Court Dismisses Google Privacy Policy Case; Data Disclosure Not Enough for Standing

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Consumers who sued because their personal information, formerly scattered across Google Inc.'s products, was combined by the internet giant in 2012 failed to allege concrete harm, dooming a putative class action they brought against the company, the U.S. District Court for the Northern District of California ruled Dec. 28 (In re Google Inc. Privacy Policy Litigation, N.D. Cal., No. 5:12-cv-01382-PSG, dismissed 12/28/12).

On March 1, 2012, Google implemented a new privacy policy that condensed nearly 70 privacy policies into one that shares user data across various Google products, including its search engine, Gmail, and YouTube, the court explained.

Several putative class lawsuits against Google soon followed, which were ultimately consolidated into the present action. The plaintiffs--users of both Gmail and Android mobile phones--alleged that the company's new policy violated its prior policies, which each promised to use a consumer's information only for that particular Google product. In addition, the plaintiffs alleged that the new policy violated consumers' privacy rights.

The plaintiffs specifically alleged that Google violated the federal Wiretap Act, 18 U.S.C. §§ 2510-2522; California's Right of Publicity Statute, Cal. Civ. Code § 3344; California's Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200-17210; California's Consumer Legal Remedies Act, Cal. Civ. Code §§ 1750-1756; and other state consumer protection laws. The complaint also included claims for breach of contract, intrusion upon seclusion, and commercial misappropriation.

“The court observes that Plaintiffs may have raised serious questions regarding Google's respect for consumers' privacy[,]” U.S. Magistrate Judge Paul S. Grewal remarked. Yet the plaintiffs failed allege an injury in fact sufficient to support Article III standing, the court concluded, granting Google's motion to dismiss the complaint with leave to amend.

'Abstract Concepts' of Harm Insufficient.

“Plaintiffs have not identified a concrete harm from the alleged combination of their personal information across Google's products and contrary to Google's previous policy sufficient to create an injury in fact[,]” the court said.

The court looked to the U.S. District Court for the Central District of California's opinion in La Court v. Specific Media Inc., No. 8:10-cv-01256 (C.D. Cal. Apr. 28, 2011), where it dismissed a putative consumer class action against an online advertising firm that allegedly used flash cookies to circumvent online privacy protections because the plaintiffs did not show specific injury or harm to their computers (10 PVLR 697, 5/9/11). The plaintiffs in La Court, the Northern District explained, “instead offered only abstract concepts” of injury or harm.

Other federal district courts have reached similar conclusions, the Northern District noted, pointing to In re iPhone Application Litig., No.: 11-MD-02250-LHK, 2011 BL 240163 (N.D. Cal. Sept. 20, 2011) (10 PVLR 1370, 9/26/11); Low v. LinkedIn Corp., No.: 11-CV-01468-LHK, 2011 BL 292771 (N.D. Cal. Nov. 11, 2011) (10 PVLR 1681, 11/21/11); and other cases as examples.

“[N]othing in the precedent of the Ninth Circuit or other appellate courts confers standing on a party that has brought statutory or common law claims based on nothing more than the unauthorized disclosure of personal information, let alone an unauthorized disclosure by a defendant to itself[,]” the court remarked.

“[N]othing in the precedent of the Ninth Circuit or other appellate courts confers standing on a party that has brought statutory or common law claims based on nothing more than the unauthorized disclosure of personal information, let alone an unauthorized disclosure by a defendant to itself.”

U.S. Magistrate Judge Paul S. Grewal

Wiretap Act Claim Might Have Survived.

The plaintiffs' failure to allege that they purchased replacement mobile phones for their Android-based phones to escape Google's new policy created an additional obstacle to standing, the court said.

The plaintiffs' Wiretap Act claim might have survived, the court added, noting that a violation of statutory rights may be sufficient to provide standing. But “Plaintiffs utterly fail, however, to cite to any authority that supports either the notion that a provider can intercept information already in its possession by violating limitations imposed by a privacy policy or the inescapably plain language of the Wiretap Act that excludes from the definition of 'device' a provider's own equipment used in the ordinary course of business[,]” the court said.

In addition, the complaint failed to allege that Google used the plaintiffs' names, voices, signatures, photographs, or likenesses without their consent to support their California Right of Publicity Act claim, the court concluded.

L. Timothy Fisher and Sarah N. Westcot of Bursor & Fisher PA, in Walnut Creek, Calif.; Mark C. Gardy, James S. Notis, Kelly A. Noto, and Charles A. Germershausen of Gardy & Notis LLP, in Englewood Cliffs, N.J.; and James J. Sabella of Grant & Eisenhofer PA, in New York City, served as interim lead counsel for the putative class and Android subclass. Michael H. Page, Joshua H. Lerner, and Sonali D. Maitra of Durie Tangri LLP, in San Francisco, represented Google.

Officials Around the World Questioned Changes.

Following Google's January 2012 announcement of the new policy, officials around the world questioned the changes. U.S. lawmakers demanded answers from the company about how the policy change would protect consumer privacy, with some calling for a Federal Trade Commission investigation into whether the changes violated an earlier pact with the company (11 PVLR 189, 1/30/12; 11 PVLR 190, 1/30/12).

In October 2011, Google entered into a final administrative consent agreement with the FTC over its now defunct Google Buzz social network (10 PVLR 1565, 10/31/11). That agreement required the company to obtain “express affirmative consent” from users “prior to any new or additional sharing” of personal information with third parties.

Both France's data protection authority, the CNIL, and the Article 29 Working Party of top European Union data protection officials asked Google to delay implementation of the new policy, but the company declined (11 PVLR 232, 2/6/12). In February, 2012, the CNIL issued a preliminary conclusion that Google's privacy policy changes did not meet requirements under the EU Data Protection Directive (95/46/EC) (11 PVLR 426, 3/5/12).

As recent as October 2012, French and EU data protection officials urged Google to change its new policy by the end of 2012 to fix key areas that they said fail to comply with EU data protection law (11 PVLR 1559, 10/22/12).

Full text of the court's opinion is available at

Request Bloomberg Law: Privacy & Data Security