Google Gets Dismissal of Lawsuit Over Privacy Policy Integration–In re Google Privacy Policy

Photo credit: Four steel grain silo towers in rural Greece // ShutterStock

Photo credit: Four steel grain silo towers in rural Greece // ShutterStock

This is another potentially important but head-scratching Northern District of California ruling in an Internet privacy lawsuit. This lawsuit involves Google’s integration of its various product-specific databases of user information into one giant across-Google Database of Ruin. It was inevitable that Google would integrate its database; having siloed databases leads to user interaction anomalies for Google, and it prevented Google from unlocking the full profit-maximizing potential of its databases. Unfortunately, I believe at least some of Google’s various privacy policies at some time periods pretty clearly promised to silo users’ data by product, so it took some chutzpah for Google to just blast right the promises it made. In our modern litigious society, Internet company chutzpah = litigation tsunamis, and Google is fighting lawsuits and regulatory investigations about its database integration across the globe.

Earlier this week, Judge Grewal dismissed the putative class action lawsuit for a second time. The opinion nicely summarizes the current trends in both Article III standing and grounds for substantive dismissal. Some of the plaintiffs’ claims are tossed for lack of Article III standing; the remainder are tossed on a 12(b)(6) motion to dismiss. While dismissal is never good for plaintiffs, Judge Grewal gives them another chance (which they will surely take). More importantly, Judge Grewal’s opinion provides a roadmap for future plaintiffs to survive dismissal motions, so I think plaintiffs will find this opinion quite interesting. The opinion doesn’t break a lot of new doctrinal ground, but it’s written in a clear and engaging style that makes it citation-bait. Some of my highlights:

PII and Economic Injury. Citing La Court v. Specific Media, the opinion rejects the argument that privacy violations create an economic injury because the defendant values PII. Check out Judge Grewal’s elegant treatment of the topic:

a plaintiff must allege how the defendant’s use of the information deprived the plaintiff of the information’s economic value. Put another way, a plaintiff must do more than point to the dollars in a defendant’s pocket; he must sufficient allege that in the process he lost dollars of his own. Plaintiffs’ allegations certainly plead that Google made money using information about them for which they were provided no compensation beyond free access to Google’s services. But an allegation that Google profited is not enough equivalent to an allegation that such profiteering deprived Plaintiffs’ of economic value from that same information.

I bolded my favorite part because that I think it perfectly encapsulates most privacy lawsuits: the class action lawyers see money in the defendant’s bank account and they want to move it into their bank accounts. But simply showing up to court and saying “gimme!” isn’t very persuasive.

Judge Grewal also gestures towards the popular meme that if you’re not paying for an online service, you’re the product. He says: “Google still manages to turn a healthy profit by selling advertisements within its products that rely in substantial part on users’ personal identification information (“PII”)….in this model, the users are the real product.” I refer you to Mike Masnick’s teardown of this meme.

Battery Drain as Cognizable Injury. Citing Goodman v. HTC among others, the opinion says that alleging battery drain creates an Article III injury. Note the mobile exceptionalism; increased power consumption of desktop or laptop computers typically doesn’t create Article III standing, but battery consumption of a mobile device apparently can. Expect plaintiffs to allege mobile phone battery drains in every privacy lawsuit going forward.

Reliance on Misrepresentations. Judge Grewal was clearly aware of his chamber-mate Judge Koh’s opinion last week in In re iPhone Application Litigation because he cites it, but his opinion implicitly conflicts with her by finding Article III standing when the plaintiff simply alleges it had overpaid because it relied on Google’s misrepresentations. Judge Koh just reached the opposite conclusion last week. Admittedly, she did so on summary judgment after extensive discovery, while Judge Grewal was ruling on a motion to dismiss. Still, the opinion doesn’t acknowledge the conflict or try to resolve it.

Statutory Violations Automatically Create Cognizable Injury. In the Edwards case, the Supreme Court recently punted on whether a statutory violation automatically creates a cognizable injury for Article III standing purposes. Judge Grewal, applying the Ninth Circuit’s ruling in Edwards, says yes–violations of federal and state statutes automatically create an injury for Article III purposes. Thus, for example, the court finds Article III standing for the California publicity rights violation. In contrast, violations of common law and contract breaches don’t have the same consequences on standing. This wasn’t a new legal conclusion, but Judge Grewal makes the standard very clear. Expect privacy plaintiffs to emphasize statutory violations, rather than common law or contract violations, in future lawsuits.

