A federal jury in San Francisco has ordered Google to pay $425 million in damages after finding the company continued collecting personal data from millions of users even after those users had explicitly switched off Google’s own tracking tool. It is one of the largest privacy-related verdicts ever handed down against a technology company in the United States.
The class-action lawsuit represented approximately 98 million users and painted a damning picture: for nearly a decade, Google allegedly kept harvesting data in the background while its own settings screen told users their activity was no longer being saved.
The Setting That Didn’t Actually Work
At the center of the case is Google’s “Web & App Activity” feature, a toggle presented to users as a way to stop Google from recording their searches and app usage. Google’s own documentation states clearly that turning it off prevents the company from saving that data.
But evidence presented before the U.S. District Court for Northern California told a different story. Even with the setting disabled, Google allegedly continued pulling in data from third-party apps, including widely used platforms like Uber, Instagram, and various travel and dating apps. The data collected included location history, device identifiers, and behavioral usage patterns: exactly the kind of information that powers Google’s advertising engine.
In short: the off switch wasn’t really off.
$425 Million: A Message, If Not a Maximum Blow
The jury found Google liable for privacy violations but stopped short of ruling that the company acted with malicious intent, which meant punitive damages were off the table. Plaintiffs had originally sought $31 billion, a figure that reflected the sheer scale and duration of the alleged breach.
The final $425 million award breaks down to roughly a few dollars per affected user, which won’t feel like much individually. But as a collective judgment, it represents a serious financial consequence and, perhaps more importantly, a public declaration by a jury of ordinary people that what Google did was wrong.
Google Is Pushing Back and Heading to Appeal
Google wasted no time in rejecting the verdict. A company spokesperson stated the company disagrees with the jury’s conclusion and plans to appeal, maintaining that its privacy controls work as described and that the data involved was used for security purposes only, not for advertising or personalization.
Google’s legal team has also argued that the data collected was pseudonymized, meaning it was stripped of directly identifying details. Privacy experts, however, push back hard on that defense, pointing out that so-called anonymized data can frequently be cross-referenced and re-identified, especially when combined with location and behavioral signals.
The appeal means this legal battle is far from over, and could eventually work its way up through higher courts with nationwide implications for privacy law.
This Verdict Didn’t Come Out of Nowhere
The ruling lands amid a global wave of scrutiny aimed at how big tech companies collect and monetize user data. Earlier this year, France’s data protection authority, the CNIL, fined Google €325 million for placing advertising cookies on Gmail without proper user consent. Meanwhile, the European Union’s Digital Markets Act is pushing for greater transparency and limits on what so-called “gatekeeper” platforms can do with user data.
A tech policy analyst described the verdict as a watershed moment: evidence that juries are now willing to hold even the most powerful companies accountable when their real data practices contradict what they tell users.
What This Means for Everyone Who Uses the Internet
For everyday users, the verdict reinforces something that privacy advocates have argued for years: a toggle on a settings page means nothing if the company behind it isn’t actually honoring it. Offering the appearance of privacy control while quietly continuing to collect data is no longer just a PR risk; it is now a proven legal liability worth hundreds of millions of dollars.
For the broader tech industry, the message is harder to ignore than ever. The era of burying data collection practices in fine print, or hiding them behind the illusion of user controls, is running out of road. As regulators tighten their grip and juries prove willing to act, companies that have built their business models on opaque data practices will need to make a choice: rebuild trust genuinely, or keep paying for the alternative.













