Suit Against Google Unified Privacy Policy Barely Survives Third Motion to Dismiss

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

July 23 — Users of Android mobile devices who alleged that Google Inc. commingled user data across its different products and shared the data with third parties contrary to prior privacy promises have only two claims remaining against the Internet giant after a federal district court July 21 dismissed the majority of their claims .  

The “Plaintiffs' complaint has sustained much damage but just manages to stand,” Magistrate Judge Paul S. Grewal of the U.S. District Court for the Northern District of California wrote.

Although a heightened risk of future harm doesn't confer standing, some of the plaintiffs have standing based on either the replacement of or battery depletion on their Android devices, the court concluded. But only two claims survived Google's third attempt to dismiss the case—a breach of contract claim and a claim under California's Unfair Competition Law (UCL).

Two Complaints Already Dismissed

On March 1, 2012, Google implemented a new privacy policy that condensed multiple privacy policies into one, permitting the sharing of user data across various Google products.

Google's streamlined privacy policy generated some concern in the European Union. France's data protection authority, the CNIL, ruled in January that the unified privacy policy violates the nation's data protection law and fined Google 150,000 euros ($202,015). Most recently, Italy's data protection authority has given the company 18 months to change the way it collects, stores and handles user data in that country.

In the U.S., users of Google's Android mobile devices sued the company on behalf of a proposed class, alleging that company's new policy violated its prior policies, each of which promised to use a consumer's information only for that particular Google product. In addition, the plaintiffs alleged that the new policy violated state and federal consumer privacy rights and statutes.

In December 2012, the court dismissed the plaintiffs' consolidated complaint, concluding that a lack of allegations of concrete harm or statutory or common law violations defeated their standing.

The court in December 2013 found that the plaintiffs' first amended complaint sufficiently pleaded standing, but it still dismissed the complaint on the basis that the plaintiffs didn't plead enough facts to support their claims.

Standing Based on Two Injuries

The court agreed with Google that standing based on an alleged risk of future harm doesn't suffice in this case. Although the U.S. Court of Appeals for the Ninth Circuit has held that the improper disclosure of personal data can support standing on the basis of a threat of future harm, that threat must be “credible, real, and immediate, and not merely conjectural or hypothetical,” the district court said.

In this case the alleged threat of future harm is too conjectural, the court said. Unlike in the Ninth Circuit case, Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), the plaintiffs haven't alleged any criminal activity, the district court said.

But two alleged injuries confer standing, the court concluded: one plaintiff's allegation that he incurred costs by purchasing a new phone after the Google policy change, and decreased battery life as a result of the alleged unauthorized transmission of information when applications are downloaded.

Two Claims Survive

The court dismissed the claims of the “Android Device Switch Subclass,” those who switched to non-Android devices after Google's policy change, under California's Consumer Legal Remedies Act (CLRA), Cal. Civ. Code § 1750, and UCL, Cal. Civ. Code § 17200.

Regarding the CLRA claim, the second amended complaint doesn't allege that any subclass member “read, heard, saw or were in any way aware of Google's operative privacy policy” and thus couldn't allege that the subclass relied on Google's misrepresentations, the court said. The UCL unlawful and fraudulent prong claims failed for related reasons.

But the latest complaint sufficiently alleged two claims on behalf of the “Android App Disclosure Subclass,” the Android mobile device users who downloaded an Android application: a breach of contract claim and a UCL fraudulent prong claim.

The court also dismissed the plaintiffs' federal Wiretap Act, Stored Communications Act, breach of contract, UCL unfairness prong and intrusion upon seclusion claims.

Gardy & Notis LLP, Grant & Eisenhofer PA and Bursor & Fisher PA served as interim co-lead counsel for the proposed class and subclass. Durie Tangri LLP represented Google.

Full text of the court's opinion is available at


Request Bloomberg Law Privacy and Data Security