[car_analogy]

This gives me an idea - if you bury deep in your website clickthrough EULA that, by clicking accept, users authorize you to hack their phone and exfiltrate the same information that Google took, would you be legally in the clear?

And why not? One could argue that users weren't meaningfully informed, or that such a clause isn't expected for a website, or that you have no legitimate interest in that information.. but all of these arguments apply to what Google did as well!

The only difference seems to be that people are accustomed Google's spying, so they couldn't have been too surprised by this. But that's totally backwards - habitually and publicly breaking the law should result in harsher penalties, not milder!