Texas Accuses Google of Geolocation, Incognito Mode, and Biometric Violations
Texas has finalized a settlement of nearly $1.4 billion with Alphabet, the parent company of Google, following allegations that the tech giant breached state privacy laws. The accusations stem from alleged violations involving geolocation tracking, incognito browsing, and biometric data collection.
Texas Attorney General Ken Paxton initiated two lawsuits against Google in 2022, claiming that the company had improperly utilized facial and voice recognition technologies in its products without securing proper consent. The Attorney General further alleged that Google misrepresented the privacy assurances of its Chrome Incognito mode while continuing to track users’ locations, despite being instructed to disable geolocation features.
In his statement, Paxton remarked, “For years, Google secretly tracked people’s movements, private searches, and even their voiceprints and facial geometry through their products.” He described the $1.375 billion settlement as a significant victory for the privacy rights of Texas residents, signaling that violations of trust would incur financial penalties.
While Alphabet, headquartered in Mountain View, California, reported a revenue increase of 14% to $350 billion in 2024, the company stated that steps had already been taken to address Texas’s concerns, asserting no admission of wrongdoing. “This agreement resolves a series of outdated claims, many of which have been previously addressed,” Google spokesperson José Castañeda commented.
Similar legal actions by other states have yielded settlements; however, none have reached the scale of Texas’s recovery. Notably, a multistate coalition involving 40 states achieved a settlement of $391 million, significantly less than Texas’s amount.
The lawsuit journey began in January 2022, with Paxton alleging that Google’s “Location History” feature misled consumers about data tracking practices. This included tracking users despite assurances that disabling location history would cease data storage. The suit was amended in May 2022 to include allegations of continued tracking during incognito sessions, misleading consumers regarding privacy protections.
Further legal challenges arose when Paxton accused Google of improperly collecting and storing biometric data—specifically voiceprints and facial characteristics—through services like Google Photos and Google Assistant without explicit consent, in violation of Texas’s laws on biometric data usage.
Despite setbacks in court regarding the allegations related to incognito mode tracking, the Texas Attorney General has previously secured substantial settlements with Google over accusations of deceptive and anticompetitive business practices amounting to $700 million and $8 million, respectively.
In response to these privacy concerns, Paxton announced the formation of a specialized data privacy team dedicated to safeguarding the privacy rights of Texas residents. Following similar legal precedents, Meta (formerly Facebook) reached a $1.4 billion settlement earlier this year over unauthorized biometric data capture, highlighting the increasing scrutiny on technology companies.
This case not only underscores ongoing issues surrounding data privacy but also illustrates potential vulnerabilities that organizations face. From a cybersecurity perspective, tactics such as initial access and persistence, as defined in the MITRE ATT&CK framework, form crucial elements in this complex landscape. Organizations must remain vigilant against potential intrusions and ensure compliance with privacy laws to mitigate risks of similar allegations.
