Google records users’ locations even when they have asked it not to, a report from the Associated Press has suggested.
The issue could affect up to two billion Android and Apple devices which use Google for maps or search.
The study, verified by researchers at Princeton University, has angered US law-makers.
Google said in response that it provides clear descriptions of its tools and how to turn them off.
The study found that users’ whereabouts are recorded even when location history has been disabled.
- Google stores a snapshot of where you are when you open the Maps app
- Automatic weather updates on Android phones pinpoint roughly where a user is
- Searches that have nothing to do with location pinpoint precise longitude and latitude of users
To illustrate the effect of these location markers, AP created a visual map showing the movements of Princeton researcher Gunes Acar who was using an Android phone with location history turned off.
The map showed his train commute around New York as well as visits to The High Line park, Chelsea Market, Hell’s Kitchen, Central Park and Harlem. It also revealed his home address.
To stop Google saving these location markers, users have to turn off another setting called Web and App Activity, which is enabled by default and which does not mention location data.
Disabling this prevents Google storing information generated by searches and other activities which can limit the effectiveness of its digital assistant.
“You would think that telling Google that you didn’t want your location to be tracked by disabling an option called “Location History” would stop the internet giant from storing data about your location,” writes security researcher Graham Cluley on his blog.
“It seems pretty sneaky to me that Google continues to store location data, unless you both disable “Location history” and “Web & App Activity.””
In response, Google told AP: “There are a number of different ways that Google may use location to improve people’s experience, including: Location History, Web and App Activity, and through device-level Location Services.
“We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time.”
- Facebook and Google use ‘dark patterns’ in privacy settings
- Google and Facebook accused of breaking GDPR laws
- Gmail messages ‘read by human third parties’
Following its research, AP created a guide to show users how to delete location data.
Presented with the evidence of the AP study, Democratic senator Mark Warner accused technology companies of having “corporate practices that diverge wildly from the totally reasonable expectation of their users”.
Republican senator Frank Pallone called for “comprehensive consumer privacy and data security legislation”.
In the UK, a spokesman for the Information Commissioner’s Office told the BBC: “Under the GDPR and the Data Protection Act 2018, organisations have a legal duty to be open, transparent and fair with the public about how their personal data is used.
“Anybody who has concerns about how an organisation is handling their personal information can contact the ICO.”
Technology firms are under fire for not being clear about privacy settings and how to use them. In June, a report from the Norwegian Consumer Council found evidence that privacy-friendly options are hidden away or obscured.
Location-based advertising offers big opportunities to marketers. According to research firm BIA/Kelsey, US brands are poised to spend up to $20.6bn (£16.3bn) on targeted mobile ads in 2018.
Since 2014, Google has let advertisers track the effectiveness of online adverts with a feature based on footfall data, which relies on location history.
Google tracks users who turn off location history