Diritto al Digitale

Diritto al Digitale is the must-listen podcast on innovation law, brought to you by Giulio Coraggio, data and technology lawyer at the global law firm DLA Piper. Each episode explores the cutting-edge legal challenges shaping our digital world—from data privacy and artificial intelligence to the Internet of Things, outsourcing, e-commerce, and intellectual property.

Join us as we illuminate the legal frameworks behind today’s breakthroughs and provide insider insights on how innovation is transforming the future of business and society.

You can contact us at the details available on dlapiper.com

All Episodes

Diritto al Digitale

Google, Privacy & $1.3B Fine: Who’s Tougher — US or EU?

May 27, 2025 • DLA Piper Law Firm

Google has agreed to pay $ 1.375 billion to settle two major privacy lawsuits in Texas—its largest data-related payout ever. But is the U.S. finally outpacing the EU in regulating Big Tech?

In this episode of Diritto al Digitale, Giulio Coraggio, technology and data lawyer at DLA Piper, compares this record-breaking settlement to key GDPR fines in Europe. From biometric data enforcement to location tracking, we explore the different legal models on both sides of the Atlantic.

Is it better to write a billion-dollar check and move on, or to face slower but deeper structural reforms under the GDPR?
And what does all this mean for the future of privacy compliance in a world increasingly driven by biometrics and AI?

Send us a text

📌 You can find our contacts 👉 www.dlapiper.com

What happens when one of the world’s most powerful tech giants gets caught misusing your data?
Is justice just a matter of writing a massive check—or are deeper reforms possible?
And more importantly… who’s really setting the standard in the global privacy battle: the United States or the European Union?

Welcome to Diritto al Digitale, the podcast where we explore the intersection of law and innovation.
I’m Giulio Coraggio, a technology and data lawyer at the global law firm DLA Piper, and today we’ll dissect one of the most headline-grabbing privacy cases of recent years:

Google’s $1.375 billion settlement in Texas over location tracking and biometric data misuse.
But we’ll also go beyond the dollar signs—comparing this case with some of the most impactful European GDPR sanctions.
Let’s dive in.

On May 15, 2024, Google agreed to pay $1.375 billion to settle two lawsuits filed by the Texas Attorney General, Ken Paxton.
The allegations were serious:

Google allegedly tracked users’ physical location, even when they thought they had opted out—like in Incognito Mode or with Location History disabled.
It also collected and stored biometric data—including voiceprints and facial geometry—without obtaining valid, informed consent.

If this sounds familiar, it’s because it is.
Google has been repeatedly targeted in the U.S. for privacy violations:

In 2022, the company paid $391 million to 40 U.S. states over similar location tracking issues.
In 2023, it reached smaller settlements with Indiana and Washington ($29.5 million combined), and California ($93 million).

So what makes the Texas case stand out?
The sheer amount—$1.375 billion—is the largest privacy-related settlement ever imposed on Google in the U.S.
And unlike some European cases, it focused not just on advertising data, but also on biometric identifiers—one of the most sensitive and legally complex categories of personal data.

Let’s take a closer look at the biometric side of this case.

In the U.S., states like Illinois and Texas have enacted dedicated biometric privacy laws.
The Biometric Information Privacy Act (BIPA) in Illinois is particularly aggressive: it allows individuals to sue companies directly for the unauthorized collection of their biometric data—think fingerprints, voice recognition, facial scans.

Under these laws, consent is not just nice to have—it’s legally mandatory.
And the damages are real: Meta, for instance, paid $650 million under BIPA for its facial recognition practices on Facebook.
Now Google is joining the list, with an even larger payout.

But unlike in Europe, where regulatory enforcement is centralized under Data Protection Authorities, the U.S. system enables private enforcement—a key reason why tech companies are being hit with such high settlements.

Now let’s flip the coin and look at Europe.

Here, privacy enforcement is grounded in the General Data Protection Regulation (GDPR).
Instead of settlements, we have administrative fines.
And Google hasn’t been immune:

In 2019, France’s CNIL fined Google €50 million for failing to obtain valid user consent for personalized ads.
In 2020, CNIL imposed a further €100 million fine over cookie violations.
In 2022, Spain’s data authority fined Google €10 million for improper international data transfers.
And in Ireland—home to Google’s European headquarters—multiple investigations have been launched, though often criticized for moving too slowly or ending without significant consequences.

This brings us to a crucial difference:
While U.S. cases often involve huge settlements, GDPR fines usually come with deep, structural consequences.
We’re talking about:

Mandatory audits,
Business process reforms,
and sometimes, orders to suspend data processing altogether.

It’s not just about the money—it’s about changing how companies operate.

So, who’s really tougher on Big Tech?

Let’s compare:

The U.S. model

Pros: Big, headline-making numbers.
Powerful state-level enforcement, especially on biometrics.
Civil liability and class actions act as powerful deterrents.
Cons: No admission of guilt. Companies often pay and move on.

The European model (GDPR)

Pros: Systemic impact. Reforms become permanent.
Focus on transparency, user control, and data minimization.
Cons: Enforcement can be slow, and fines don’t always reflect the scale of harm.

But here’s the twist: Google’s changes after the Texas case show the growing influence of U.S. pressure on product design.
The company has since started:

Storing location data locally,
Allowing easier deletion of tracking history,
And limiting voice and biometric data retention.

Would this have happened under the GDPR alone? Maybe—but probably not as fast.

If you're a tech company—regardless of where you’re based—these cases send a clear message:

Biometric data is a legal minefield.
Transparency and user control must be designed into your products from day one.
And privacy law isn’t just a European issue anymore—it’s a global strategic concern.

At DLA Piper, we help companies implement privacy compliance strategies that don’t just react to regulation—but anticipate it.
Because whether you're dealing with the FTC, the CNIL, or the Texas Attorney General, one thing is clear:
regulators are watching—closely.

[Final Thoughts – Questions to the Audience]

So let me ask you:

Do you think Google should be allowed to settle cases without admitting wrongdoing?
Is the European model really more effective, or just more bureaucratic?
And as we head into a future dominated by biometrics, AI, and surveillance… are we prepared for the privacy challenges ahead?

I’d love to hear your thoughts.

Write to me at giulio.coraggio@dlapiper.com to share your opinion or suggest future topics.
And don’t forget to:

Subscribe to Diritto al Digitale,
Turn on the notification bell so you don’t miss the next episode,
And if you enjoyed today’s discussion, leave us five stars on Apple Podcasts or Spotify.

I’m Giulio Coraggio,
This is Diritto al Digitale.
Arrivederci.

People on this episode

Giulio Coraggio

Host