1Introduction
For over two decades, Google has built an empire around collecting, analyzing, and monetizing information. At the same time, it has carefully cultivated an image as a trustworthy steward of user data. Privacy dashboards, transparency reports, Incognito Mode, ad controls, privacy sandboxes, consent dialogs, and reassuring blog posts all communicate the same message: Google is protecting your privacy while giving you control over your data.
Yet time and again, independent researchers, privacy advocates, journalists, regulators, and courts have uncovered a different reality.
Users have been tracked after being told tracking was disabled. Data has been collected in situations where people reasonably believed it was not. Features marketed as privacy improvements have sometimes served Google’s business interests just as much as — or more than — the interests of users. Settings that appear straightforward often turn out to be anything but. Opt-outs can be difficult to find, consent mechanisms can be confusing, and privacy promises frequently come with footnotes large enough to drive a data center through.
None of this should be surprising. Google is not primarily a privacy company. It is one of the most sophisticated data collection and advertising companies ever created. The overwhelming majority of its revenue has historically depended on its ability to gather information, build behavioral profiles, and target advertisements with extraordinary precision. Every “privacy” initiative introduced by Google exists alongside this fundamental economic reality.
2Documentation of Instances Where Google Made False Claims About Data Collection
2.12007-2010: Street View WiFi Data Collection (“Wi-Spy”)
| Description | Google Street View cars collected WiFi data while photographing streets |
| What Google Said | “We do not gather ‘payload’ data passed through those wifi networks” — only collecting network names and MAC addresses |
| What Actually Happened | Collected 600GB of personal data including emails, passwords, URLs, and personal communications from unsecured WiFi networks across 30+ countries. FCC investigation found this was deliberate, not accidental — engineer designed system to collect payload data and documented it. |
| Result | • $7M settlement with 37 US states (2013) • $13M class action settlement (2019) • Multiple fines from European countries • FCC found Google “deliberately impeded and delayed” investigation |
| Sources | Guardian 2010, NPR 2013 |
2.22010: Google Buzz Privacy Violations
| Description | Automatic enrollment of Gmail users into social network without proper consent |
| What Google Said | Did not adequately disclose that users’ frequent email contacts would become public by default |
| What Actually Happened | Automatically enrolled all Gmail users in Buzz social network, publicly exposed users’ most frequent email contacts by default, made private contact lists visible to anyone |
| Result | • $8.5M class action settlement (2010) • FTC consent decree barring Google from misrepresenting privacy practices (2011) • This order was later violated by Safari cookie scandal |
| Sources | FTC 2011 |
2.32011: Android Cell Tower Location Tracking
| Description | Android phones collecting location data |
| What Google Said | Users could control location data collection through settings |
| What Actually Happened | Android phones collected cell tower addresses from all devices even when location services were disabled, sending data back to Google several times per hour |
| Result | • $50M lawsuit filed • Led to broader location tracking investigations |
| Sources | Quartz 2017, Guardian 2011 |
2.42011-2012: Safari Cookie Tracking Bypass
| Description | Google tracking Safari users despite privacy settings |
| What Google Said | Told Safari users that browser’s default cookie-blocking settings “effectively accomplishes the same thing as opting out” of Google’s advertising tracking. Safari users would automatically be opted out. |
| What Actually Happened | Deliberately circumvented Safari’s default privacy settings by exploiting a technical loophole to place tracking cookies despite explicit promises not to. This violated the 2011 FTC consent order from Google Buzz case. |
| Result | • $22.5M FTC fine (2012) — largest FTC penalty ever at that time for violating a Commission order |
| Sources | FTC 2012 |
2.52013-2017: Gmail Email Scanning for Advertising
| Description | Google scanning email content for targeted advertising |
| What Google Said | Provided consent through terms of service |
| What Actually Happened | “Unlawfully opens up, reads, and acquires the content of people’s private email messages” — scanned emails from non-Gmail users who never consented |
| Result | • Initial settlement rejected by judge • Revised $2.2M settlement approved (2018) • Google agreed to stop scanning emails for advertising purposes |
| Sources | EPIC 2016, Lieff Cabraser 2018 |
2.62006-2013: Search Referrer Header Data Sharing
| Description | Google sharing search queries with third parties |
| What Google Said | Users’ search data remained private |
| What Actually Happened | Violated users’ privacy by appending search keywords to HTTP Referer headers, which were then sent to third-party websites without user knowledge or consent |
| Result | • $23M class action settlement • Payments to affected users who searched between Oct 2006 — Sept 2013 |
| Sources | AARP, Yahoo Finance |
2.72017-2018: Location History Deception
| Description | Google continued tracking location with “Location History” turned off |
