Google is under fire once again, facing a $425 million lawsuit over claims it violated user privacy by continuing to collect personal data, even after users disabled tracking features in their account settings. The lawsuit, which originated from a class action filed in 2020, alleges that Google harvested data through third-party apps despite users turning off the “Web & App Activity” setting.
This isn’t an isolated incident. Earlier this year, Google was fined a record $1.4 billion for similar privacy violations, intensifying scrutiny from regulators and undermining consumer trust. With multiple lawsuits now targeting their data practices, questions are mounting about the reliability of Google’s privacy safeguards.
As confidence in big tech’s data ethics continues to wane, organizations across industries are being urged to take a hard look at their own privacy frameworks. What proactive steps can businesses take to avoid similar missteps, and build lasting trust with their users?
Jump to:
- Google’s “Web & App Activity” setting
- Google’s rocky history with data privacy
- Is there a consent gap across Big Tech?
- Lessons for other organizations
Google’s “Web & App Activity” setting
Affecting over 100 million users, the alleged violations claim that Google misled its users by continuing to collect personal data, even after certain privacy settings were enabled within their accounts.
At the heart of the issue is the “Web & App Activity” setting, which Google assured would prevent data collection from third-party apps using its backend analytics services. However, despite users believing they had control over their privacy, Google allegedly continued to gather data, raising serious concerns about transparency and user consent.
Google’s rocky history with data privacy
This isn’t the first time Google has faced major penalties over data privacy violations. In 2025 alone, we’ve seen multiple cases involving breaches related to location tracking, children’s data, and targeted advertising.
May 2025 – Texas data privacy lawsuit
One of the most significant legal outcomes this year came when the Texas Attorney General announced a landmark $1.4 billion settlement against Google. The lawsuit alleged that the company was tracking users’ personal locations, incognito browsing activity, and voice data without explicit consent. This raised serious concerns about ethical data collection and consent management practices across Big Tech.
August 2025 – Children’s privacy lawsuit
In another major privacy case, Google and YouTube agreed to a $30 million settlement to resolve allegations that they unlawfully collected personal data from children under the age of 13 without parental consent. The lawsuit cited violations of the Children’s Online Privacy Protection Act (COPPA), claiming that data was harvested while children watched child-directed content (such as cartoons and nursery rhymes) on YouTube, and was then used for targeted advertising.
September 2025 – CNIL advertising practices
Google was fined €325 million by France’s data protection authority (CNIL) for breaching national privacy laws through its Gmail advertising practices and cookie consent mechanisms. The investigation, prompted by a complaint from privacy advocacy group NOYB, revealed that Google had inserted advertisements in the form of emails into users’ Gmail inboxes, specifically within the “Promotions” and “Social” tabs, without obtaining prior consent.
Is there a consent gap across Big Tech?
Across each of these cases, consent management appears as the standout concern for data privacy. Whether it’s buried in account settings, obscured by design, or bypassed entirely, the failure to obtain clear, informed, and voluntary user consent is at the heart of Google’s legal troubles.
However, this pattern isn’t unique to Google. It reflects a broader challenge across Big Tech, where user data is often treated as a resource to be mined rather than a right to be respected. As regulators tighten their grip and consumers grow more privacy-conscious, the pressure is mounting for organizations to get their consent practices right.
Investing in a scalable consent management solution is a crucial first step. The right Consent Management Platform (CMP) not only helps organizations comply with global privacy regulations, it also enables smarter, more ethical use of data. By processing and storing user consent across individual data subject records, a CMP plays a vital role in managing consent preferences. This, in turn, determines how organizations can lawfully utilize personal data in accordance with evolving privacy legislation.
With a well-implemented CMP, businesses can confidently enable personalized marketing, streamline data governance, reduce silos, and eliminate manual workflows.
Lessons for other organizations
Google’s privacy violations aren’t isolated incidents. Across various industries, from retail to pharmaceuticals, data privacy is becoming a critical concern for any forward-thinking business. To avoid similar pitfalls, organizations must treat privacy as a strategic priority:
- Ensure consent is meaningful: Users should fully understand what they’re agreeing to and be given genuine control over their data.
- Conduct regular audits: Review how data is collected, processed, and stored to ensure alignment with your privacy policies and legal obligations.
- Design for transparency: Avoid manipulative interfaces or “dark patterns” that nudge users into sharing more than they intend.
- Stay ahead of regulation: Proactively align with frameworks like GDPR, CCPA, and other emerging standards to build trust and reduce risk.
