Google’s Privacy Policy Integration Initially Defeats Legal Challenge — In re Google Privacy Policy Litigation

[Post by Venkat Balasubramani with comments from Eric]

In re Google, Inc. Privacy Policy Litigation, C 12-01382 PSG (N.D. Cal.; Dec. 28, 2012)

In a decision that should be closely watched by the Instagram plaintiffs who are complaining about Instagram’s terms of use changes, Magistrate Judge Grewal initially rebuffed plaintiffs’ efforts to challenge Google’s privacy policy changes.

Plaintiffs are unhappy about Google combining its 70 odd privacy policies into a single policy, which Google explains has the following effects:

The main change is for consumers with Google Accounts . . . Our new Privacy Policy makes clear that, if you’re signed in, we may combine information that you’ve provided from one service with information from other services. In short, we’ll treat you as a single user across all our products, which will mean simpler, more intuitive Google experience.

The complaint alleges “violations of the Wiretap Act, 18 U.S.C. 2511 et seq., California’s Right of Publicity Statute, Cal. Civ. Code 3344, California’s Unfair Competition Law, Cal. Bus. & Prof. Code 17200 et seq., California’s Consumer Legal Remedies Act, Cal. Civ. Code 1750 et seq., common law breach of contract, common law intrusion upon seclusion, common law commercial misappropriation, and violation of consumer protection laws of the various states.”

The court does not get to the merits, and instead rebuffs plaintiffs on the basis that they do not satisfy the requisite (Article III) standards for standing.

The first argument for standing was that the privacy policy changes would force plaintiffs to replace their Android-powered devices. However, no plaintiff actually alleged that he or she actually was “forced” to replace their phone on the basis of the privacy policy changes.

Second, the court also takes issue that the combining of personal information by Google causes any (compensable) harm at all. Citing to Specific Media, a cookie case, the court says that vague ideas of “opportunity costs,” “value-for-value exchanges,” “consumer choice,” and “diminished performance,” are not enough for standing.

Finally, the court grapples with the issue of whether an alleged statutory violation is enough for standing. Although the court’s resolution of this issue is not entirely clear, the court expresses doubt regarding plaintiffs’ ability to get past a Rule 12b6 motion on at least two causes of action: the Wiretap Act and California’s right of publicity statute. The Wiretap Act claim probably fails because the definition of “device” excludes any equipment used by Google in the ordinary course of its business (and the statute contains a carve-out for interceptions by providers). The publicity rights claim fails because the plaintiffs simply do not allege any use of their “name, voice, signature, photograph, or likeness . . . .”

__

As I mentioned initially, Instagram plaintiffs take note! I think they will have an even harder time than the plaintiffs in this case, but they are sure to face an initial standing hurdle (regardless of how they fare on the merits).

Here is a big question that’s left unaddressed, at least in the order: are Google’s changes prospective only or do they apply to previously collected data. I’m guessing the answer has to be the latter, because it seems foolish to challenge a prospective-only change. A follow-up question would be whether Google gives people the ability to wipe their old data. I don’t have a ton of confidence for the FTC to resolve these issues (although the confidence level is slightly higher than in the class action system), but this all makes you wonder whether these changes have to go through the FTC hoop. My understanding was that any material changes of privacy policies have to be submitted to the FTC (or something like this)?

It’s interesting to see courts continue to grapple with the question of whether a statutory violation is enough to create standing.

Also interesting to see the continuing viability of the Specific Media opinion, which did a nice job of breaking down plaintiff’s abstract contentions around the loss of value to personal information arguments. I wonder if other arguments will take their place (e.g., price discrimination based on tracking) but in any event, we’ve seen enough cases reject this argument to know its viability is seriously in doubt.

______

Eric’s Comments

What a fitting way to end 2012, much like it began: with yet another bogus privacy lawsuit against an Internet company being tossed from court early. I don’t know whether I’m heartened by the way the judicial system has handled the onslaught of privacy lawsuits in 2012, or saddened by the fact that privacy plaintiffs lawyers don’t seem to be getting the message. Maybe that horse has left the barn; perhaps for the rest of our careers, we’re destined to see a never-ending flow of bottom-feeding lawsuits every time an Internet company sneezes. Oh joy.

Even though Judge Grewal properly flushes this P.O.S. down the toilet, it’s not all hugs and kisses to Google, especially when he says:

The court observes that Plaintiffs have raised serious questions regarding Google’s respect for consumers’ privacy.

He’s right, and we should have an intelligent and cogent discussion about that. I sometimes wonder about Google’s practices myself. Still, no matter how angry you are with Google’s privacy practices, you should be even angrier about junk privacy lawsuits that aren’t intended to, and won’t, advance our interests as consumers.

Related posts:

Data Breach Claim Survives Based on Allegation of Misuse of Personal Information — Burrows v. Purchasing Power

Sony Network Data Breach Class Action Suffers Setback — In re Sony Gaming Network

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian

First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing

New Essay: The Irony of Privacy Class Action Lawsuits

Another Data Loss Case Tossed on Article III Grounds–Whitaker v. Health Net

Reidentification Theory Doesn’t Save Privacy Lawsuit–Steinberg v. CVS Caremark

Men’s Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute — Boorstein v. Men’s Journal

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]