| What Google Said | “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.” On iPhone: “None of your Google apps will be able to store location data in Location History.” |
| What Actually Happened | Continued storing location data through second setting “Web & App Activity” (on by default). Simply opening Maps recorded location, weather updates pinpointed location, random searches saved precise latitude/longitude (accurate to square foot). AP investigation with Princeton confirmed. |
| Result | • Australian Federal Court ruled Google misled consumers (2021) • $391.5M settlement with 40 US states (2022) • $93M California settlement (2022) • $85M Arizona settlement (2022) • $1.375B Texas settlement (2022) |
| Sources | AP 2018, ACCC 2021 |
2.82017-2020: Android Lockbox Data Collection
| Description | Android collecting cellular and WiFi data without consent |
| What Google Said | Users could control data collection through privacy settings |
| What Actually Happened | Program called “Android Lockbox” collected users’ cellular and WiFi data without consent, even when apps were closed and location services were disabled |
| Result | • $135M settlement (2026) • $314M jury verdict for secretly transferring cellular data |
| Sources | Engadget 2026 |
2.92018-2020: Incognito Mode Tracking
| Description | Chrome’s Incognito mode providing privacy |
| What Google Said | Chrome’s Incognito splash screen stated browsing activity “won’t be saved” and suggested private browsing |
| What Actually Happened | Tracked and collected user data even when users browsed in Incognito mode, including browsing histories, search queries, and personal information |
| Result | • $5B class action lawsuit settlement (Dec 2023) • Google agreed to delete billions of records • Affected ~136M Chrome users |
| Sources | NPR 2023, BBC 2024 |
2.102018-2020: App Data Collection Despite Settings Disabled
| Description | Users disabling data collection in apps |
| What Google Said | Users could disable data collection through privacy settings |
| What Actually Happened | Secretly collected user data from cellphone apps even after users explicitly disabled data collection settings, including location tracking, browsing activity, and voice data |
| Result | • $425.7M California jury verdict to ~100M users (2025) |
| Sources | Fox Business 2025 |
2.112019: YouTube Children’s Data Collection (COPPA Violation)
| Description | YouTube not directed at children under 13 |
| What Google Said | Claimed YouTube was not directed at children and therefore didn’t need to comply with COPPA |
| What Actually Happened | Knowingly collected personal information from children watching child-directed content, used data to serve targeted advertising. Internally marketed to advertisers as “#1 website regularly visited by kids” |
| Result | • $170M FTC/New York settlement (2019) — record COPPA penalty at time • Additional $30M class action settlement (2025) |
| Sources | FTC 2019 |
2.122019: Project Nightingale (Ascension Health Data)
| Description | Google accessing millions of patient medical records |
| What Google Said | Partnership with Ascension was HIPAA-compliant and proper |
| What Actually Happened | Secretly collected detailed personal health information of millions of patients across 21 states without patient knowledge or consent. Google employees had access to patient names and full medical records. |
| Result | • Congressional investigation launched • Multiple lawsuits filed • Ongoing regulatory scrutiny |
| Sources | Guardian 2019, Nature 2019 |
2.132019-2024: Google Assistant Voice Recording
| Description | Google Assistant only recording when activated |
| What Google Said | Voice assistant only listened and recorded when users said “Hey Google” or “OK Google” |
| What Actually Happened | Illegally recorded users and shared private conversations with advertisers. Human contractors listened to recordings. Recorded conversations even when not intentionally triggered. |
| Result | • $68M settlement for secretly recording private conversations (2025) |
| Sources | CBS News, BBC |
2.142020-Present: Student Data Collection in Education Apps
| Description | Student data only used for educational purposes |
| What Google Said | Promised schools that Chromebooks and education apps would only use student data for educational purposes |
| What Actually Happened | Embedded hidden tracking technologies in education products, collected student browsing activity, location data, and other personal information for purposes beyond education without parental consent |
| Result | • Multiple ongoing lawsuits (2020-2025) • New Mexico lawsuit • California federal lawsuit filed 2025 |
| Sources | Bloomberg Law 2025 |
2.15April 2025: Google Workspace for Education Data Collection & Sale
| Description | K-12 student data protected and not sold |
| What Google Said | “None of the information collected in Workspace for Education services is ever used for targeted advertising and we have strong controls to protect student data” — Signed Student Privacy Pledge |
| What Actually Happened | Lawsuit alleges Google unlawfully collects and sells K-12 student web activity data, creates “fingerprints” to track individual children across internet even with cookies disabled, collects names, emails, web activity, documents created, messages sent, and sells student profiles to third parties. Schools consent on behalf of parents without proper COPPA compliance. |
| Result | • Active lawsuit filed April 7, 2025 seeking class-action status • Affects millions of students (1M+ Chromebooks in NC alone) • Ongoing litigation |
