Google has been ordered to pay $425 million in damages after a California federal jury found the company violated user privacy by collecting data even when people had turned off tracking on their devices. The class action suit alleged that, between 2016 and 2024, the company continued to capture app activity from users’ phones despite the “Web & App Activity” setting being disabled.
At the heart of the case is how the Web & App Activity feature was supposed to work. The control was designed to give users more say over what information—such as searches, locations, and in-app activities—was stored and used. Plaintiffs argued that data collection continued not only from the company’s own services, but also from third-party apps, undermining user consent and expectations. The jury agreed on two of the three claims: invasion of privacy and intrusion upon seclusion.
The scale of the case was significant, representing about 98 million users. While some early projections suggested potential damages could soar into the tens of billions, the jury ultimately awarded $425 million. The decision underscores a growing focus on consumer data rights and reinforces that privacy settings must function as users reasonably expect.
The company has denied wrongdoing, signaled its intent to appeal, and characterized the verdict as a misrepresentation of how its systems operate. Its spokesperson said that when Web & App Activity is turned off, any limited data that may still be collected does not directly identify individuals, and users are notified about how data is handled. Even so, the ruling adds pressure on the broader tech industry to ensure privacy tools are transparent, accurate, and aligned with user choices.
Why this matters goes beyond a single verdict. Regulators and courts are raising the bar on accountability, and consumers are paying closer attention to how their information is used. Features labeled as “off” or “paused” must reliably stop data collection for the average user, without hidden exceptions. The case signals that gray areas in data practices—especially around third-party app activity—are likely to face heightened scrutiny.
What users can do now to protect their privacy:
– Double-check Web & App Activity and related controls in your account and device settings, and review what’s being saved.
– Audit app permissions on your phone; limit access to location, microphone, camera, and activity data to only what’s necessary.
– Regularly delete stored activity data you don’t want retained, and set auto-delete where available.
– Be selective with third-party apps that request broad data access and review their privacy policies.
– Revisit your ad personalization and tracking preferences to reduce profiling where possible.
What’s next will hinge on the appeals process and potential policy changes. Regardless of the legal outcome, the message is clear: privacy settings must do exactly what they promise, and companies need to communicate those behaviors in plain language. As technology evolves, the expectation for transparency, consent, and user control is only growing stronger.
