Google’s privacy policy is public. Most people have never read it. This is the first part of an investigation into what happens in the gap between what we agree to and what we understand.
This article is the first part of a larger investigation into how major technology companies collect, use, and retain data about the people who use their products. I started with Google because it touches more parts of daily life than almost any other company on Earth. Future parts will examine Meta, Microsoft, and the less visible data broker industry operating behind all of them.
A note on methodology: factual claims in this series are drawn from court filings, regulatory decisions, and official company documentation unless stated otherwise. Where I share my own interpretation, I mark it clearly. The two are not the same thing, and I will not pretend they are.

01 · A Checkbox and a Thousand Pages
You probably accepted Google’s privacy policy without reading it.
Most of us did.
A few taps. A checkbox. A blue button that said Agree. Then we moved on with our lives. Jobs, meals, sleep, repeat. The policy kept running in the background like an app we forgot to close.
Google’s own privacy policy states that it collects unique identifiers, browser and device settings, IP address, crash reports, system activity, and interaction data. On paper, that is all explained. In practice, most people never see the paper.
There is a difference between information being available and information being understood.
We built a world where the contract governing a large part of your digital life is technically accessible but practically unreadable, and then we called that consent.
Everyone knows the quote.
“If it’s free, then you are the product.”
It gets repeated so often that it has almost stopped sounding like anything. But what does it actually mean? Not in theory. In practice. What is being traded, exactly? And did you fully understand the trade when you clicked that button?
That is what this series is trying to find out.
02 · The Company That Knows Your Route Home
Before anything else, scale matters.
Google Search processes billions of queries every day. Chrome is the dominant browser by global share. Android powers most smartphones worldwide. YouTube is one of the most visited websites on the internet. Gmail, Maps, Photos, Drive, Assistant — the list keeps going.
This is not an accusation. It is context.
The point is not that Google collects data. Nearly every digital service does. The point is how many separate opportunities Google has to collect data about a single person in a single day.
You wake up and check the weather on your Android phone. You navigate somewhere using Maps. You search something in Chrome. You watch a video on YouTube during lunch. You receive an email in Gmail.
That is one ordinary day. Five different products. Five different data streams. One company receiving all of them. Whether that aggregation is a problem depends on what happens to the data afterward.

That is where the story begins.
03 · “Don’t Be Evil”
Google’s unofficial corporate motto for most of its early existence was three words.
It was not a marketing slogan. It appeared inside the company’s code of conduct. It stuck in the public imagination because it sounded like a promise in plain language. Not legal language. Human language. The kind of thing a person says, not a corporation.
In 2018, it was quietly removed from the preface of that document. Multiple news organizations reported the change at the time, and archived versions of the code of conduct confirm the earlier wording existed.
Ross LaJeunesse, Google’s former Head of International Relations, later said publicly that the phrase had become a corporate marketing tool rather than a genuine reflection of the company’s values.
The removal of three words is not evidence of wrongdoing. It does not prove anything on its own. But it is a data point. And data points are what this series runs on.
04 · The Location That Wasn’t Supposed to Be There
Imagine something simple. You open your phone’s settings. You find a toggle called Location History. You switch it off. You assume Google stops recording where you go.
Reasonable assumption. That is exactly what the setting implies. In 2018, the Associated Press investigated that assumption. Reporters found that several Google services on Android and iPhone devices stored location data even after users had paused Location History. Princeton University researchers independently confirmed the findings at the AP’s request.
Opening Google Maps was enough to generate a location record. Performing a Google search was enough. The setting appeared to say one thing. The underlying behavior did another.
A year earlier, Quartz had reported something more direct: Google was collecting the addresses of nearby cell towers from Android devices even when all location services were switched off. Google said it would stop the practice and stated the data had not been used for location tracking.
The legal consequences arrived later. Forty U.S. states joined a settlement worth $391.5 million over allegations that users had been misled about what their location privacy settings actually controlled. Connecticut Attorney General William Tong called it a historic win for consumers and noted that location data is among the most sensitive personal information Google collects. Your location is not just a coordinate. It is your routine. Your workplace. Your home. The people you visit. The places you avoid. A map of your life is still a map, even when it is reduced to data points.
My opinion: The gap here is not between privacy and no privacy. It is between what a setting says and what a setting does. When that gap appears repeatedly across products and across years, it becomes a pattern worth paying attention to.
05 · The Private Window That Was Not Private
Everyone knows Incognito mode. The icon is a spy wearing a hat. The name is Incognito. The implication is obvious: what happens in this tab stays in this tab.
Google has always stated that Incognito mode does not make users invisible. Its own support documentation says that websites you visit, including websites using Google services, may still receive information about your activity. That disclosure existed.
The question is whether most users ever saw it, understood it, or knew what it meant in practice.
In 2020, a class-action lawsuit argued that many did not. The case, Brown v. Google LLC, alleged that Google continued collecting browsing data from users in Incognito mode through Google Analytics and tracking tools embedded on third-party websites. Google disputed the allegations throughout the litigation.
The parties eventually reached a settlement, which received final approval in 2026. Under its terms, Google agreed to destroy or de-identify billions of private browsing records collected during the period in question, and to update its disclosures and default cookie behavior in Incognito mode.
Read that again slowly. Billions of records.

