Google will delete data collected from 'private' browsing
Declares victory in settlement of class action lawsuit, but individual claims remain possible
In hopes of settling a lawsuit challenging its data collection practices, Google has agreed to destroy web browsing data it collected from users browsing in Chrome's private modes – which weren't as private as you might have thought.
The lawsuit [PDF], filed in June 2020 on behalf of plaintiffs Chasom Brown, Maria Nguyen, and William Byatt, sought to hold Google accountable for making misleading statements about privacy.
Specifically, the search behemoth's Privacy Policy claimed that users could control the information Google collects. But, as alleged in the lawsuit, Google didn't provide the privacy it promised and implied through services like Chrome's Incognito mode.
"Despite its representations that users are in control of what information Google will track and collect, Google's various tracking tools, including Google Analytics and Google Ad Manager, are actually designed to automatically track users when they visit webpages – no matter what settings a user chooses," the complaint claims. "This is true even when a user browses in 'private browsing mode.'"
Chrome's Incognito mode only provides privacy in the client by not keeping a locally stored record of the user's browsing history. It does not shield website visits from Google. The lawsuit was filed because the language Google used at the time suggested otherwise. It also covers Google's data collection from those using private modes in other browsers.
Google tried and failed to get the case dismissed.
During the discovery period from September 2020 through March 2022, Google produced more than 5.8 million pages of documents. Even so, it was sanctioned nearly $1 million in 2022 by Magistrate Judge Susan van Keulen for concealing details about how it can detect when Chrome users employ Incognito mode.
What the plaintiffs' legal team found might have been difficult to explain at trial.
"Google employees described Chrome Incognito Mode as 'misleading,' 'effectively a lie,' a 'confusing mess,' a 'problem of professional ethics and basic honesty,' and as being 'bad for users, bad for human rights, bad for democracy,'" according to the declaration [PDF] of Mark C Mao, a partner with the law firm of Boies Schiller Flexner LLP, which represents the plaintiffs.
An email to this effect surfaced in the Justice Department's antitrust case against Google. Lorraine Twohill, chief marketing officer at Google, sent an email [PDF] in 2021 to Sundar Pichai, CEO of Google, and other executives, calling for "meaningful change" in the tech titan's privacy practices.
On December 26 last year the plaintiffs and Google agreed to settle the case. The plaintiffs' attorneys have suggested the relief provided by the settlement is worth $5 billion – but nothing will be paid, yet.
The settlement covers two classes of people, one of which excludes those using Incognito mode while logged into their Google Account:
- Class 1: All Chrome browser users with a Google account who accessed a non-Google website containing Google tracking or advertising code using such browser and who were (a) in "Incognito mode" on that browser and (b) were not logged into their Google account on that browser, but whose communications, including identifying information and online browsing history, Google nevertheless intercepted, received, or collected from June 1, 2016 through the present.
- Class 2: All Safari, Edge, and Internet Explorer users with a Google account who accessed a non-Google website containing Google tracking or advertising code using such browser and who were (a) in a "private browsing mode" on that browser and (b) were not logged into their Google account on that browser, but whose communications, including identifying information and online browsing history, Google nevertheless intercepted, received, or collected from June 1, 2016 through the present.
The settlement [PDF] requires that Google:
- inform users that it collects private browsing data, both in its Privacy Policy and in an Incognito Splash Screen;
- "delete and/or remediate billions of data records that reflect class members' private browsing activities";
- block third-party cookies in Incognito mode for the next five years (separately, Google is phasing out third-party cookies this year); and
- delete the browser signals that indicate when private browsing mode is active, to prevent future tracking.
"We are pleased to settle this lawsuit, which we always believed was meritless," declared Google spokesperson José Castañeda in a statement to The Register. "The plaintiffs originally wanted $5 billion and are receiving zero. We never associate data with users when they use Incognito mode. We are happy to delete old technical data that was never associated with an individual and was never used for any form of personalization."
Google may yet pay something. The settlement terms leave in place the plaintiffs' right to sue Google individually for damages. And according to the settlement, "a very large number of class members recently filed and are continuing to file complaints in California state court individually asserting those damages claims in their individual capacities."
The class of affected people has been estimated to number about 136 million.