Consumer protection agencies from seven EU countries have now filed complaints of GDPR violations against Google for the use of misleading practices that help the company locate users' position.
The seven consumer protection organizations claim that Google "does not have a valid legal background for the processing of such location data and that, due to its misleading practices, the consent of users is not provided to their knowledge", therefore, the company violates the new General Data Protection Regulation (GDPR) introduced into force in the EU from the end of May of 2018.
GDPR complaints have been filed with the national data protection authorities in the Netherlands, Poland, the Czech Republic, Greece, Norway, Slovenia and Sweden.
"Location data can reveal a lot about people, such as religious beliefs (from places of worship), political expectations (demonstrations), health conditions (regular hospital visits) and sexual orientation (visiting some bars)," executives said today. BEUC, an umbrella that includes 43 consumer organizations from 32 European countries.
All seven GDPR complaints have been filed on the basis of the results of a report 44 pages (PDF) published today by the Consumer Council of Norway.
The aforementioned report shows how Google uses several misleading practices to track location data in Google accounts through two settings known as Location History and Web & App Activity.
The report claims Google is using these practices to push users to enable both location data monitoring features and leave them enabled.
The report lists the following practices:
Hidden default settings: When setting up a Google Account, the actual account settings are hidden behind an extra click. Users must first click on "More Options" to see what the settings are and whether they are enabled or disabled. Web and Application Activity is enabled by default, which means that users who did not click on "More Options" are unaware of this data collection.
Misleading and Unbalanced Information: every time the site history and web activity and web application settings are presented to the user, the visible information is limited to some positive examples of what the setup implies. The information that is visible often hides the extent of the monitoring that is going on and the way it is done.
Misleading Click Flow: Although Location History should be clearly enabled, the setup process and click-flow are designed to be displayed in such a way that the user is required to enable the setting.
Repeated promotion: users have to repeatedly turn off Location History in many different environments. On Android devices, users who do not wish to enable Location History must reject the setting at least four times when using different services pre-installed on Android mobile phones: Google Assistant, Google Maps, Google app, and Google Photos .
Missing options: Throughout the Google services ecosystem, separate services or functionalities are complete and co-dependent. You need to enable Location History to enable other services you may want to use, such as Google Assistant and Google Photos Places.
Permissions and settings always-on: When enabled, Location History is always active in the background on Android devices, regardless of whether the user is using a service that requires location services.
The Norwegian report was written after testing on recent Android smartphones in July (a Samsung Galaxy S7 with Android 8.0.0) and in October (on the same Samsung device and on a Google Pixel with Android 9 version). Both tests showed similar issues.
If found guilty, Google is at risk of paying a fine of 20 million or 4% of its annual global turnover.