The six examples form the backbone of a report from the European Consumer Organization (BEUC) that alleges Google has broken the EU’s strict GDPR regulations by using “deceptive practices” to trick users into enabling its location tracking services. As BEUC wrote in a blog post:
Location data can reveal a lot about people, including religious beliefs (going to places of worship), political leanings (going to demonstrations), health conditions (regular hospital visits) and sexual orientation (visiting certain bars).
The report shows that Google uses various tricks and practices to ensure users enable these tracking features and does not give them straightforward information about what this effectively entails.
BEUC says these are the six main ways Google tricks its users:
- Hidden default settings: When setting up a Google account, the actual account settings are hidden behind extra clicks. Users first have to click “More options” to see what the settings are, and whether they are enabled or disabled. Web & App Activity is enabled by default, meaning that users who did not click “More options” will not be aware that this data collection is happening.
- Misleading and unbalanced information: Whenever the Location History and Web & App Activity settings are presented to the user, the clearly visible information is limited to a few positive examples of what the setting entails. The information that is visible often also trivializes the extent of tracking that is going on, and how it is used.
- Deceptive click-flow: Although Location History has to be “actively” enabled, the set-up process and click-flow is presented and designed in a way that the user is compelled to enable the setting.
- Repeated nudging: Users are repeatedly asked to turn on Location History, in many different contexts. On Android devices, users that do not wish to enable Location History have to decline the setting at least four times when using different services that are preinstalled on Android phones: in Google Assistant, Google Maps, Google app, and Google Photos.
- Bundling of services and lack of granular choices: Throughout the Google ecosystem of services, separate services or functionalities are integrated and codependent, or simply bundled together. Enabling Location History is required in order to enable other services that users may want to use, such as Google Assistant and Google Photos Places.
- Permissions and always-on settings: When enabled, Location History is always on in the background on Android devices, regardless of whether the user is actively using a service that requires location services.
BEUC’s complaints have been registered with national data protection authorities. If Google is found to have broken GDPR rules, it could be fined up to 4% of its global revenues, which would be over $4 billion according to its 2017 revenues.