EPIC and Accountable Tech urge the FTC to investigate Google’s location data practices.
On January 18, 2024 EPIC and Accountable Tech filed a complaint with the Federal Trade Commission calling on the Commission to investigate tech giant Google for failing to promptly delete location records of users’ visits to abortion clinics and other sensitive facilities despite publicly promising it would do so. The complaint highlights Google’s long history of failing to uphold its privacy promises and the serious harms that excessive location data collection and retention cause. Research by Accountable Tech showed that Google failed to delete location data that revealed whether a user had visited an abortion clinic in 50% of the experiments. The complaint further alleges that Google’s failure to promptly delete records of users’ visits to medical facilities constitute unfair and deceptive acts and practices in violation of Section 5 of the FTC Act.
In July 2022, following the U.S. Supreme Court’s rescindment of the constitutional right to abortion in Dobbs v. Jackson Women’s Health Organization, Google announced a major policy change to its handling of location data. Google stated that if “its systems identified that a user had visited” an abortion clinic, it would “delete these entries from Location History soon after they visit.” Google’s commitment also extended to location records identifying a user’s visits to addiction treatment centers, domestic violence shelters, and other similarly sensitive facilities.
But Google broke that promise. Months later, research by Accountable Tech and others showed that Google had failed to delete the location information it had promised to. For example, Google’s systems retained search queries and directions to Planned Parenthood clinics and granular map data placing users at Planned Parenthood locations they had visited for more than a month. And the problem continues to this day: a follow-up experiment from Accountable Tech found that while Google had scrubbed “Planned Parenthood” from a user’s Location History map, it retained the route to the clinic itself in four out of eight of its tests. Although Google recently promised—again—to extend enhanced protections to users’ location data, it has yet to follow through on the deletion promise it made more than a year ago, leaving users vulnerable to privacy harms.
Google’s Unfair and Deceptive practices
The complaint asserts that Google’s personal location data practices have caused or are likely to cause substantial injury to its users because they expose users to excessive retention of their sensitive “particularly personal” location information. This information can reveal highly sensitive characteristics about a person, including whether an individual visited a medical treatment facility, domestic violence shelter, abortion clinic, fertility center, addiction treatment facility, or a surgery clinic. Google’s over collection and excessive retention of this information leaves it susceptible to law enforcement. This can lead to criminal prosecution and discourage people from seeking abortion care—a risk of substantial injury that has dramatically increased following the Dobbs ruling.
EPIC has played a leading role in developing the authority of regulators to safeguard the rights of consumers, ensure the protection of personal data, and address privacy violations. In 2010, EPIC filed a complaint with the FTC concerning Google’s mishandling of users’ personal data during the rollout of the Google Buzz social network—a complaint which the FTC credited when it announced in 2011 that it was adopting a Consent Order restricting Google’s handling of personal data.