Google says it will destroy browsing data collected by Chrome’s incognito mode

The first details emerged Monday of Google’s settlement of a class-action lawsuit over Chrome’s tracking of incognito users. Filed in 2020, the lawsuit could have required the company to pay $5 billion in damages. Instead, The Wall Street Journal reports that Google will destroy “billions of data points” improperly collected, update its data collection disclosures, and maintain a setting that blocks Chrome’s third-party cookies by default for the next five years.

The lawsuit accuses Google of misleading Chrome users about how private incognito browsing really is. The company allegedly told customers their information was confidential — even as it monitored their activity. Google defended its practices, saying it warned Chrome users that incognito mode “doesn’t mean invisible” and that sites can still see their activity. The settlement was first reported in December.

The lawsuit originally sought $5,000 in damages per user for alleged violations of federal wiretapping and California privacy laws. Google tried and failed to dismiss the lawsuit, with Judge Lucy Koch ruling in 2021 that the company “failed to notify” users that it was still collecting data while incognito mode was active.

Engadget has emailed Google for comment on the details of the settlement. We will update this article if we receive a response.

Discovery in the lawsuit includes emails that in late 2022 publicly revealed some of the company’s concerns about Incognito’s false privacy. In 2019, Google chief marketing officer Lorraine Toohill suggested to CEO Sundar Pichai that “private” was the wrong term for incognito mode, as it risked “exacerbating certain misconceptions”. In a later email exchange, Toohill wrote, “We’re limited in how heavily we can promote Incognito because it’s not really private, so it requires really fuzzy, hedging language that’s almost more harmful.”

The court did not approve a class of plaintiffs for financial damages, so users will have to sue Google as individuals to try to collect compensation. Some wasted no time: A group of 50 people already filed a separate lawsuit in California state court Thursday for privacy violations.

The case was originally scheduled for February. The settlement still needs final approval from Judge Yvonne Gonzalez Rogers of the Northern District of California before it becomes official.

“This settlement is a historic step in demanding honesty and accountability from dominant technology companies,” attorney David Boyce, who represents the plaintiffs, said in a statement to The Wall Street Journal.

One part of the agreement, the requirement that Google turn off third-party tracking cookies by default for the next five years, may already be a contentious issue. The company’s Privacy Sandbox initiative was already scheduled to disable all third-party cookies for Chrome users by the end of the year. It will replace them with the Themes API, a system that avoids cookies by categorizing browsing activity into locally stored themes. The new system allows advertisers to target ads to users without directly accessing their browsing data.

It is also questionable how effective the destruction of improperly collected data will be. Given that the lawsuit covers information dating back to 2016, it’s reasonable to assume that the company either sold much of the data to third parties long ago or incorporated it into separate products not covered by the settlement.

Google will also have to rewrite its privacy disclosures about its incognito data collection practices. That said WSJ has already started applying the change.