Google has agreed to pay $135 million to settle allegations that it systematically harvested location data from Android users even when they explicitly disabled location tracking, marking one of the most significant privacy settlements in the technology sector’s ongoing reckoning with data collection practices. The settlement, reached with 40 states and the District of Columbia, represents a watershed moment in the battle between consumer privacy rights and the data-driven business models that have propelled Silicon Valley’s most powerful companies to unprecedented market dominance.

According to CNET, the investigation revealed that Google continued collecting location information through various backdoor methods, including Wi-Fi and Bluetooth scanning, even after users turned off their Location History settings. The multistate coalition found that Google’s practices between 2014 and at least 2019 constituted deceptive business practices, as the company failed to adequately inform users about the extent of its data collection mechanisms. This settlement follows a similar $391.5 million agreement Google reached in November 2022 with 40 states over location tracking practices, demonstrating a pattern of privacy violations that state attorneys general have increasingly targeted.

The investigation uncovered that Google’s data collection apparatus operated through multiple channels that remained active regardless of user preferences. Even when Android users disabled location services, Google continued gathering precise location data through app usage patterns, search queries, and device sensors. The company’s Web & App Activity setting, which remained enabled by default, continued collecting location information tied to users’ Google accounts, creating detailed movement profiles that proved invaluable for the company’s advertising operations.

The Architecture of Surveillance: How Google Built Its Location Tracking Empire

Google’s location tracking infrastructure represents one of the most sophisticated data collection systems ever deployed at scale. The company’s Android operating system, which powers approximately 70% of smartphones globally, provided an unprecedented platform for gathering real-time location data from billions of devices. This information became the foundation for Google’s advertising business, enabling the company to offer advertisers hyper-targeted campaigns based on users’ physical movements and behavioral patterns.

The settlement documents reveal that Google employed multiple technical mechanisms to maintain continuous location tracking. The company collected data through GPS signals, cellular tower triangulation, Wi-Fi network detection, and Bluetooth beacon scanning. Even seemingly innocuous activities like checking the weather or conducting a Google search triggered location data collection. The company’s algorithms analyzed this information to infer users’ home and work addresses, shopping habits, travel patterns, and personal interests—creating comprehensive digital dossiers that extended far beyond what most users understood or consented to.

State Attorneys General Lead the Charge Against Big Tech Privacy Violations

The multistate investigation, led by attorneys general from Oregon, Nebraska, and New Jersey, exemplifies a growing trend of state-level enforcement actions against technology companies. These officials have stepped into a regulatory vacuum created by the absence of comprehensive federal privacy legislation, wielding consumer protection statutes to challenge practices that they argue violate users’ reasonable expectations of privacy. The $135 million settlement, while substantial, represents merely a fraction of Google’s annual revenue, raising questions about whether such penalties effectively deter future violations.

Oregon Attorney General Ellen Rosenblum emphasized that the settlement goes beyond monetary penalties, requiring Google to implement significant transparency improvements. The company must now provide users with clearer information about location tracking practices, including detailed disclosures when users adjust their privacy settings. Google has also committed to displaying additional information to users about the types of location data it collects and how that information is used for advertising purposes. These transparency requirements aim to give users meaningful control over their personal information, though critics argue that complex privacy settings still favor data collection over user privacy.

The Economics of Location Data: Why Google Fought to Keep Tracking Users

Location data represents one of the most valuable commodities in the digital advertising economy. Advertisers pay premium rates for the ability to target consumers based on their physical movements, enabling campaigns that reach users when they’re near retail locations, attending events, or visiting competitors’ establishments. Google’s vast repository of location information allows the company to offer advertising products that competitors cannot match, helping maintain its dominant position in the $200 billion digital advertising market.

The economic incentives for maintaining comprehensive location tracking explain why Google designed its systems to continue data collection even when users believed they had disabled it. Internal company documents and user interface designs reveal deliberate choices that prioritized data collection over user privacy. The company’s privacy settings were structured in ways that confused users about what information was being collected, with critical options buried in settings menus and described using technical language that obscured their true purpose.

User Consent in the Digital Age: The Illusion of Control

The settlement highlights fundamental questions about meaningful consent in an era of complex digital services. Google argued that users consented to its data collection practices through terms of service agreements and privacy policies. However, state investigators found that these disclosures failed to adequately inform users about the full scope of location tracking, particularly the fact that disabling Location History did not stop all location data collection. This gap between user understanding and actual corporate practices represents a central challenge in privacy regulation.

Privacy advocates have long criticized the notice-and-consent framework that dominates privacy regulation, arguing that lengthy terms of service documents and complex privacy settings create an illusion of user control while enabling extensive data collection. The average user lacks the technical expertise to understand how their data is collected, processed, and monetized. Moreover, the power imbalance between individual users and trillion-dollar technology companies means that consent is rarely truly voluntary—users who want to access essential digital services have little choice but to accept whatever terms companies impose.

Regulatory Fragmentation and the Push for Federal Privacy Legislation

The patchwork of state-level enforcement actions and settlements underscores the need for comprehensive federal privacy legislation. While states like California, Virginia, and Colorado have enacted their own privacy laws, the resulting regulatory fragmentation creates compliance challenges for businesses and inconsistent protections for consumers. Technology companies face different requirements in different states, while users’ privacy rights depend on their geographic location rather than universal principles.

Congress has debated federal privacy legislation for years without reaching consensus. Disagreements over the scope of private rights of action, preemption of state laws, and enforcement mechanisms have repeatedly derailed legislative efforts. Meanwhile, the European Union’s General Data Protection Regulation (GDPR) has established a global standard that influences corporate practices worldwide. The absence of comparable federal legislation in the United States leaves American consumers with weaker protections than their European counterparts, despite the concentration of major technology companies in the U.S.

Corporate Accountability and the Limits of Settlements

The $135 million settlement raises important questions about corporate accountability for privacy violations. While the payment represents one of the larger privacy settlements to date, it amounts to a rounding error for a company that generated $282.8 billion in revenue in 2022. Critics argue that such penalties function as a cost of doing business rather than a meaningful deterrent. The settlement allows Google to continue operating its advertising business without fundamental changes to its business model, requiring only enhanced disclosures and minor adjustments to privacy settings.

Moreover, the settlement includes no admission of wrongdoing by Google, a standard provision in such agreements that prevents the company from facing additional liability in private lawsuits. This structure protects corporate defendants while potentially limiting accountability. Users whose privacy was violated receive no direct compensation, with settlement funds instead flowing to state treasuries. This disconnect between the victims of privacy violations and the beneficiaries of enforcement actions raises questions about whether current regulatory mechanisms adequately protect individual rights.

The Future of Privacy in Mobile Operating Systems

The settlement’s implications extend beyond Google to the broader mobile ecosystem. Apple, which has positioned itself as a privacy-focused alternative to Android, has implemented different approaches to location tracking and user consent. The company’s App Tracking Transparency framework requires apps to obtain explicit user permission before tracking them across other companies’ apps and websites. However, critics note that Apple’s own services remain exempt from certain privacy restrictions, suggesting that even privacy-focused companies prioritize their business interests.

The mobile operating system duopoly of Google and Apple means that billions of users worldwide have limited choices regarding their privacy. Both companies control the platforms through which users access digital services, giving them unprecedented power to set privacy standards—or fail to do so. The settlement may prompt other jurisdictions to scrutinize mobile operating system privacy practices more closely, potentially leading to additional enforcement actions or regulatory requirements. As artificial intelligence and machine learning systems increasingly rely on vast datasets for training and operation, the stakes of location data collection continue to rise, making effective privacy protections more critical than ever.