Google Privacy News

Legal action reported by Ars Technica: Lawsuit: Google Gemini sent man on violent missions, set suicide "countdown"

A federal jury in San Francisco ordered Google to pay $425 million in a class- action lawsuit covering approximately 98 million users whose data was collected despite having disabled the Web & App Activity tracking setting in their Google accounts. The jury found Google continued accessing users' mobile devices to collect and save data over an eight-year period.

France's CNIL fined Google a record €325 million (€200M against Google LLC, €125M against Google Ireland) for inserting advertisements disguised as emails into Gmail inboxes without valid consent, and for placing advertising cookies when users created Google accounts without proper consent. The case originated from a complaint by privacy group NOYB.

Texas Attorney General Ken Paxton announced a historic $1.375 billion settlement with Google over violations of Texans' privacy rights, including unauthorized collection of biometric data (facial geometry, voiceprints), deceptive location tracking, and misleading Incognito mode disclosures. This was the largest state privacy settlement ever obtained against Google.

Google reversed its longstanding plan to deprecate third-party cookies in Chrome, abandoning a commitment first made in 2020. Instead, Google said it would offer users a choice prompt about cookie tracking. The reversal came after pressure from the UK's CMA over antitrust concerns and repeated delays to the original timeline.

Google settled the Chrome Incognito mode class-action lawsuit, agreeing to delete billions of browsing data records collected from users who believed they were browsing privately. Google also committed to blocking third-party cookies by default in Incognito mode for five years and rewriting its privacy disclosures. The settlement was valued at approximately $4.75 billion.

France's competition authority fined Google €250 million for using French news publishers' content to train its Bard/Gemini AI chatbot without notification or consent, and for failing to negotiate content licensing fees in good faith. This was the first major fine globally targeting a company's use of news content for AI training.

Google made Consent Mode v2 mandatory for all websites serving ads to or tracking EU/EEA users. Without implementation, Google Ads and GA4 would stop capturing data about new EEA users. The update introduced granular consent parameters for ad personalization and user data, aligning with GDPR requirements.

Alphabet agreed to pay $350 million to settle a shareholder lawsuit over the Google+ data breach. A software bug between 2015 and 2018 exposed personal data of approximately 500,000 Google+ users, and the lawsuit alleged Google concealed the breach for months while publicly touting its data security.

Google announced general availability of the Privacy Sandbox APIs in Chrome, including Topics, Protected Audience (formerly FLEDGE), and Attribution Reporting. This marked the major milestone of shipping the cookie-replacement technologies after three years of development and regulatory scrutiny.

Eight plaintiffs filed a class-action lawsuit against Google, Alphabet, and DeepMind in federal court, alleging Google scraped massive amounts of web data including copyrighted material and personal information to train Bard and other AI products, violating privacy, anti-hacking, and intellectual property laws.

Google updated its privacy policy to explicitly state it may use publicly available information from the internet to train its AI models including Bard, Translate, and Cloud AI. The change broadened the prior language from training 'language models' to training 'AI models,' sparking concern from privacy advocates and a class-action lawsuit filed on July 11.

Google announced a new policy to delete accounts inactive for two or more years, starting December 1, 2023. Inactive accounts and their data, including Gmail, Drive, Photos, and YouTube content, would be permanently deleted. Google cited security risks, as inactive accounts are more likely to be compromised.

Google agreed to a $391.5 million settlement with 40 U.S. state attorneys general over deceptive location tracking practices. The investigation found Google misled users about the scope of its Location History and Web & App Activity settings, continuing to collect location data even when users believed tracking was disabled.

Spain's AEPD fined Google €10 million for two violations: unlawfully sharing users' right-to-be-forgotten requests (including personal data) with the Lumen Project at Harvard, and obstructing citizens' right to erasure under GDPR Article 17 by making the removal process unnecessarily complex.

Google officially killed FLoC and announced the Topics API as its replacement within the Privacy Sandbox. Topics API assigns users interest categories based on browsing history and shares a limited subset with advertisers, aiming to address the fingerprinting and discrimination concerns raised against FLoC.

France's CNIL fined Google a total of €150 million (€90M for Google LLC, €60M for Google Ireland) for making it difficult for users to refuse cookies on google.fr and youtube.com. Accepting cookies required one click, while refusing them required five clicks, violating French data protection law.

Google began testing Federated Learning of Cohorts (FLoC) in Chrome 89 as its proposed replacement for third-party cookies. FLoC grouped users into behavioral cohorts for ad targeting. Privacy advocates, the EFF, and competing browsers like Brave and Vivaldi rejected FLoC, calling it a new privacy risk that enabled fingerprinting and discrimination.

Google and YouTube agreed to pay a record $170 million to settle FTC and New York Attorney General allegations that YouTube illegally collected personal information from children under 13 without parental consent, violating COPPA. YouTube was required to implement a system for channel owners to identify child-directed content.