| Sources | WRAL 2025 |
2.162020-2024: Third-Party Cookie Blocking Promise
| Description | Would phase out third-party cookies by 2022 (later 2024) |
| What Google Said | Announced “Privacy Sandbox” initiative to protect user privacy by blocking third-party cookies in Chrome |
| What Actually Happened | After years of promises, completely abandoned the plan in July 2024. Third-party cookies will remain in Chrome indefinitely. |
| Result | • No legal penalties but significant reputational damage • EFF called it breaking a promise, “bad for your privacy and good for Google’s business” |
| Sources | EFF 2024 |
2.172021: Google Photos Face Recognition (BIPA Violation)
| Description | Proper consent obtained for facial recognition |
| What Google Said | Complied with Illinois Biometric Information Privacy Act |
| What Actually Happened | Used face-recognition technology to group photos without proper consent, collected and stored facial biometric data of Illinois residents in violation of BIPA |
| Result | • $100M settlement with Illinois residents (2022) |
| Sources | Top Class Actions |
2.182021: YouTube Face Blur BIPA Violation
| Description | Face Blur feature protected privacy |
| What Google Said | Feature only blurred faces as claimed |
| What Actually Happened | Face Blur feature collected biometric data without proper consent in violation of Illinois BIPA |
| Result | • $6M BIPA settlement approved |
| Sources | Top Class Actions |
2.192021: Fitbit Acquisition Data Promises
| Description | Fitbit health data won’t be used for Google Ads |
| What Google Said | “Your Fitbit health and wellness data won’t be used for Google Ads, and it will continue to be kept separate from Google Ads data” |
| What Actually Happened | Privacy advocates filed complaints alleging Fitbit forces users to consent to sharing sensitive health data without clear information. Concerns about data integration despite promises. |
| Result | • Three complaints filed by noyb (Max Schrems) • Ongoing regulatory scrutiny • EU antitrust concerns |
| Sources | noyb 2021 |
2.202023: Evidence Destruction in Antitrust Cases
| Description | Google preserving chat messages as required |
| What Google Said | Claimed to have legal holds in place and was preserving employee chats as required |
| What Actually Happened | “Systematically destroyed” instant message chats every 24 hours despite federal rules to preserve communications. DOJ said Google “falsely” told them auto-deletion was suspended. Judge found “intentional and repeated destruction.” |
| Result | • Judge ruled Google intentionally destroyed evidence and must be sanctioned • Contributed to adverse rulings in Epic Games case • Ongoing sanctions in DOJ antitrust case |
| Sources | CNBC 2023, Tech Oversight 2023 |
2.212024: Medical Location Data Retention
| Description | Would delete sensitive location data including visits to abortion clinics |
| What Google Said | Promised in 2022 to delete location history for visits to sensitive locations including abortion clinics, domestic violence shelters |
| What Actually Happened | Failed to follow through on promises. Continued tracking and storing sensitive medical location data including visits to abortion clinics without proper deletion |
| Result | • FTC complaint filed by EPIC and Accountable Tech (2024) • Under investigation |
| Sources | Bloomberg Law 2024, EPIC |
2.222024-2025: Hospital Website Tracking Pixels
| Description | Healthcare data privacy protected |
| What Google Said | Tracking pixels on websites don’t collect protected health information |
| What Actually Happened | Tracking technology used on hospital and healthcare provider websites transmitted sensitive patient data to Google without consent, potentially violating HIPAA |
| Result | • Multiple class action lawsuits filed • Some claims dismissed, others proceeding • Ongoing litigation |
| Sources | HIPAA Journal 2024 |
2.232025: “Fake” Privacy Opt-Out Button
| Description | Users could opt out of data collection |
| What Google Said | Opt-out button gave users control over their data |
| What Actually Happened | Plaintiffs alleged opt-out button was “fake” — Google stored and used consumers’ data to sell ads even when users clicked opt-out |
| Result | • Part of $425.7M verdict • Jury found Google duped users with fake privacy controls |
| Sources | Law360 2025 |
2.242025: Play Store Children’s Privacy
| Description | Proper age verification and parental consent |
| What Google Said | Complied with children’s privacy laws |
| What Actually Happened | Collected personal information of children under 13 through Play Store without proper parental consent |
| Result | • $8.25M settlement |
| Sources | Top Class Actions |
3Patterns Identified
3.1Systematic Deception Through Hidden Settings
Google repeatedly claimed users could control data collection through one setting, while secretly collecting the same data through different, undisclosed settings:
- Location History vs. Web & App Activity
- Incognito Mode vs. actual tracking
- Visible opt-out buttons that didn’t actually stop collection
3.2“Accidental” Collection That Was Deliberate
Multiple cases where Google initially claimed data collection was accidental or a mistake, but investigations revealed deliberate engineering:
- Street View WiFi collection (engineer designed and documented the system)
- Chat message deletion (systematic policy, not error)
3.3Broken Promises
Google made explicit public commitments, then failed to follow through:
- Third-party cookie blocking (promised for years, abandoned)
