Ten consumer groups coordinated by the European Consumers’ Organization (BEUC) have accused Google of unfairly inducing consumers to open a Google Account, allowing the company to harvest large amounts of personal data.
They claim that Google is preventing consumers from protecting their privacy, which would be an unfair business practice since, under the EU’s General Data Protection Regulation, users should be offered privacy by design and by design. default.
The complaint is the latest in a growing row that sees consumer organizations taking an increasingly active role in GDPR enforcement via consumer protection complaints. The most significant recent cases concern WhatsApp and TikTok.
“It only takes one simple step to let Google monitor and exploit everything you do. If you want privacy-friendly settings, you have to navigate through a longer process and a mix of unclear and misleading,” said BEUC Deputy Director General Ursula Pachl.
The complaint points to the fact that consumers are required to create a Google account when buying a smartphone with an Android operating system, which accounts for 70% of smartphones worldwide.
“We know that consumer confidence depends on honesty and transparency. That’s why we’ve staked our future success on making controls ever simpler and more accessible and giving people clearer choices. And, equally important, doing more with less data,” a Google spokesperson told EURACTIV.
Users can “express their personalization” during account creation with a single click, signing up for what consumer advocates call “default monitoring.” In contrast, to disable “manual personalization,” users must go through five steps (and ten clicks).
For BEUC and its members, the information provided in this registration manual is unclear, incomplete and misleading, leading consumers to make choices without a transparent understanding of how their personal data will be processed.
Additionally, the complaint notes that Google portrays the less privacy-intrusive option as lacking in benefits, preventing consumers from making a free and informed choice. Google Accounts track users of all Google services, including Chrome, Gmail, YouTube, and Google Maps. Therefore, the registration process is critical to the operation of the business.
Google rejects the accusation that the options presented are unclear, pointing out that they were designed based on extensive research and feedback from website testers.
Additionally, Google notes that its approach is in line with guidance from the European Data Protection Board, which brings together all EU data protection authorities. The guidance notes that a layered approach providing granular information is considered appropriate to inform users in an accurate and understandable way.
“We welcome the opportunity to engage on this important topic with consumer rights advocates and European regulators. People should be able to understand how data is generated from their use of internet services. If they don’t like it, they should be able to fix it,” the Google rep added.
The national consumer associations lodged the complaint with their respective data protection authorities in Czechia, France, Norway, Greece and Slovenia. In Germany, a warning letter has been sent to Google which could be a first step to take legal action.
Consumer groups in Denmark, Sweden and the Netherlands have sent a letter to their national authorities alerting them to Google’s practices. Similarly, US consumer advocates from the Transatlantic Consumer Dialogue write to the Federal Trade Commission.
Under the GDPR, data protection watchdogs will have to refer to the Irish authority, as this is where Google has its European headquarters.
Google was also targeted by a series of complaints in 2018 related to how tech giants track consumer data, but the lead authority, Ireland’s Data Protection Commissioner, has yet to issue an opinion. decision on this case.
“This case is of strategic importance for which cooperation between data protection authorities across the EU must be a priority and supported by the European Data Protection Board,” underlined BEUC’s Pachl.
[Edited by Alice Taylor]