EU consumer groups accuse Google of violating GDPR with location history
The groups argue Google doesn’t sufficiently disclose how location data is being used and has not obtained consumer consent.
Characterizing smartphone location awareness as a form of “spying,” consumer groups in seven European countries are filing complaints with their respective data protection regulators against Google. The groups are all part of the BEUC network.
What happened. The groups contend that Google has violated the General Data Protection Regulation (GDPR) in terms of how it captures and uses smartphone location data. Each regulator is empowered to impose significant fines should the complaints be found meritorious. At the center of the complaints is the allegation that Google has not fully disclosed how it collects and uses location data and users have not freely consented to its use.
The BEUC’s press release says Google “uses various tricks and practices to ensure users have [location] features enabled and does not give them straightforward information about what this effectively entails. These unfair practices leave consumers in the dark about the use of their personal data. Additionally they do not give consumers a real choice other than providing their location data, which is then used by the company for a wide range of purposes including targeted advertising. These practices are not compliant with the GDPR.”
The BEUC’s discussion implies deliberate deception on Google’s part, which I think is unwarranted. However, Google has generally not done a good job of educating people about how it captures and uses location, which fuels this suspicion.
Similar to U.S. controversy. The claims at the center of the EU consumer complaints are identical to those raised not long ago in an AP story in which Google was similarly accused of tracking user location even when location history was turned off, through “Web & App Activity.”
Location is one of the key features of the smartphone, allowing users’ experiences to be tailored based on where they are and what they appear to be doing. It’s also used for ad targeting and offline attribution. But location data can be abused if privacy protections are not in place. The BEUC is pointing out hypothetical abuses, but that doesn’t mean such data isn’t already being used for questionable purposes. China, for example, is building a database of all its citizens to track and monitor them, demonstrating the malevolent applications of technologies such as smartphone location and facial recognition.
Earlier this month, in a similar case involving user location, the French data protection authority said that mobile advertising company Vectaury had violated GDPR consent rules by collecting location data in the background through SDKs and ad exchanges. The French regulator gave the company three months to change its consent practices to come into compliance with GDPR.
What’s at stake for marketers. Location data is extremely valuable to the ecosystem and stricter privacy rules, which now exist in Europe and soon will exist in the U.S., threaten the free flow of that data. There’s no way around more explicit disclosures and (in Europe) consent for secondary uses of location. Google will almost certainly be compelled to make changes to its policies and language.
More importantly, the industry in the U.S. needs to educate consumers about location data, how it’s used and assure them that personal information is safeguarded. If companies reliant on location data — which now includes retailers, large agencies and an increasing number of CPG brands — fail to do this there will be a significant consumer (and regulatory) backlash that will further undermine already fraying trust in large internet companies.