The Google logo framed with a location data pin.

Arizona state attorney general Mark Brnovich filed a lawsuit against Google Wednesday, accusing the company of illegally collecting users' location data even after they tried to stop the tracking by adjusting Google’s privacy settings.

The lawsuit alleges that Google’s products and software siphon location information and other data without users providing meaningful consent, and that Google's complicated settings frustrate consumers’ attempts to stop the data collection. The state argues these practices violate the Arizona Consumer Fraud Act, which makes it illegal for companies to misrepresent their business practices. 

More on Data Privacy and Security

“This case concerns Google’s widespread and systematic use of deceptive and unfair business practices to obtain information about the location of its users, including its users in Arizona, which Google then exploits to power its lucrative advertising business,” the complaint says. “Google makes it impractical if not impossible for users to meaningfully opt-out of Google’s collection of location information, should the users seek to do so.”

Google defended its practices in an email to Consumer Reports. “The Attorney General and the contingency fee lawyers filing this lawsuit appear to have mischaracterized our services,” Jose Castaneda, a Google spokesperson, wrote. “We have always built privacy features into our products and provided robust controls for location data. We look forward to setting the record straight.”

The complaint is unusual in that almost half of it is redacted, a fact that Pam Dixon, executive director of the World Privacy Forum, an Oregon-based advocacy group calls “bizarre” and “maybe unprecedented,” making it hard to see in detail what evidence of wrongdoing the state of Arizona is presenting.

The complaint doesn’t specify how much money the attorney general seeks in damages, but the law allows for up to $10,000 per violation.

Why Location Data Matters

An entire industry has developed to trade and sell data about everywhere that consumers go, often on a minute-by-minute basis.

Location data can be used to infer your interests, preferences, and habits, and it can be more revealing than the things you type or “like” online. It can reveal the gym and religious institution you belong to, the political events you attend, any mental health clinic you visit, your real-world friends, and, of course, where you shop.

For instance, Google offers a service to its customers called “Store Visits,” which measures how often online ads drive consumers into physical stores. Location data is even being used to blur the lines between the internet and the real world, as location data from consumers' cell phones is being used to trigger personalized ads on digital billboards based on who’s passing by.

“Ideally, Google would just keep and retain data to deliver the services that consumers ask for. Unfortunately, Google insists on repurposing our data to target ads to us, and the controls to address that are less than ideal,” says Justin Brookman, CR’s director of privacy and technology policy.

Consumers may not realize all the ways location data is collected. It goes beyond the GPS antenna in your phone. Details like Bluetooth, WiFi, IP address, and even which cell tower your phone connects to can be used to identify where you go. 

“Google's settings are byzantine and confusing at best. People can't be expected to manage all those levers and buttons that intersect in counterintuitive ways,” says Brookman. Even if you have time to make sure you're using Google’s privacy settings correctly, keeping your location completely private involves turning off so many settings that it hampers the functionality of the phone.

Google’s location data settings came into the national spotlight after a 2018 investigation by the Associated Press found the company collects location data even when you turn off the Location History setting. To prevent the company from adding details to your location history altogether, you need to adjust another setting called Web & App Activity. But disabling Web & App Activity also turns off other features, such as the ability to save your home address in Google Maps. 

The Arizona lawsuit identifies 12 different privacy settings that affect how Google collects and uses location data. These settings can affect individual apps, devices, or an entire Google account. The task is made even harder, according to the complaint, because Google regularly updates and changes these controls.

For example, you might turn off a location setting on your cell phone without realizing a separate setting controls location data on your tablet. Even on a single cellphone, you might switch off the settings in the location services tab without realizing that the company can still get location data from WiFi information, which is controlled using two different settings in different menus, one of which isn’t clearly related to location data.

The difficulty users face in adjusting these settings “misleads and deceives users of Google's products into believing that they are not sharing location information when they actually are,” the Arizona complaint says.

New Scrutiny on Tech Companies

The Arizona lawsuit fits into a rising level of attention on how the tech industry collects and uses consumer data. 

recent study by Consumer Reports examined more than 426 apps from 15 leading internet platforms, including Amazon, Apple, AT&T, Comcast, Facebook, Google, and Verizon, and found personally identifiable information being shared with a wide variety of companies with servers all over the world, from giant tech corporations to less familiar companies such as Mixpanel, Flurry, and Taboola.

Google alone comprised at least 197 products and services (including hardware, web apps, development tools, and defunct services), with a variety of documents describing their data practices. A single document we reviewed listed more than 60 different data elements collected by Google. “It's actually hard to tell what exactly they do with that data," CR's Brookman says. "Companies typically reserve broad and vague rights to do whatever they want with your information. And they don't always say what that is.”

The lawsuit also highlights a debate over how companies influence consumer behavior through the interfaces that control our apps and devices. Privacy experts call design elements such as hard-to-find buttons and confusing menus “dark patterns” when they seem to manipulate consumers into making decisions that might not benefit them and that they often don't understand.

“Privacy settings are one tool among many, but they’re important, and ideally they nudge people towards privacy, instead of away from it,” World Privacy Forum's Dixon says. “Given that so many people rely on smartphones and location data, we absolutely have to have default settings that are written and designed in a way that’s appropriate for the people who are using them.”

Regulators are paying more attention to how technology platforms operate. Over the past year, Google agreed to pay $170 million to settle claims from the FTC and New York State that its YouTube subsidiary violated the Children's Online Privacy Protection Act, and the attorneys general of 48 states, Puerto Rico, and the District of Columbia have launched an antitrust investigation into the company.

For now, few laws regulate how companies collect and use data, and there’s no comprehensive privacy law at the federal level. The country’s strongest data privacy law so far, the California Consumer Privacy Act, went into effect this year, and legislators in other states and in Congress have introduced bills that would place some limits on how data is collected and used.

“I’m optimistic. The dialogue around privacy has matured on all sides,” says Dixon. “We’re still faced with a variety of privacy challenges, but I’m not hearing anyone say privacy isn’t important anymore. Regulators are making progress.”