Did Google spy on you?
A court case in the US over allegations that Google collected app-based activity and other information about users, even when they had opted out, has spread to SA, raising privacy concerns about how the search giant used South Africans’ activity.
In September 2025, a jury found Google liable on two California privacy claims and awarded $425.65 million in compensatory damages in the Rodriguez et al vs Google class action. Media reports indicate Google has denied the allegations and says it will appeal the ruling, meaning the litigation is not yet final and no compensation is currently being distributed.
The plaintiffs have been broadly defined as “all individuals” who, between July 2016 and September 2024, had Google’s ‘Web & App Activity’ settings turned off but whose activity on third-party mobile apps was allegedly still transmitted to Google. Court filings and reporting on the case have estimated the class at approximately 98 million users and 174 million devices.
A court-authorised notice relating to the class action landed in this journalist’s inbox over the weekend, stating that Google’s records indicate she may be a class member in litigation over the company’s Web & App Activity privacy controls.
The notice arrived shortly before Google e-mailed users about changes to its privacy controls, saying it was splitting Web & App Activity into separate settings for Search services and Google Play, with users’ existing preferences carrying over to the new controls.
We told you
Four Google users sued the search giant, claiming it had continued collecting information about what they were doing in apps on their phones even after they had switched off Google’s activity-tracking settings, according to the court-authorised settlement website googlewebappactivitylawsuit.com.
The lawsuit focused on data transmitted through Firebase and Google Mobile Ads software development kits (SDKs) – tools embedded in millions of apps for analytics, advertising and app functionality.
Plaintiffs argued that activity from non-Google-branded apps continued to be sent to Google despite users disabling the relevant settings. Google has denied wrongdoing and argued that users had received disclosures about data collection and that questions of consent varied between individuals.
Although the class is not defined by Gmail use, Google’s reach in South Africa is extensive, with Gmail use at 65.5%, according to worldpopulationreview.com, and Android dominating the local smartphone market at a minimum of 75%, according to StatCounter.
When off isn’t off
Jacqui Muller, Belgium Campus iTversity researcher and PhD candidate in computer science, explains that the case hinges on whether users can trust privacy controls to do what they say they will do.
“The finding suggests that turning off a user-facing setting may not be enough if data continues to move through embedded SDKs, advertising libraries or analytics services.”
Muller explains the case underscores the complexity of modern apps, where third-party analytics, advertising and software tools can continue transmitting information despite users disabling tracking controls.
By this year, attackers were using AI to scale and accelerate cyber crime, which extends from generating code and automating attacks, to crafting convincing phishing and deepfake scams. The AI Incident Database lists more than 7 000 incidents in which AI was used as a hacking tool.