Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

May 27, 2026 · 7 min read

A California Federal Jury Ordered Google to Pay More Than $425 Million to 98 Million Users Who Turned Off the Web & App Activity Setting and Were Tracked Anyway—The Verdict Lands in the Same Year as a $135 Million Android Settlement, a New RTB Control, and a $1.375 Billion Texas Payout

In Rodriguez v. Google LLC, a jury in the Northern District of California found that Google kept collecting activity data from third party apps for roughly 98 million people who had switched off the "Web & App Activity" setting—the toggle Google presents as the way to stop exactly that collection. The award is $425.7 million in compensatory damages, with interest pushing the judgment past $440 million. The jury found invasion of privacy and intrusion upon seclusion, but declined to award punitive damages.

An editorial photograph of a smartphone resting on a desk showing a privacy settings screen with a toggle switched to the off position, lit in muted indigo light with shallow depth of field, representing an opt out control that did not stop data collection

Key Takeaways

  • A federal jury in the Northern District of California awarded $425.7 million in compensatory damages against Google in Rodriguez v. Google LLC, with the class covering roughly 98 million users of phones and tablets.
  • The case centered on a single claim: that Google continued to collect data from third party apps after users turned off the "Web & App Activity" setting, the control Google markets as the way to stop that collection.
  • The jury found Google liable for invasion of privacy and intrusion upon seclusion but declined to award punitive damages, and rejected a separate claim under California's Computer Data Access and Fraud Act.
  • The verdict breaks down to roughly $247 million for Android device members and $178 million for non Android members, or about $4 per person, and with interest the judgment had reached more than $440 million by March 2026.
  • The award is one of four 2026 privacy events hitting Google at once: a $135 million Android cellular data settlement, the new RTB Control launched April 24, 2026, and a $1.375 billion settlement with the Texas Attorney General.

What Did the Jury Decide?

The jury decided that Google unlawfully collected activity data from people who had asked it not to, and put a price of $425.7 million on that conduct. The trial ran in the Northern District of California, the home court for most large technology privacy litigation, and the verdict came down in September 2025. The certified classes covered roughly 98 million people who used a "supplemental Web & App Activity" privacy option tied to third party app use between July 2016 and September 2024.

Two of the plaintiffs' theories carried the day. The jury found invasion of privacy under California's constitutional right to privacy and common law intrusion upon seclusion. A third theory, brought under California's Computer Data Access and Fraud Act, was rejected. The jury also declined to award punitive damages, which signals that jurors saw the collection as a real intrusion worth compensating but stopped short of finding the kind of willful, malicious conduct that punitive awards are reserved for.

Google has moved to vacate the judgment and has signaled an appeal, so the money is not changing hands yet. With prejudgment interest, the judgment stood at more than $440 million by early March 2026.

What Is the "Web & App Activity" Setting Supposed to Do?

Web & App Activity is the Google account control that is supposed to govern whether Google saves your activity on its sites, apps, and the third party apps and sites that use Google services. When you turn it off, the plain reading of Google's own description is that this saving stops. That is the promise users relied on, and that is the promise the jury found Google broke.

The mechanism is subtle and matters to anyone designing or auditing consent flows. Plaintiffs argued that a separate, lower level stream of data continued to flow from third party apps that embed Google's developer tools, regardless of the main Web & App Activity switch. The user sees one toggle, set to off, and reasonably concludes the matter is settled. The data kept moving through a channel the toggle did not actually govern. The gap between what the control appears to do and what it actually does is the whole case.

For compliance officers, the takeaway from the trial commentary is blunt: a privacy toggle has to be intuitive to an average user, and the scope of what it controls has to match what the surrounding language implies. When a control reads as a global off switch but governs only one of several collection paths, a jury can treat the difference as an intrusion rather than a technicality.

How Did Google Keep Collecting Data After Users Opted Out?

Google kept collecting because the data path that mattered ran through code embedded inside other companies' apps, not through the setting users believed they had switched off. Many of the most common apps on a phone—shopping, fitness, news, finance—integrate Google software development kits and analytics libraries to measure usage and serve ads. Those libraries transmit information back to Google as part of their normal operation.

The plaintiffs' position was that flipping Web & App Activity to off did not sever that flow. The toggle governed what Google saved to the user's own account history. It did not, on the plaintiffs' reading, stop the device level and app level signals that arrived through the embedded code. To the user, the distinction is invisible. The setting page said the activity would not be saved. The activity kept arriving anyway.

This is the structural lesson privacy researchers keep documenting across the industry: an opt out that sits on top of a collection pipeline it does not actually control is not a real opt out. The control changes what the user sees in their dashboard while the underlying data continues to move. The same pattern shows up in unrelated cases, including the ChatGPT and Facebook pixel tracking lawsuit, where collection ran through a channel users did not know they had to disable.

How Does This Fit Google's Other 2026 Privacy Losses?

The $425 million verdict is not a standalone event. It is one of four privacy reckonings landing on Google inside a single year, and the pattern across them is the same: data collected through paths users either did not see or could not fully control.

First, Google agreed to pay about $135 million to settle claims that Android phones consumed users' cellular data in the background to send information to Google without consent. We cover that in detail in our piece on the $135 million Android cellular data settlement. The theory there mirrors Rodriguez: collection happening at the device level, outside the user's awareness.

Second, a federal judge in March 2026 approved a settlement in In re: Google RTB Consumer Privacy Litigation, and on April 24, 2026 Google launched a new RTB Control. Real time bidding is the split second auction that decides which ad you see, and plaintiffs said Google shared user data with hundreds of third parties through that process billions of times a day. When the new RTB Control is enabled at the partner ads settings page, bid requests are supposed to drop identifying details like pseudonymous IDs, mobile advertising IDs, IP addresses, and user agent strings, and to block cookie matching.

Third, Google settled with the Texas Attorney General for $1.375 billion over claims spanning location tracking, incognito browsing, and biometric data—the largest single state privacy recovery against the company to date. Read alongside the Rodriguez verdict, the picture is consistent: regulators and juries are increasingly willing to treat the gap between a stated privacy choice and the actual data flow as a legal wrong, not a design quirk.

What Can You Do to Limit Google Tracking?

You can narrow the data Google collects with a handful of concrete steps, though the Rodriguez case is a reminder that toggles alone are not a complete defense.

  • Turn off Web & App Activity and review your full Activity Controls. Go to myactivity.google.com, open Activity Controls, and switch off Web & App Activity, Location History, and YouTube History. Then use Auto delete to purge what is already stored.
  • Enable the new RTB Control. Visit adssettings.google.com/partnerads, find "Help advertisers select ads for you," and turn the blue check mark off so it shows a gray X. This is the control Google launched on April 24, 2026 to keep identifying data out of real time ad auctions.
  • Reset and limit your advertising ID. On Android, under Settings, Privacy, Ads, you can delete the advertising ID entirely. On iPhone, restrict app tracking under Settings, Privacy and Security, Tracking.
  • Audit app permissions. The Rodriguez collection ran through third party apps, so review which apps have location, contacts, and background data access, and revoke anything that does not need it.
  • Watch for the claims process. If the verdict survives appeal, class members may be able to file for a payout. Follow official channels rather than third party sites that ask for personal details up front.

The deeper lesson cuts across all of these steps. A setting labeled as an off switch is only as trustworthy as the collection paths it actually governs, and the past year of Google litigation shows how often those two things diverge. For a state level example of regulators pressing the same point, see our coverage of the OnStar $12.75 million CCPA fine, where a record California penalty followed undisclosed driving data collection.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.