Google: If you don’t want us to track your phone – just get another tracking ID!
Today noyb.eu filed a formal GDPR complaint against Google for tracking users through an “Android Advertising ID” without a valid legal basis. The data collected with this unique tracking ID is passed on to countless third parties in the advertising ecosystem. The user has no real control over it: Google does not allow to delete an ID, just to create a new one.
Buy a phone, get a tracker: Every time you buy a new Android phone and happily turn it on for the first time, Google places a unique tracking ID on your phone. Just like a “digital license plate” the tracking ID allows Google and countless third-parties to surveil users.
“In essence, you buy a new Android phone, but by adding a tracking ID they ship you a tracking device.” - Stefano Rossetti, privacy lawyer at noyb.eu
EU Law requires user choice. Under GDPR, the strict European privacy law, users must consent to being tracked. Google does not collect valid “opt-in” consent before generating the tracking ID, but seems to generate these IDs without user consent.
Google: Choice between tracking or more tracking. Google claims that users can control the processing of their data, but when put to the test Android does not allow deleting the tracking ID. It only allows users to generate a new tracking ID to replace the existing one. This neither deletes the data that was collected before, nor stops tracking going forward.
“It is grotesque: Google claims that if you want them to stop tracking you, you have to agree to new tracking. It is like cancelling a contract only under the condition that you sign a new one. Google´s system seems to structurally deny the exercise of users´ rights.” - Stefano Rossetti, privacy lawyer at noyb.eu
Complaint filed. The formal legal complaint was filed on behalf of an Austrian citizen with the Austrian Data Protection Authority (DPA) and is partially based on the report “Out of control” by Norwegian Consumer Council. The Austrian DPA may involve other European DPAs in the case. Under the GDPR the authorities can fine Google up 4% of the global turnover, which amounts to up to € 5 Billion.