A settlement does not automatically establish legal liability. That distinction matters and should be stated clearly.
But settlements of that scale, requiring the destruction of that volume of data and the rewriting of product defaults, do not happen because a help page was slightly unclear.
Something had gone wrong somewhere between what users believed Incognito meant and what was actually happening behind the scenes.
My opinion: A privacy feature should not require careful study of support documentation to understand its actual limits. If a significant number of users consistently misunderstand what a feature does, the design of that feature is worth examining, not just the users.
06 · A Billion-Dollar Question
In October 2025, the Texas Attorney General announced a $1.375 billion settlement with Google.
Pause there for a moment.
The settlement resolved two lawsuits filed by Texas in 2022. The first alleged that Google had systematically misled users about how it tracked and used location data, and that it continued collecting data in Incognito mode contrary to what it had publicly represented. Texas cited Google’s own privacy policy disclosures in support of its claims under the Texas Deceptive Trade Practices Act.
The second lawsuit focused on biometric data. Texas alleged that Google collected voiceprints and facial geometry records through Google Photos, Google Assistant, and Nest Hub Max, in violation of the state’s Capture or Use of Biometric Identifier Act.
Voice. Face. Location.
Three categories of information most people would consider deeply personal.
Google did not admit wrongdoing as part of the settlement. That is standard legal practice and worth stating precisely.
But governments do not typically pursue billion-dollar settlements because a settings page was worded awkwardly. Whether you agree with Texas or with Google, the scale of the settlement reflects the scale of what was being disputed.
These are not minor technical disagreements. They are disputes about some of the most sensitive categories of personal information that exist.
My opinion: The location cases, the Incognito litigation, and the biometric claims become harder to view as isolated incidents when placed side by side. Individually, each has its own legal context and its own nuances. Together, they describe a pattern across products, years, and data types that is difficult to explain away.

07 · Before You Close the Tab
You agreed to the policy. You clicked the button. You used the products.
So did I. So does almost everyone reading this. That is true. And it matters.
But if a decision affects years of your digital life, can consent really be reduced to a checkbox that takes seconds to click and pages that most people will never read? I am not sure anymore. That uncertainty is what started this investigation.
In Part 2, I will follow the rest of the paper trail: additional lawsuits, Google’s AI training practices, the advertising ecosystem, and the broader picture that starts to emerge when these cases are placed side by side. And after Google, this series moves to another company whose products you almost certainly used today without thinking about what they know about you.
Part 2: Google — The Full Picture, coming soon.
*Sources, case references, and primary documents for every claim in this article will be available soon.*
Appendix — Additional Cases
The following cases are part of the broader Google privacy litigation record. Full citations and source links will be updated on the repository soon.
| Case | Amount | Subject |
|---|---|---|
| Rodriguez v. Google LLC | $425.7 million | Web & App Activity tracking |
| California AG Settlement | $93 million | Location data practices |
| FTC / New York AG — YouTube Kids | $170 million | Children’s data, COPPA |
| YouTube Kids Class Action | $30 million | Children’s data |
| Kumandan v. Google LLC | $68 million | Google Assistant false activations |
| Google+ Privacy Bug | $350 million | Exposed profile data |
| CNIL Fine, France | €325 million | Gmail advertising consent |
| Ambriz v. Google | Ongoing | AI eavesdropping allegations |
| J.L. v. Alphabet Inc. | Ongoing | AI web scraping allegations |
| Dinerstein v. Google | Ongoing | Patient health record handling |
If you want to share your thoughts as a comment, I have posted this also on Medium.
Written sometime after midnight · Share freely, credit kindly · © @rhythmusbyte.