EU Privacy Group Says Location History Requirement for Google Assistant Features Violates GDPR Protections
The European Consumer Organization (BECU) has announced a formal complaint will be filed against Google for breaching the General Data Protection Regulation (GDPR) related in part to the Google Assistant requirement that location history must be active to features. Research by Forbrukerrådet, a Norwegian consumer organization and member of BECU, claims that:
“Google deceives users to provide access to their location data…Google is using deceptive design, misleading information and repeated pushing to manipulate Android users into allowing constant tracking of their movements. BEUC and its members argue that what Google is doing is in breach of the GDPR.”
Complaints will be filed with national data protection authorities by BECU affiliated consumer organizations in the Czech Republic, Denmark, Greece, The Netherlands, Norway, Slovenia, and Sweden. A consumer organization in Germany is also considering whether to seek an injunction of some sort, but it is unclear whether that would seek to curtail all location data services provided by Google, many of which are very popular. An FAQ document related to the announcement gets to the core issue by alleging “Google’s practices leave consumers very little choice other than providing their location data, which is then used by the company for a wide range of purposes including targeted advertising.”
Google Assistant Gets Special Attention
Most of the findings in question relate to default settings or how location services are presented to the user. For example, the complaint alleges “unbalanced information” such as location permission dialogue boxes only presenting the benefits of using location services. One area there seems to be concern about is targeted advertising. A negative example offered is “someone who regularly goes for runs could be offered lowered [insurance] premiums or be targeted by advertisements for sporting equipment.” It is not clear why the organization believes discounts would be viewed negatively by the consumer, but we can surmise the argument could be made stronger by discussing unwanted ad targeting.
“Repeated nudging” also gets called out as an issue. Google Assistant, Google Maps, Google app, and Google Photos all require a user to decline location history tracking when first launching the apps. It is unclear what value Google Maps would provide without active location services, but it could be useful without location history and the other apps have value irrespective of location. The complaint goes further to single out Google Assistant saying that “Enabling Location History is required in order to enable other services that users may want to use, such as Google Assistant and Google Photos Places.” Again, there are clearly services within Google Assistant that do require location services to function or benefit from location history, but it is not clear how Google Photo Places could work at all without location.
Targeting Deceptive Design for Regulation
There is also concern expressed about “deceptive design” in the use of what are known as dark patterns. This is the practice of using a specific color such as a blue button for “continue” steps like benign set-up flows as well as for accepting location tracking and other permissions. These dark patterns are a common practice in mobile apps and on the web that seek to establish consumer habits around clicking certain button designs and funneling users into a choice preferred by the publisher. Is there a compelling case for governments to regulate mobile app button design even when clear information about the permission is presented to the user? It seems like overreach, but dark patterns are also a nuisance and unnecessary manipulation so this should be an easy concession by Google.
A Google representative told Information Security Media Group that the company will review the findings to determine “if there are things we can take on board.” The representative went on to say:
“Location History is turned off by default, and you can edit, delete or pause it at any time. If it’s on, it helps improve services like predicted traffic on your commute. If you pause it, we make clear that – depending on your individual phone and app settings – we might still collect and use location data to improve your Google experience.”
Will Governments Regulate Voice Assistants?
This will be an interesting test of GDPR and how broadly regulators intend to interpret protections. Would default settings with location history activated be deceptive? Is Android’s current default of not enabling location history sufficient consumer protection? Is it worse to have default location settings as deactivated, but offer permissions to activate these settings that some users may misinterpret? Should app publishers be required to state potential negative outcomes of persistent tracking no matter how unlikely their occurrence? If so, what should be included? Should location services and location history be separate permissions? Is targeted advertising really a bad outcome for users if they receive more offers that save them money on goods and services?
The scope of the questions and potential regulation are substantial. Consumers typically choose convenience in-the-moment over abstract privacy concerns. The question appears to be whether the EU will use to GDPR to restrict some conveniences to curtail targeted advertising. In turn, this may have an impact on how effective voice assistants are at meeting consumer needs or at least determine the boundaries of their benefits. One of the looming conflicts of our age is whether free products that generate revenue based on consumer data should be permitted or if it would be better to regulate the market and force consumers to pay for the services they use.
The research was conducted during July 2018 on a Samsung Galaxy S7 running Android version 8.0.0 and replicated in October 2018 on a Google Pixel running “Android version 9.” You can read the full FAQs about the forthcoming complaints here.