Lawsuit Over Google’s Unified Privacy Policy Pared Down, But Two Claims Survive

This is a lawsuit against Google for “commingling user data across different Google products.” Under the policy in effect before March 2012, information collected in one particular Google product was not automatically combined with information from another product. This changed when Google implemented a “unified privacy policy” in 2012, which made clear that Google could combine information collected from different products. The claims were brought on behalf of a class who acquired a Google account prior to February 2012 and who maintained that account after March 2012, when Google’s new privacy policy went into effect.

Claims were also brought on behalf of those who acquired an Android-powered device while the old policy was in effect and switched to a non-Android device after March 2012, and people who acquired an Android-powered device and who downloaded an app on the Android market.

Standing: the court finds that any harm associated with Google’s disclosure of consumers’ information alone does not satisfy standing. The court distinguishes Krottner v. Starbucks, a case where the Ninth Circuit did find standing, and says that mere disclosure (as opposed to a data breach along with access of the data via criminal activity) brings this case closer to Low v. LinkedIn and Yunker v. Pandora Media, two cases where courts said mere improper disclosures are insufficient for standing. As the court has said before, the court again concludes that being forced to switch phones (due to dissatisfaction with Google’s privacy policy) confers standing, as does depletion of battery life.

Claims Asserted by the Device Replacement Subclass: Plaintiffs brought a CLRA claim based on the theory that an older Android privacy policy misled consumers into buying those devices on the premise that Google would not associate device-related information with the person’s account. Plaintiffs alleged that Google never intended to honor this promise. Google asserted a variety of bases for dismissal of this claim, most of which the court disagrees with. However, the court still finds a core problem with plaintiffs’ claim: plaintiffs never allege they saw the older version of the privacy policy. Plaintiffs made a variety of arguments as to why they need not plead exposure specifically, but the court is not persuaded by any of these arguments. This claim fails.

As to the UCL claims on behalf of those who switched devices, the UCL claim under the unlawful prong was premised on the CLRA violation, so this fails. The claims under the unfair prong fail as well. Those claims are premised on a violation of plaintiffs’ right to privacy granted under the California constitution. Pleading a constitutional violation requires a serious or egregious violation of social norms, and the type of disclosure alleged by plaintiffs here does not cut it. As the court notes:

courts in this district have consistently refused to characterize the disclosure of common, basic digital information to third parties as serious or egregious violations of social norms.

Claims Asserted by the App Disclosure Subclass: The app disclosure subclass alleged that Google breached the terms Android users agreed to, by disclosing user data to third parties following download or purchase of an app. Google argued that the complaint was vague as to when the class members made their app purchases and what privacy policies they supposedly relied on, but the court says that absolute specificity is not required, and given that this claim isn’t a fraud-based claim, it need only satisfy Rule 8’s pleading requirement. Google also tried to argue that plaintiffs are not parties to Google’s general privacy policy but instead agreed to specific policies applicable to the Android and app store. The court rejects this argument because of a dispute over the authenticity of the older version of the policy. (The court struck a portion of a Google declaration that attached this policy.) Finally, Google argued that the complaint failed to allege what terms specifically Google breached, and the court says this argument is “simply false” – the Android device policy assured customers that although Google may share aggregated non-personal information, the information shared “[would] not identify [users] personally.” The court points to a few other examples of limitations in operative privacy policies that Google appears to have later disregarded.

The court dismisses the intrusion upon seclusion claim brought by this sub-class, noting that there is a “high bar” for such a claim and it’s not satisfied here.

Finally, the app disclosure subclass claim brought UCL claims. The claims under the unfairness prong were dismissed in the previous order and the court says the rationale from that order applies equally to the revised complaint. However, the UCL complaint under the fraudulent prong survives. Whatever its fate at the summary judgment phase, at the pleading stage, plaintiffs’ allegations—that Google had a policy in place that access to information would be limited to certain groups and it knew it planned to distribute data outside these groups—were sufficient.

Ultimately, two claims remain: the breach of contract and UCL claims brought by the app disclosure sub-class.

__

Judge Grewal (like Judge Koh) tends to issue thoughtful and readable opinions, and this one is no exception. (Bonus cite to Rocky rising from Apollo’s uppercut in the 14th round.) Both sides will probably tout this as somewhat of a victory, although there is plenty to be unhappy about for both sides. For Google, the fallout from combining its privacy policy continues. Meanwhile, for plaintiffs, a pair of claims for a small subclass survive, but those claims face uncertain prospects at best as the case continues. Among other problems, the class claims may not lend themselves to class-wide resolution, not to mention the fact that reliance on a privacy policy in legally sufficient terms is not something plaintiffs should take for granted. (See “Privacy Plaintiffs Lose Because They Didn’t Rely on Apple’s Privacy Representations — In re iPhone App Litigation.”)

Overall, the ruling illustrates that bringing a privacy claim based on a network’s allegedly improper use of consumer information faces continues to be a challenging endeavor. Numerous lawsuits, ranging from those involving flash or persistent cookies to the incidental passing of personal information, may survive a motion to dismiss but only after they are whittled down significantly. This case is no exception. The claims that survive interestingly are tied to a device, which means that the average Google account-holder unhappy about Google combining her YouTube data with her Gmail data is out of luck. Cf. Rodriguez v. Instagram, discussed in this post: “Court Blesses Instagram’s Right to Unilaterally Amend Its User Agreement–Rodriguez v. Instagram“.

There are some interesting factual allegations in the complaint that the court recounts in the order. One that caught my eye involved Google’s “Emerald Sea” plan to allegedly “reinvent [Google] as a social-media advertising company,” and “creating cross-platform dossiers of user data that would allow third-parties to tailor advertisements to specific customers.” In general, although the court is recounting the allegations in the pleadings, the order contains a healthy dose of cynicism towards Google’s actions.

[As a sidenote, I should mention that I find the process of navigating Google’s privacy settings and trying to avoid accessing material while logged in to an account (or controlling which account I’m logged in through) needlessly confusing. Consumer friendly from a privacy standpoint is certainly not a selling point for Google.]

Case citation: In re Google, Inc. Privacy Policy Litigation, 2014 WL 3707508 (N.D. Cal. July 21, 2014)

Related posts:

Judge Koh Puts the Kibosh on LinkedIn Referral ID Class Action — Low v. LinkedIn

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]