A court has ordered Google to pay $425m in a class action lawsuit after it was found to have misled users about their online privacy.

In July 2020, Google user Anibal Rodriguez filed a lawsuit against the search giant, arguing that it misled users with its “Web & App Activity” setting. The setting was supposed to stop Google collecting data about users’ activities online and in apps.

In reality, Google continued to collect data about how people were using their apps, even after they had switched off data collection in the Web & App Activity setting. Although it said that it was anonymizing that data.

The company collected this information via Firebase, a database that it uses to monitor activities across 1.5 million apps for analytics purposes which operates separately to the Web & App Activity setting. It’s reportedly in 97% of the top thousand Android apps, and 54% of leading iOS apps. Google harvested data from apps including Uber, Venmo, Shazam, the New York Times, Duolingo, and Instagram.

This arrangement created a dual data collection system. It misled 98 million Google users into thinking that their actions were completely private, argued the case, which became a class action suit.

Google’s lawyers protested that users were properly informed about how the company collects information and what it does with it. They pointed out that when confirming their choice, Google displays an “Are You Sure?” prompt that lets them check on what information Google collects, according to Bloomberg Law.

This clearly didn’t resonate with jurors, one of whom said after the verdict that Google needed to be clearer in how it communicated its data handling to its users. They’re generally “skimmers, not readers” he said.

Plaintiffs originally asked for $31bn in damages, but the amount awarded is far less, equating to around $4 per user.

Nevertheless, Google plans to appeal. “This decision misunderstands how our products work,” its spokesperson Jose Castaneda reportedly said. “Our privacy tools give people control over their data, and when they turn off personalization, we honor that choice.”

A history of questionable tactics

This isn’t the first time that Google has been found guilty of misleading users. In February 2023, it agreed to pay $392m in a settlement with 40 states for storing users’ locations when it told them it wouldn’t. It coughed up another $40m in a separate arrangement with Washington state later that year and also settled with Arizona for $85m.

In December 2023, the search giant also settled in a class action over alleged misleading language in its incognito mode service, which promised not to collect data about browsing activity but actually did. It deleted records costing it at least $5bn to settle that claim, but didn’t pay damages to users. However, in May this year it settled with Texas to pay $1.38bn to resolve the state’s own claims in the location and incognito mode affairs.

One interesting snippet is that Google has a habit of internally playing down its privacy claims because it knows that explaining exactly what it keeps might alarm users. In a ruling that denied a motion to dismiss the Web & App Activites-related case in January, district judge Richard Seeborg said:

“Internal Google communications also indicate that Google knew it was being ‘intentionally vague’ about the technical distinction between data collected within a Google account and that which is collected outside of it because the truth ‘could sound alarming to users.'”

Google executives had also privately discussed the need to soften up the privacy language in the company’s services to avoid alarming users of incognito mode. The message here to Joe and Jane Public is even clearer now than it was before; take privacy claims from big tech vendors with the skepticism they deserve, and adopt the ‘mom rule’ when dealing with them: never let them see anything you wouldn’t want them to know.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.