Google has come under fire after allegations it is in contravention of Europe's General Data Protection Regulation (GDPR) when it tracks its users' locations.
A group of seven European consumer organisations in the Netherlands, Poland, Greece, Norway, Slovenia, Sweden and Czech Republic have filed complaints against the Internet giant with their national data protection authorities, accusing it of forcing users to use its location tracking.
The complaints are based on new research published by Forbrukerradet, a member of European consumer organisation BEUC.
In a statement, the coalition alleged Google employed "deceptive practices" to get users to turn on its various tracking systems, and that consent was not being given freely.
It also claimed Google did not provide "straightforward information" about what surrendering the data really entailed, and "leaves consumers in the dark about the use of their personal data".
"Location data can reveal a lot about people, including religious beliefs (going to places of worship), political leanings (going to demonstrations), health conditions (regular hospital visits) and sexual orientation (visiting certain bars)," the statement added.
Gro Mette Moen, acting head of unit, digital services in the Norwegian Consumer Council, says Google is processing highly detailed and comprehensive personal data without proper legal grounds, and is acquiring that data through manipulation techniques.
He added that Google records where users go, and how they move, and this data can be combined with other information, such as what users search for, and the Web sites they visit.
"Such information can in turn be used for things such as targeted advertising meant to affect us when we are receptive or vulnerable."
Tricking users?
Google tracks its users through "Location History" as well as "Web & App Activity", settings that are integrated into all Google accounts. For those who use Android smartphones, including Samsung and Huawei phones, tracking is especially difficult to avoid.
A detailed report said there are several ways Google tricks its users into sharing their location.
Firstly, this is done through deceptive click-flow, which, when setting up an Android device, pushes users into enabling "Location History" without being aware of it. This contravenes the GDPR's legal obligations to ask for informed and freely given consent.
Next, default settings for "Web & App Activity" are hidden behind extra clicks and enabled by default.
Google also gives misleading and unbalanced information, the group claims, as users are given insufficient information when presented with choices, and are misled about the data that is being collected and how it is used. For example, information on how location data is being used for advertising is obfuscated behind extra clicks.
Then there's repeated nudging, that sees users being asked to turn on "Location History" over and over again when using various Google services, despite the fact that they opted out of this feature when setting up their device.
Finally, Google uses bundling of services, which means that should a user want a feature such as Google Assistant and photos sorted by location, Google turns on invasive location tracking automatically.
Improving services
A Google spokesperson told Reuters that "Location History" is turned off by default, and can be edited, deleted or paused at any time, but if turned on it helps improve services such as predicted traffic on a commute.
"If you pause it, we make clear that, depending on your individual phone and app settings, we might still collect and use location data to improve your Google experience," he added.
"We're constantly working to improve our controls, and we'll be reading this report closely to see if there are things we can take on board."
However, not everyone thinks this issue is a big deal. Amit Ashbel, security evangelist for data protection and compliance provider Cognigo, says: "As far as I know, Google does disable tracking by default, and it seems that this is an attempt to catch them on something that is very minor."
He added that the problem is so widely distributed that one doesn't have to look very hard to find a breach of GDPR regulation. "Most organisations today are in contravention of GDPR regulations by just not knowing where 80% of their data is, and thus not managing, protecting or being able to report on it," Ashbel concluded.
Share