top of page

Google Pays Up for Alleged Privacy Violations

*The views expressed in this article do not represent the views of Santa Clara University.

Credit: Mitchell Luo | Unsplash

In October, Arizona’s Attorney General Mark Brnovich announced an $85-million-dollar settlement with Google for allegedly tracking and using users’ geolocation information with the “deceptive and unfair” purpose of selling advertisements. The settlement marks Google’s “largest amount fined per capita” in response to a privacy- or consumer fraud-focused action.

The settlement stems from Republican Brnovich’s 2020 suit against Google for its alleged deceptive business practices and the company’s coercive product-design tactics built into its consumer-facing applications. Brnovich accused Google of collecting and using consumers’ geolocation information in order to amplify its advertisement revenue, even after consumers disabled their location history, through Google’s alleged collection of such data through the user’s web and application activity. As of 2021, the majority of Google’s revenue came from its advertising services offered on its search and map functions.

The $85-million-dollar fine in Arizona comes after Google settled with Illinois residents this summer for $100 million in response to a class action lawsuit that claimed Google violated the Illinois Biometric Information Privacy Act (“BIPA”) in its face-grouping tool. The tool automatically identifies a user’s face in the photos and videos uploaded by the user to Google Photos.

Google is now required to post a notice about the face-grouping tool’s collection and use of a user’s facial-structure data, but will it post such notice only to Illinois-based users? Or will Google develop and implement a widespread notice regardless of users’ geographic location? While Illinois is the only state with a biometric privacy law that provides a private right of action, Texas and Washington also have codified biometric-privacy laws, and several states introduced such bills during their 2022 legislative sessions. As the privacy landscape continues to evolve, it is worthwhile for entities to examine their use, collection, or transfer of biometric data.

Business Implications

While BIPA is one of the most stringent privacy laws concerning biometric data to have been codified, it only safeguards the rights of Illinois residents as its scope is limited to companies operating in Illinois. Although BIPA does not apply in Arizona where the $85-million-dollar fine occurred, it can undoubtedly be viewed as a step in the right direction for other states to soon follow suit. Correspondingly, Texas had introduced its biometric privacy law in 2009 soon after BIPA was passed in 2008. Ironically, Texas also filed suit against Google last month, alleging that Texans’ facial and voice recognition information was collected without users’ explicit consent.

The statutory language in BIPA emphasizes the increased risk and consequences inherent in biometrics given its nature of being biologically unique to each individual, unlike other forms of unique identifiers like social security numbers which can be changed when compromised. Arizona is yet an additional example of how states without stringent biometric privacy laws like BIPA, can still go after tech companies who engage in ‘deceptive and unfair practices.’ Based on the current trend, states seem to turn to applying their version of Section 5 of the Federal Trade Commission Act (FTC Act) that prohibits ''unfair or deceptive acts or practices” in commerce, as an alternative to ensure they can still safeguard residents’ rights.

State laws regarding biometric privacy laws are determinative. Illinois’ version of the law in BIPA permits individuals to sue companies directly while in stark contrast, the state must be the one to sue companies on behalf of its consumer residents in Texas. The privacy lawsuits filed in Arizona, Illinois, and Texas respectively concerning biometrics make evident that the stringency of a state’s privacy laws has a drastic effect on how global corporations can be precluded from the mining biometric information for profit.


bottom of page