Noyb, an Austrian advocacy group, has filed a complaint against Google for allegedly collecting users’ data without appropriately asking for consent and being non-transparent with its advertising practices in the EU.
The complaint filed with the Austrian data protection authority concerns Google’s Privacy Sandbox API, introduced in 2023. In 2020, Google pledged to phase out third-party cookies, which collect data from websites for targeted advertising in Chrome, citing privacy concerns.
It said it would replace this current system with Google Privacy Sandbox, which aims to “protect people’s privacy online and give companies and developers tools to build thriving digital businesses.”
While third-party cookies have not been phased out completely, the Sandbox API was made available to users. It aims to replace third-party cookies, the most common tracking technology, with what Google calls “topics.” These ‘topics’ consist of various advertising categories.
Google classifies its users based on their behavior on Chrome. Thus, the lawsuit noted that the Sandbox API still allows Google to track user behavior. The Electronic Frontier Foundation explained, “The idea is that instead of the dozens of third-party cookies placed on websites by different advertisers and tracking companies, Google itself will track your interests in the browser itself, controlling even more of the advertising ecosystem than it already does.”
What does the lawsuit allege?
Google deceived users:
The complaint accused Google of deceiving users and marketing Sandbox API as a “privacy feature” rather than clarifying that Chrome was asking for consent to have its browser track users. It claimed that using terms like “protect,” “limit,” and “privacy features” on the banner asking for consent was intentionally misleading.
A press release by Noyb refuted Google’s argument that the new Privacy Sandbox is less invasive than third-party tracking systems. Max Schems, Honorary Chairman of Noyb said, “Google has simply lied to its users. People thought they were agreeing to a privacy feature but were tricked into accepting Google’s first-party ad tracking.
Also Read: Why Data Quality Matters for Business Success
Google used dark patterns:
The General Data Protection Regulation (GDPR) and Google’s designation as a ‘very large online platform’ under the Digital Services Act (DSA) require Google to ask users for their consent before collecting their data in the EU. This requires presenting a pop-up that allows users to consent to sharing their data. However, the advocacy group claimed that Google manipulated users into consenting to share their data by using dark patterns.
It noted that Google conducted ‘A/B testing’- testing two variants of the same web page to compare which variation got more positive feedback. It is alleged that this process allowed Google to optimize its prompts to get more people to agree to the collected data.
Google is not being transparent with the data being collected:
The complaint also alleged that Google intentionally demonstrated topics like “sports, music and film” to imply that the data collected was generic, as opposed to demonstrating topics and sub-topics like “/Jobs & Education/Jobs/Job Listings/Government & Public Sector Jobs” and “/Finance/Credit & Lending/Credit Reporting & Monitoring”, which are much more granular based on far more personal data.
Further, through a banner, Google informs users that their data will be used for “site suggested ads” and “ad measurement.” A banner entitled “Other ad privacy features now available” explains to users that their data can be used- to show them ads based on the sites they visited and for advertisers to measure the performance of their ads. Users are only provided with a ‘Got it’ or settings option. However, these are turned on by default unless the user goes to the settings and manually disables them. Noyb argued that this is another aspect of data collection where user consent is required, yet Google does not present the choice for users to opt out of this data collection.
Thus, based on these allegations, Noyb argued that Google violates Article 5(1)(a) and Article 6(1)(a) of the GDPR, which are “Fairness and Transparency “ and “Consent as a Legal Basis,” respectively.
Previous criticisms of Google’s Privacy Sandbox:
In 2021, the UK’s Competition and Markets Authority (CMA) began investigating Google’s proposal to remove third-party cookies from Chrome browsers. The CMA claimed that the new model would hamper “the ability of publishers to generate revenue and undermine competition in digital advertising, entrenching Google’s market power.”
Thus, to address advertisers’ concerns, Google committed to developing standards to enhance privacy and preserve competition under the CMA and the UK’s Information Commissioner’s Office (ICO) in “The Privacy Sandbox initiative.”
Also Read: Web Scraping for AI Training: Can it Comply with GDPR?
In April 2024, Google said it would delay phasing out third-party cookies until early 2025. It said, “We recognize ongoing challenges related to reconciling divergent feedback from the industry, regulators, and developers, and will continue to engage closely with the entire ecosystem. It’s also critical that the CMA has sufficient time to review all evidence, including results from industry tests, which the CMA has asked market participants to provide by the end of June.”
