This was shaping up to be the year of data privacy. May 25 marked the effective date for the EU’s General Data Protection Regulation (GDPR). Then California rushed to pass its own bill protecting individuals’ digital privacy. Even the Supreme Court got on board, holding in Carpenter v. U.S. that the police couldn’t obtain cell phone location data without a warrant.

 

Google, of course, is not the police. It can obtain your cell phone location data anytime.

And, as the Associated Press learned, it turns out that it does — even when users have asked it not to track or store their location data.

The AP Investigation

On August 13, the AP released an exclusive report about Google’s collection of location data for users who had turned off the “Location History” setting. It concluded that “many Google services on Android devices and iPhones store your location data even if you’ve used a privacy setting that says it will prevent Google from doing so.” In fact, an inactive Android phone sent location information to Google 340 times in 24 hours.

Three days later, Google responded — not by changing its practice, but by adjusting its policy language. It had previously claimed that “With Location History off, the places you go are no longer stored.” The revised policy vaguely explains that “some location data may be saved as part of your activity on other services.”

The Fallout

The repercussions have been immediate. One man filed a class action complaint for privacy violations on behalf of every cell phone user who turned off Google’s Location History.

To make matters worse, this isn’t the first time Google has been accused of playing fast and loose with its representations about data use and privacy. In 2011, it entered a settlement with the Federal Trade Commission (FTC) to resolve privacy violations involving Google Buzz. At that time, it agreed not to misrepresent anything regarding “the extent to which consumers may exercise control over the collection, use, or disclosure” of certain information.

Just a year later, it paid $22.5 million to resolve a charge that it violated that agreement with its cookie policy.

In the wake of the AP report, the Electronic Privacy Information Center has written to the FTC suggesting that Google has again violated the 2011 consent decree by making another misleading representation.

What Now?

As far as corporate ediscovery is concerned, this news raises two points. First, the AP report suggests that, sometimes, data that could technically be generated really might have been. Consider phrasing your external discovery requests — and your internal legal hold notifications — broadly enough to capture that data in the event that it exists.

Second, this should serve as a reminder to review your organization’s privacy policies. Ensure both that your policies comply with current regulations and that your organization follows its own policies.

With seemingly constant news about data breaches and privacy violations, consumer trust may be approaching an all-time low. Let’s go back to making 2018 the year of data privacy.