- Abortion clinic location data deletion (promised, not executed)
- Fitbit health data separation (promises, concerns remain)
3.4Targeting Vulnerable Populations
Repeated violations involving children’s data:
- YouTube COPPA violations
- Student data in education apps
- Play Store children’s privacy
- All despite specific laws protecting children
3.5Technical Circumvention
Google used technical means to bypass user privacy choices:
- Safari cookie blocking exploit
- Android location tracking despite disabled settings
- Incognito mode tracking
3.6Obstruction of Justice
Destruction of evidence in legal proceedings:
- Systematic deletion of chat messages during antitrust litigation
- Misleading statements to DOJ about preservation
4Insights
This comprehensive documentation reveals a consistent, 18-year pattern of Google making explicit privacy promises in user-facing interfaces and public statements, then systematically violating those promises through:
- Hidden secondary settings that continued data collection
- Technical circumvention of user privacy choices
- Deliberate engineering of collection systems later claimed as “accidents”
- Broken commitments to delete or protect sensitive data
- Targeting vulnerable groups including children and patients
- Obstruction of legal investigations
The pattern is not one of occasional mistakes or misunderstandings, but of systematic deception where:
- User-facing claims say one thing
- Technical implementation does another
- When caught, Google initially claims error
- Investigations reveal deliberate design
- Settlements include no admission of wrongdoing
- Violations continue in new forms
5Latest Development: Google Gemini for Education Claims
Google currently claims that when using Gemini (their AI assistant) in educational settings through Google Workspace for Education:
- “Submissions aren’t used to train models and are never reviewed by humans”
- “Your interactions stay within your organization”
- “Your content is not used for any other customers”
- “Enterprise-grade data protection with no ads”
Sources:
- Gemini for Google Workspace FAQ — Education
- Generative AI in Google Workspace Privacy Hub
- Google Workspace for Education Privacy Notice
5.1Why This Matters
Google is making these same privacy promises while actively being sued for violating nearly identical claims in the same platform [source].
| Aspect | Google’s Current Gemini Claim | April 2025 Lawsuit Allegation | Historical Pattern |
|---|---|---|---|
| Platform | Google Workspace for Education | Google Workspace for Education | Same platform, same promises |
| Promise | “Strong controls to protect student data” | Alleges unlawful collection and sale of student data | Made similar promises 24+ times before |
| Data Collection | Claims minimal collection for service provision only | Alleges comprehensive tracking including “fingerprinting” to track students across internet | Street View, Location History, Incognito — all claimed minimal collection |
| Third-Party Sharing | Claims data stays within organization | Alleges selling student profiles to third parties | YouTube ads, Gmail scanning — both involved third parties despite promises |
| Consent | Claims proper consent mechanisms | Alleges schools consent without proper parental COPPA compliance | Student Privacy Pledge signed, now being sued for violating it |
5.2Red Flags
- No Independent Verification — All claims are self-reported with no third-party auditing
- Ongoing Lawsuit — Currently being sued (April 2025) for doing exactly what they claim they’re not doing
- Storage Concerns — Data retained up to 36 months in Gemini app; users cannot delete individual conversations
- Definition Games — Distinction between “training models” vs. “improving AI services” is unclear
- Admin Surveillance — School administrators have complete access to all student AI conversations
- Service Data Collection — Still collecting activity logs, device info, location data even if prompts aren’t “trained on”
5.3Assessment
Given Google’s documented 18-year pattern of making false privacy claims (see table above), their current Gemini for Education promises should be viewed with extreme skepticism:
The track record shows:
- 24+ documented instances of making similar promises and breaking them
- Over $3.5 billion in fines and settlements for privacy violations
- Currently being sued for violating the exact same promises in the exact same platform
- Pattern of claiming collection is “minimal” or “for service provision only” while actually conducting extensive tracking
- History of using vague language that provides legal wiggle room
Recommendation: Assume all Gemini interactions are permanently stored, accessible to administrators, and potentially used in ways not disclosed. Google’s promises about education data carry no more weight than their previous claims about Location History, Incognito mode, or Street View data collection — all of which proved false.
The April 2025 lawsuit directly contradicts Google’s current Gemini privacy marketing, suggesting the pattern of deception continues into their newest products.
5.4Additional Reading
On the April 2025 Lawsuit:
- WRAL: Google school software is unlawfully collecting students’ data, lawsuit alleges
- EdTech Law: Google Data Privacy Litigation
On Google’s Education Data Practices:
- NBC News: Google’s work in schools aims to create a ‘pipeline of future users’
- Reddit: Gemini in Google Workspace is a Privacy & Compliance Nightmare
Privacy Advocacy Organizations:
- EPIC: Google Privacy Cases (search for “Google”)
- EFF: Google Privacy Issues
Miscellaneous compilations: