Google to Delete Billions of User Records Following Privacy Lawsuit Settlement

Google has agreed to delete and anonymize billions of records containing data from 136 million American users. This move comes as part of a settlement in a class-action lawsuit that alleged Google tracked people, including through the Chrome browser, without their knowledge or consent.

Background of the Lawsuit

The class-action lawsuit against Google was filed in 2020. Plaintiffs claimed that the company misled users and continuously tracked their online activity, even when they used private browsing modes such as Chrome’s “Incognito” mode. The lawsuit stated that websites using Google Analytics and Ad Manager collected information from browsers in Incognito mode, including web page content, device data, and IP addresses.

Plaintiffs also alleged that Google collected personal data from Chrome users and linked it to existing user profiles. Initially, Google tried to dismiss the lawsuit, citing the message displayed when users activate Incognito mode in Chrome. However, in August 2023, Judge Yvonne Gonzalez Rogers rejected Google’s motion, noting that the company never informed users that data collection continued even in Incognito mode.

Soon after, Google updated the Incognito mode warning to clearly state that data collection on visited sites would continue: “Websites you visit and their services, including Google products, can still collect data as usual.”

Settlement Details and Next Steps

In late December 2023, it was reported that Google agreed to settle the lawsuit. The settlement is currently pending approval by Judge Yvonne Gonzalez Rogers, with the next hearing scheduled for July 30, 2024.

As part of the settlement, Google has agreed to delete billions of previously collected records about users’ private online activity, update its disclosures about data collection practices, and take steps to limit the accumulation of personal data in the future. Specifically, Google will delete or anonymize personal data collected in the past and “maintain changes to Incognito mode that allow users to block third-party cookies by default.” Google will delete data older than nine months, collected in December 2023 and earlier, with the process to be completed within 275 days of the settlement’s approval.

Plaintiffs’ attorneys describe this as a “historic step requiring transparency and accountability from dominant tech companies,” and say it will “provide additional privacy for Incognito users in the future by limiting the amount of data Google collects.” According to lawyers, this means “Google will collect less data about private browsing sessions” (which are valued in the billions of dollars) and “will make less money from this data.”

No Monetary Compensation, but Future Legal Rights Preserved

Notably, the settlement does not include monetary compensation for plaintiffs. Instead, Google agreed that class members retain the “right to file individual claims against Google for damages,” which lawyers say is important given the significant damages allowed under federal and wiretapping laws.

Google maintains that it “disagrees with the legal and factual characterizations in the motion.” A company spokesperson told ArsTechnica that Google considers the data to be deleted “insignificant,” but is “pleased to resolve a lawsuit it has always considered meritless.”

“The plaintiffs originally sought $5 billion and got nothing,” said Google spokesperson José Castañeda. “We never associate data with users when they use Incognito mode. We’re happy to delete old technical data that was never linked to specific people or used for personalization.”

Technical Measures for Enhanced Privacy

Court documents note that Google initially claimed it was impossible to identify (and therefore delete) private browsing data due to how it was stored. The planned corrective measures now include deleting fields that could be used to identify users in Incognito mode, “partial redaction of IP addresses” (to prevent re-identification of anonymized user data), and removing “detailed URLs, so Google cannot determine which specific pages a user visited in private mode.”

The documents state that “retaining only part of the URL at the domain level (i.e., just the site name) significantly improves user privacy, as Google (or anyone else with access to this data) will not be able to determine exactly what users viewed.”