A court case in the US over allegations that Google collected app-based activity and other information about users, even when they had opted out, has spread to SA, raising privacy concerns about how the search giant used South Africans’ activity.
In September 2025, a jury found Google liable on two California privacy claims and awarded $425.65 million in compensatory damages in the Rodriguez et al vs Google class action. Media reports indicate Google has denied the allegations and says it will appeal the ruling, meaning the litigation is not yet final and no compensation is currently being distributed.
The plaintiffs have been broadly defined as “all individuals” who, between July 2016 and September 2024, had Google’s ‘Web & App Activity’ settings turned off but whose activity on third-party mobile apps was allegedly still transmitted to Google. Court filings and reporting on the case have estimated the class at approximately 98 million users and 174 million devices.
A court-authorised notice relating to the class action landed in this journalist’s inbox over the weekend, stating that Google’s records indicate she may be a class member in litigation over the company’s Web & App Activity privacy controls.
The notice arrived shortly before Google e-mailed users about changes to its privacy controls, saying it was splitting Web & App Activity into separate settings for Search services and Google Play, with users’ existing preferences carrying over to the new controls.
We told you
Four Google users sued the search giant, claiming it had continued collecting information about what they were doing in apps on their phones even after they had switched off Google’s activity-tracking settings, according to the court-authorised settlement website googlewebappactivitylawsuit.com.
The lawsuit focused on data transmitted through Firebase and Google Mobile Ads software development kits (SDKs) – tools embedded in millions of apps for analytics, advertising and app functionality.
Plaintiffs argued that activity from non-Google-branded apps continued to be sent to Google despite users disabling the relevant settings. Google has denied wrongdoing and argued that users had received disclosures about data collection and that questions of consent varied between individuals.
Although the class is not defined by Gmail use, Google’s reach in South Africa is extensive, with Gmail use at 65.5%, according to worldpopulationreview.com, and Android dominating the local smartphone market at a minimum of 75%, according to StatCounter.
When off isn’t off
Jacqui Muller, Belgium Campus iTversity researcher and PhD candidate in computer science, explains that the case hinges on whether users can trust privacy controls to do what they say they will do.
“The finding suggests that turning off a user-facing setting may not be enough if data continues to move through embedded SDKs, advertising libraries or analytics services.”
Muller explains the case underscores the complexity of modern apps, where third-party analytics, advertising and software tools can continue transmitting information despite users disabling tracking controls.
For South African organisations, the lesson is directly relevant under POPIA, she adds. Organisations using third-party technologies need to understand what information is being collected, why it is being collected, where it is being sent and whether users have been given a meaningful choice over that processing.
“The risk is not only legal exposure, but reputational damage when users discover that ‘off’ did not necessarily mean ‘off’,” she says.
Under POPIA, Muller says, consent and legitimate purpose should not be limited to privacy notices and legal wording but should also be reflected in the technical configuration of the systems involved.
SA’s own battles
The issues raised by the Google litigation echo concerns previously raised by South Africa’s Information Regulator regarding how technology companies collect, process and share personal information.
WhatsApp was found to have breached POPIA when it updated its privacy policy in 2021. Following an April 2025 enforcement order, WhatsApp initiated legal action to have the regulator’s decision set aside.
In the WhatsApp enforcement notice, the regulator says: “It is important to note that where consent is given, it should be an informed, specific and voluntary expression of a data subject’s free will,” adding that “consent was made a condition of the service by WhatsApp. This cannot be deemed as voluntarily.”
In November, advocate Pansy Tlakula, chairperson of the Information Regulator, said the parties had reached a settlement that would see the instant messaging service introduce several enhancements around transparency for South African users.
Muller says one of the challenges is that it is difficult to govern technology by law. “From a technical perspective, if I was on the Google side, I would literally just change my terms and conditions and include the clause, and if you don’t like it, every time I change my terms and conditions, you’ve got to opt out.”
The Google case also serves as a reminder for users to understand what information may be shared when they sign into third-party services using their Google accounts, as well as how frequently technology companies update privacy policies and terms of service, adds Muller.
Share
