Claims were also brought on behalf of those who acquired an Android-powered device while the old policy was in effect and switched to a non-Android device after March 2012, and people who acquired an Android-powered device and who downloaded an app on the Android market.
As to the UCL claims on behalf of those who switched devices, the UCL claim under the unlawful prong was premised on the CLRA violation, so this fails. The claims under the unfair prong fail as well. Those claims are premised on a violation of plaintiffs’ right to privacy granted under the California constitution. Pleading a constitutional violation requires a serious or egregious violation of social norms, and the type of disclosure alleged by plaintiffs here does not cut it. As the court notes:
courts in this district have consistently refused to characterize the disclosure of common, basic digital information to third parties as serious or egregious violations of social norms.
The court dismisses the intrusion upon seclusion claim brought by this sub-class, noting that there is a “high bar” for such a claim and it’s not satisfied here.
Finally, the app disclosure subclass claim brought UCL claims. The claims under the unfairness prong were dismissed in the previous order and the court says the rationale from that order applies equally to the revised complaint. However, the UCL complaint under the fraudulent prong survives. Whatever its fate at the summary judgment phase, at the pleading stage, plaintiffs’ allegations—that Google had a policy in place that access to information would be limited to certain groups and it knew it planned to distribute data outside these groups—were sufficient.
Ultimately, two claims remain: the breach of contract and UCL claims brought by the app disclosure sub-class.
Overall, the ruling illustrates that bringing a privacy claim based on a network’s allegedly improper use of consumer information faces continues to be a challenging endeavor. Numerous lawsuits, ranging from those involving flash or persistent cookies to the incidental passing of personal information, may survive a motion to dismiss but only after they are whittled down significantly. This case is no exception. The claims that survive interestingly are tied to a device, which means that the average Google account-holder unhappy about Google combining her YouTube data with her Gmail data is out of luck. Cf. Rodriguez v. Instagram, discussed in this post: “Court Blesses Instagram’s Right to Unilaterally Amend Its User Agreement–Rodriguez v. Instagram“.
There are some interesting factual allegations in the complaint that the court recounts in the order. One that caught my eye involved Google’s “Emerald Sea” plan to allegedly “reinvent [Google] as a social-media advertising company,” and “creating cross-platform dossiers of user data that would allow third-parties to tailor advertisements to specific customers.” In general, although the court is recounting the allegations in the pleadings, the order contains a healthy dose of cynicism towards Google’s actions.
[As a sidenote, I should mention that I find the process of navigating Google's privacy settings and trying to avoid accessing material while logged in to an account (or controlling which account I'm logged in through) needlessly confusing. Consumer friendly from a privacy standpoint is certainly not a selling point for Google.]