PRESS RELEASE: EPIC, Accountable Tech Urge FTC to Investigate Google’s Failed Promise to Delete Sensitive Location Data
January 18, 2024
In a complaint filed today, the Electronic Privacy Information Center (EPIC) and Accountable Tech called on the Federal Trade Commission to investigate tech giant Google for failing to promptly delete location records of users’ visits to abortion clinics and other sensitive facilities despite publicly promising it would do so.
Google retains and processes vast troves of personal information collected through its many applications, programs, and partners. This includes massive amounts of location data, which can reveal sensitive details about a person—including health information like whether and when a person visited a doctor’s office, an addiction treatment center, or an abortion clinic. When this information is retained by companies like Google, it can be accessed by law enforcement and can be used to profile individuals in harmful ways.
In July 2022, following the U.S. Supreme Court’s rescindment of the constitutional right to abortion in Dobbs v. Jackson Women’s Health Organization, Google announced a major policy change to its handling of location data. Google stated that if “its systems identified that a user had visited” an abortion clinic, it would “delete these entries from Location History soon after they visit.” Google’s commitment also extended to location records identifying a user’s visits to addiction treatment centers, domestic violence shelters, and other similarly sensitive facilities.
But Google broke that promise. Months later, research by Accountable Tech and others showed that Google had failed to delete the location information it had promised to. For example, Google’s systems retained search queries and directions to Planned Parenthood clinics and granular map data placing users at Planned Parenthood locations they had visited for more than a month. And the problem continues to this day: a follow-up experiment from Accountable Tech found that while Google had scrubbed “Planned Parenthood” from a user’s Location History map, it retained the route to the clinic itself in four out of eight of its tests. Although Google recently promised—again—to extend enhanced protections to users’ location data, it has yet to follow through on the deletion promise it made more than a year ago, leaving users vulnerable to privacy harms.
“Google’s personal location data practices have caused or are likely to cause substantial injury to its users because they expose users to excessive retention of their ‘particularly personal’ information that can reveal highly sensitive information about them, including whether an individual visited a medical treatment facility, domestic violence shelter, abortion clinic, fertility center, addiction treatment facility, or a surgery clinic.,” EPIC and Accountable Tech’s complaint explains. “The ability of law enforcement to access such data can lead to criminal prosecution and unduly discourage individuals from seeking vital health care services—a risk of substantial injury that has dramatically increased following the Dobbs ruling.”
The complaint calls on the FTC to investigate Google for unfair and deceptive practices in violation of Section 5 of the FTC Act and for violating the 2011 FTC Consent Order arising from Google’s previous mishandling of personal data in the rollout of the Google Buzz social network. EPIC and Accountable Tech are urging the FTC to impose civil penalties, order Google to disgorge wrongfully retained location data, and enjoin Google’s unlawful location data practices.
“These harmful practices show us why we cannot rely on pinky promises from Google to protect our most sensitive information,” EPIC Counsel Sara Geoghegan said. “The FTC and Google have recognized the serious harms that stem from excessive data retention, and it is critical for the Commission to step in to hold Google accountable for these violations.”
“Google can’t have it both ways. If the company wants the reputation of being strong on privacy protection, it must live up to its commitments – not merely pay them lip service,” said Kaili Lambe, Policy and Advocacy Director at Accountable Tech. “But over and over again Google has broken its promises, risking the personal data of the people who rely on its services. Google can’t be trusted, which is why we’re asking the FTC to investigate.”
EPIC is a public interest research center in Washington, DC. EPIC was established in 1994 to focus public attention on emerging civil liberties issues and to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. EPIC has played a leading role in developing the authority of regulators to safeguard the rights of consumers, ensure the protection of personal data, and address privacy violations. In 2010, EPIC filed a complaint with the FTC concerning Google’s mishandling of users’ personal data during the rollout of the Google Buzz social network—a complaint which the FTC credited when it announced in 2011 that it was adopting a Consent Order restricting Google’s handling of personal data.
Accountable Tech is a nonpartisan, nonprofit organization that advocates for structural reforms to repair our information ecosystem and foster a healthier and more equitable democracy.