Google is in the proverbial doghouse for claiming it was impossible to delete billions of data records it collected from users in Chrome’s Incognito mode. As it turns out, that simply wasn’t true.
Following the settlement of a lawsuit, Google has now agreed to do exactly that. Additionally, the fine print in Google Chrome’s Incognito mode windows has changed to somewhat clarify what the private browsing mode does—and does not do.
Here’s everything you should know about what changes Google has made, what data the company will delete, and how you can browse more privately.
In this article:
No matter whether you use Google Chrome, Microsoft Edge, Mozilla Firefox, Apple’s Safari, or any other Web browser, you are likely aware that each one has a private browsing mode. Most simply call this a “private window.” But there are two notable exceptions: Google Chrome calls it an “Incognito” window, and Microsoft Edge calls it an “InPrivate window.” These all operate in a more or less similar way.
When you open a private browsing window, all the browsing you do in that window will not keep any cookies, history, site data, or filled-out form information. Such data is only stored temporarily; moreover, is not mingled with non-private windows’ data. As soon as you close all private windows in that browser, all such data gets purged. This helps protect your privacy by preventing others who have access to your computer from discovering your browsing habits.
The key point is that, when in private browsing mode, your browsing history remains quarantined in that private session, and gets deleted from your computer when you close all private windows. (Or until you quit the browser—in most cases. Safari is the exception to the rule; it reopens private browsing windows when you relaunch the browser. You need to manually close all of Safari’s private windows to end the private session.)
In 2020, a class-action lawsuit was filed against Google, accusing the company of continuing to “track, collect, and identify [users’] browsing data in real time”—even when an Incognito window was used. The plaintiffs also accused Google of taking Chrome users’ private browsing activity and then associating it with their already-existing user profiles.
Google attempted to have the case thrown out. But in March 2021, a judge ruled that Google had to face the lawsuit, which sought $5 billion.
In late December 2023, Google agreed to settle out of court. In January 2024, Google changed the privacy disclosure in newly opened Incognito windows. Previously, it read:
“Now you can browse privately, and other people who use this device won’t see your activity. However, downloads, bookmarks and reading list items will be saved. Learn more”
After the change, it now reads (emphasis added):
“Others who use this device won’t see your activity, so you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google. Downloads, bookmarks and reading list items will be saved. Learn more”
The settlement also provides relief for Google’s past collection of private browsing data, by means of data deletion and remediation.
According to a court filing this week:
Much of the private browsing data in these logs will be deleted in their entirety, including billions of event level data records that reflect class members’ private browsing activities.
For the data-remediation process, Google must delete information that makes private browsing data personally identifying. Google will mitigate this data by partially redacting IP addresses and generalizing user agent strings.
That may not sound particularly difficult. But Google claimed during litigation that it was impossible to identify (and therefore delete) private browsing data, because of how the data was stored. The company also emphasized that Incognito browsing traffic fluctuated around just three percent of the data that Google collects and stores. With this settlement, plaintiffs successfully obtained Google’s agreement to remediate 100% of the dataset at issue.
And so, it appears that when there are billions of dollars on the line, the impossible can become possible.
Most people don’t associate the Google name with user privacy—and for good reason. Their bread and butter is the collection of as much user data as possible across all its services and products, and then selling that data. The fact that Google continued to collect user data, even in Incognito browser windows, should therefore come as no shock to those familiar with the company.
The court filing (PDF) claimed:
“This Settlement ensures real accountability and transparency from the world’s largest data collector and marks an important step toward improving and upholding our right to privacy on the Internet.”
Other changes resulting from this settlement include:
One of the main takeaways from the case is that many people largely misunderstand private browsing; it does not offer the protections that most people assume it does.
Your website traffic is generally the same regardless of whether or not you’re using a private browser session. For this reason, the term “private browsing” is somewhat of a misnomer; it can provide a false sense of security. And companies like Google are happy to take advantage of that, while continuing to collect valuable data.
So is there such thing as perfectly private browsing, so it would be completely impossible to uniquely identify you? In short: no, not really.
Sure, in theory, one could set up a dedicated computer for the sole purpose of browsing the Web. You could even set up a VPN or Tor on that computer. And you could choose to never use that computer to visit a site that one might associate with you in any way (which means you’d never be able to log into a site). But even then, perhaps you might be concerned that someone could figure out that you have that unique setup. If that bothers you, then you would need lots of other people to have an identical setup, and visit the same sites, so all parties would be virtually indistinguishable from one another. At that point, it becomes impractical and unrealistic.
But don’t fret just yet. Sure, absolutely perfect privacy may be virtually unattainable. However, you can reduce the amount of information you expose about yourself. Here are some tips that can help you maintain a more private posture online:
Did you learn something from this article? Share it with your friends and family so they can learn how to improve their privacy, too!
We discussed the Google settlement on episode 338 of the Intego Mac Podcast.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: