If, like most people, you thought Google stopped tracking your location once you turned off Location History in your account settings, you were wrong. According to an AP investigation published Monday, even if you disable Location History, the search giant still tracks you every time you open Google Maps, get certain automatic weather updates, or search for things in your browser. There’s a way to stop it—but it takes some digging.

The problem affects anyone with an Android phone and iPhone users running Google Maps on their devices, according to the AP report, which researchers at Princeton University verified. That’s more than two billion people.

The Google support page for managing and deleting your Location History says that once you turn it off, “the places you go are no longer stored. When you turn off Location History for your Google Account, it’s off for all devices associated with that Google Account.” The AP’s investigation found that’s not true. In fact, turning off your Location History only stops Google from creating a timeline of your location that you can view. Some apps will still track you and store time-stamped location data from your devices.

More specifically, the AP was able to track Princeton researcher Gunes Acar’s home address, as well as his daily activities, using just Google Web & App activity, which he had shared with the news agency.

“If Google is representing to its users that they can turn off or pause location tracking but it’s nevertheless tracking their location, that seems like textbook deception to me,” says Alan Butler, senior council at the Electronic Privacy Information Center.

To actually turn off location tracking, Google says you have to navigate to a setting buried deep in your Google Account called Web & App Activity, which is set by default to share your information, including not just location but IP address and more. Finding that setting isn’t easy. At all.

Sign in to your Google account on a browser on iOS or your desktop, or through the Android settings menu. In the browser, access your account settings by finding Google Account in the dropdown in the upper right-hand corner, then head to Personal Info & Privacy, choose Go to My Activity, then in the left-hand nav click Activity Controls. Once there you’ll see the setting called Web & App Activity, which you can toggle off.

On your Android phone, go from Google settings to Google Account, then tap on Data & personalization. You’ll find Web & App Activity there.

Google further buries the notion that Web & App Activity has anything to do with location. In fact, the setting sits right above the Location History option, suggesting at a glance that the two things are quite distinct. And Google’s vanilla description of Web & App Activity is that it “Saves your activity on Google sites and apps to give you faster searches, better recommendations, and more personalized experiences in Maps, Search, and other Google services.” From there, you have to tap Learn more, then scroll to What’s saved as Web & App Activity, and tap again on Info about your searches & more before Google says anything about location whatsoever.

To stop that tracking, toggle the blue Web & App Activity slider to off. Google will then give you a popup warning: “Pausing Web & App Activity may limit or disable more personalized experiences across Google services. For example, you may stop seeing more relevant search results or recommendations about places you care about. Even when this setting is paused, Google may temporarily use information from recent searches in order to improve the quality of the active search session.”

‘This really reads like a classic case of an unfairly deceptive business practice. I really think that the FTC needs to investigate right away.’

Alan Butler, EPIC

Google told the AP that it provides “clear descriptions of these tools,” but it takes eight taps on an Android phone—if you know exactly where you’re going—to even access that description to begin with. As the AP notes, most people who explicitly turned off their Location History tracking, as WIRED and many other privacy conscious publications have advised people to do, would have assumed they had already taken all steps necessary to keep their location private.

As well they should. Google itself offers at least three support pages on location: Manage or delete your Location History, Turn location on or off for your Android device, and Manage location settings for Android apps. None of these makes any mention of Web & App Activity.

In spite of this, a Google spokesperson told WIRED that “we make sure Location History users know that when they disable the product, we continue to use location to improve the Google experience when they do things like perform a Google search or use Google for driving directions.” This apparently refers to a warning that appears if you turn off Location History, which says that it “does not affect other location services on your device.” However, nowhere in that popup does it indicate that you can turn off other forms of location tracking by pausing Web & App Activity.

“Tracking people without their consent and without proper controls in place is creepy and wrong,” wrote UC Berkeley graduate researcher K Shankar in a blog post that first alerted the AP to the problem.

Beyond creepiness, though, Google’s location-tracking may also violate the Federal Trade Commission’s consumer protection statutes against deceptive privacy practices. “This really reads like a classic case of an unfairly deceptive business practice. I really think that the FTC needs to investigate right away,” says Butler.

Google’s Location History situation is reminiscent of Facebook’s various runnings with the FTC. In 2011, the agency famously settled with Facebook over the social media giant’s inability to keep privacy promises to consumers. As part of that deal, Facebook agreed to a consent decree in which it promised to reform how it tracked and shared user data. That decree has been in the news lately, after the FTC opened a new investigation this spring into whether Facebook’s data sharing with Cambridge Analytica violated its 2011 settlement. The FTC has more recently penalized Uber, Vizio, the phone maker Blu, and many others for misleading customers about how their data was collected, stored, and shared.

Former FTC chief technologist Ashkan Soltani noted in a tweet that Google’s “confusing privacy dialogue” may merit a closer look from the agency.

“Google’s reaction—that users can delete individual data points, or users can go deep down in settings and turn off certain web settings that appear to have nothing to do with location, therefore it should be okay, I think fundamentally misunderstands what they’re dealing with,” says Butler. “When you’re creating a historical log of someone’s movements over time, that’s information that’s uniquely sensitive and needs to be handled accordingly.”

The revelations are likely to touch off a firestorm for Google. For now, the best thing you can do is navigate through your labyrinthine settings, and hit “pause” on something you likely thought you’d already stopped.

More Great WIRED Stories