retention practices and delete records of visits to certain sensitive medical facilities "soon after" each visit.
"Location History is off by default, but if you choose to turn it on and our systems identify that you've visited certain locations that can be particularly personal, we will delete those entries from Location History soon after you visit," Google said in a May 2023 update, clarifying its policy promise.
"To estimate where you are, we rely on several sources, like GPS and Wi-Fi, so accuracy can be impacted by a variety of factors, like whether you’re inside a building, in a dense area or underground," Google said.
Google said the deletion policy applies to certain sensitive medical facilities, including counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics and cosmetic surgery clinics. "If you visit a general purpose medical facility - like a hospital, the visit may persist," Google said.
The advocacy groups' complaint alleges that research conducted by Accountable Tech and others found that months after making its pledge, Google had failed to delete the location information as promised and that issues continue to persist.
"Accountable Tech found that while Google had scrubbed 'Planned Parenthood' from a user's Location History map, it retained the route to the clinic in four out of eight of its tests," the groups allege.
"Follow-up research published by Accountable Tech in January 2024 confirms that this failure is still ongoing even as Google recently renewed its assurances to users that their sensitive location data would be protected," the complaint alleges.
"When this information is retained by companies like Google, it can be accessed by law enforcement and can be used to profile individuals in harmful ways," the groups allege.
"These harmful practices show us why we cannot rely on pinky promises from Google to protect our most sensitive information," said Sara Geoghegan, an EPIC attorney, in a statement. "The FTC and Google have recognized the serious harms that stem from excessive data retention, and it is critical for the commission to step in to hold Google accountable for these violations."
Google in a statement to Information Security Media Group disputed the groups' allegations.
"We continue to uphold our promise to delete particularly personal places from Location History if these places are identified by our systems - any claims that we're not doing so are patently false or misguided," said Marlo McGriff, director of product for Google Maps. "This report is an inaccurate and misleading representation of our commitment and how Location History works - it does not show evidence that visits to particularly personal places are being retained."
An FTC spokeswoman declined Information Security Media Group's request for comment on the groups' allegations about Google. "I can confirm we received the complaint but we do not have any additional comment," she told ISMG.
Growing Scrutiny
The groups' complaint about Google comes in the midst of FTC enforcement actions against several other entities in cases involving the collection of sensitive data, including location and health-related information.
On Thursday, the FTC issued a proposed order banning data aggregator InMarket Media from selling or licensing any precise location data. This order settled charges that the company did not fully inform consumers and obtain their consent before collecting and using their location data for advertising and marketing.
Also, earlier this month, the FTC issued an order banning data broker Outlogic, formerly X-Mode Social, from sharing or selling sensitive location data with third parties (see: Breach Roundup: FTC Bans Data Broker From Sharing Location).
The commission over the past year or two has also taken actions against several health-related businesses - including GoodRx, BetterHelp, Premom and Flo Health - in cases involving the collection and disclosure of sensitive health and other information.
Given the FTC's enforcement actions in these and previous cases, regulatory attorney Rachel Rose predicts the agency will take up the request by EPIC and Accountable Tech to investigate their complaint.
"The FTC has the authority to do so under FTC Act," she said. "It is likely that the FTC will proceed."
The collection and disclosure of sensitive personal and health information by data brokers, health-related companies and others appears to be a hot-button issue for the FTC, whether it involves the use of web tracking or other tech tools.
The FTC and the Department of Health and Human Services over the last year have been warning telehealth companies and hospitals about potential FTC Act and HIPAA violations involving their use of web trackers that collect sensitive personal and health information and disclose it to third parties (see: Feds Publicly Name 130 Healthcare Firms Using Web Trackers).
"This is an area that will continue to receive more interest, especially with the July 2023 FTC-HHS joint letters and the anticipated updates to the HIPAA Privacy Rule," Rose said (see: Biden Administration Issues Cyber Strategy for Health Sector).