“Big Tech is not above the law”: Google faces $1.4 billion penalty in Texas data privacy lawsuit
Posted: May 16, 2025
In a landmark case for data privacy, Texas Attorney General Ken Paxton recently announced a $1.4 billion settlement with Google, marking what could possibly be one of the most significant legal outcomes of 2025.
The tech giant was accused of tracking users’ personal locations, incognito searches, and voice and facial data without their consent.
The case against Google appears alongside a steady flow of enforcement action, from recent CCPA fines to actions against Apple and Meta, highlighting how regulators are increasingly holding brands accountable for privacy violations. And, in the words of Texas Attorney General, Big Tech is certainly not “above the law”.
The lead-up to the landslide: What went wrong for Google
The long-standing case against Google’s questionable privacy practices first arose in 2022, with three separate lawsuits in the same year:
January 2022
A lawsuit from Texas Attorney General states that Google allegedly continued to track their personal location even when the “Location History” feature was disabled.
May 2022
The previous lawsuit against Google in relation to geolocation is amended to include “Incognito Mode” as yet another deception in the tech giant’s privacy practices.
October 2022
Paxton submits a third lawsuit against Google for its apparent “unauthorized capture and use of biometric data”. The Attorney General alleged that Google had failed to obtain informed consent from users before collecting data such as voiceprints and face geometry.
These three strikes from Google highlight a troubling pattern of alleged privacy violations, raising serious questions about the tech giant’s commitment to user privacy.
How this settlement stacks up against other Big Tech cases
This isn’t the first time Paxton has taken on Big Tech for privacy violations.
The monumental case against Google closely mirrors another significant settlement against Meta, secured by Texas Attorney General in 2024.
Back in February 2022, he sued Meta for unlawfully capturing the biometric data of millions of Texans without obtaining their informed consent, as is required by Texas law.
With regulators ramping up enforcement, coupled with the ever-shifting tides of legislation, the pressure for businesses to step up their privacy practices has never been higher.
If not, as we’ve seen recently with Honda, Apple, and luxury menswear retailer Todd Snyder, the costs for non-compliance can be staggering.
So, what can brands do to guarantee compliance, and avoid the same privacy missteps we’ve encountered in recent months?
One thing is clear: Consent is critical
One standout aspect of the Google lawsuit would be the collection of consumer data without sufficient consent.
As stated in the lawsuit from January 2022, regardless of whether users had chosen to disable the Location History setting, Google “deceptively continued to collect and store users’ locations through other means”, including via Location Services, Web & App Activity, and WiFi or Bluetooth scans.
Critical to the majority of global privacy legislations, from GDPR to CCPA, collecting informed, affirmative consent from consumers is essential.
Without consent, organizations must respect consumer privacy and cease any data collection or usage. This process can be streamlined by implementing a Consent and Preference Management (CPM) platform, designed to centralize consumer consent data into a singular source of truth.
Effective consent management ensures that consumer choices are being respected, whilst adhering to legislative requirements.
Communication and transparency
Transparency is not just about compliance; it’s about building a trustworthy relationship with your consumers.
One step in the right direction for companies wishing to overhaul their privacy practices would be to clearly communicate any data collection practices from the onset. Businesses should provide easy-to-understand privacy policies and regular updates on how consumer data is being used.
Being responsive to privacy concerns and ensuring that any changes to data management practices are promptly communicated can go a long way to securing consumer trust and mitigating the risks of non-compliance.
Don’t downplay the significance of compliance
The significance of compliance should never be downplayed. Treating compliance as a bottom-of-the-pile task is a sure-fire route to enforcement action, with the costs of non-compliance often far greater than the effort required to implement a solution.
Start by picking apart your privacy practices, ensuring that any data is collected and used in accordance with legislation. Next, establish clear protocols for data handling and regularly audit these practices to identify and rectify any gaps. Lastly, keeping informed with any changes to legislation and adapting accordingly is crucial in building a privacy program that scales with growing business needs.
If anything, this landmark case should serve as a reminder to other Big Tech companies that privacy is non-negotiable. And as regulatory scrutiny intensifies, brands must prioritize transparent data practices to not only avoid similar consequences, but to honor consumer trust.