ECPA and Ordinary Course of Business. Judge Grewal also implicitly tussled with Judge Koh on the “ordinary course of business” exception to ECPA violations. Here, Google integrated some Gmail-related data into its Database of Ruin, which isn’t necessarily in the “ordinary course of business” for an email service provider. Nevertheless, Judge Grewal suggests that the “ordinary course of business” for email service providers may be expansive:

in defining “ordinary course of business” as “necessary” it begs the question of what exactly its means for a given action to be “necessary” to the delivery of Gmail. For example, in delivering Gmail is it really “necessary” do more than just the comply with email protocols such as POP, IMAP and MAPI? What about spam-filtering or indexing? None of these activities have anything specifically to do with transmitting email. And yet not even Plaintiffs suggest that these activities are unnecessary and thus lie outside of the “ordinary course business.”

Recall Judge Koh’s treatment of this issue in her troubling Gmail ads ruling (in a footnote!):

The Court does not find persuasive Google’s slippery slope contention that a narrow interpretation of the ordinary course of business exception will make it impossible for electronic communication service providers to provide basic features, such as email searches or spam control….Some of these may fall within a narrow definition of “ordinary course of business” because they are instrumental to the provision of email service.

Of course, Judge Koh’s “may” means by implication that they “may not.” My take is that Judges Grewal and Koh started from different places. Judge Grewal seems to take a fairly expansive view of what might qualify as “ordinary course of business” for email service providers, while Judge Koh expressly took a “narrow” view. Here’s how Judge Grewal distinguished Judge Koh’s Gmail ruling:

among other things, [Judge Koh’s] thorough analysis addressed allegations that Google’s practices violated its own internal policies, further establishing that its actions are outside the course of its business. In this case, Plaintiffs allege no such violation of any internal policy, rendering Plaintiffs claim insufficiently stated to overcome the hurdle that Rule 12(b)(6) imposes.

Um, OK. Earlier, Judge Grewal’s opinion previously said that Google allegedly promised siloed data and then ignored its promise, so isn’t that a pretty clear “violation of an internal policy”? And even if not, this issue is coming right back to Judge Grewal in the next amended complaint where the plaintiffs will surely make the allegation even more explicit. Then what?

Fortunately, the Grewal-Koh pseudo-conflict isn’t likely to matter for too long. Judge Koh’s opinion is on appeal to the Ninth Circuit, and that ruling will trump these district court data points. I’m hoping that the Ninth Circuit fixes Judge Koh’s Gmail ruling.

There’s plenty more good stuff in the opinion. If you practice in the area, read the whole thing.

So where does this ruling leave us? Google gets a win for now, the plaintiffs will be coming back with another amended complaint, future plaintiffs will be reading this opinion closely for helpful pointers, Judges Grewal and Koh probably have some good topics to chat about during their coffee breaks, and who knows what the next privacy ruling out of the Northern District of California will say.

Case citation: In re Google, Inc. Privacy Policy Litigation, 5:12-cv-01382-PSG (N.D. Cal. Dec. 3, 2013).

Related posts:

Privacy Plaintiffs Lose Because They Didn’t Rely on Apple’s Privacy Representations — In re iPhone App Litigation

Google Wins Cookie Privacy Lawsuit

IMDB’s Disclosure of Actress’s Age Will Go To Trial – Hoang v. Amazon

Did California Unintentionally (?) Impose New Statutory Duties on Every Blogger? A Post on the Newly Enacted California Reader Privacy Act

Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records — Sterk v. Redbox

Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information–Sterk v. Redbox

Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu

No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices — Mollett v. Netflix

Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation

Class Action Against Path Over Cellphone Address Book Access Keeps Going

Judge Koh Whittles Down iPhone App Privacy Lawsuit

Data Breach Claim Survives Based on Allegation of Misuse of Personal Information — Burrows v. Purchasing Power

Sony Network Data Breach Class Action Suffers Setback — In re Sony Gaming Network

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian

First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing

New Essay: The Irony of Privacy Class Action Lawsuits

Another Data Loss Case Tossed on Article III Grounds–Whitaker v. Health Net

Reidentification Theory Doesn’t Save Privacy Lawsuit–Steinberg v. CVS Caremark

Men’s Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute — Boorstein v. Men’s Journal

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]