AI Case Brief
Generate an AI-powered case brief with:
đKey Facts
âïžLegal Issues
đCourt Holding
đĄReasoning
đŻSignificance
Estimated cost: $0.10â$0.50 per brief, depending on opinion length and retries
Full Opinion
1 2 3 4 5 6 7 UNITED STATES DISTRICT COURT 8 NORTHERN DISTRICT OF CALIFORNIA 9 ANIBAL RODRIGUEZ, et al., 10 Case No. 20-cv-04688-RS Plaintiffs, 11 v. ORDER DENYING GOOGLEâS 12 MOTION FOR SUMMARY GOOGLE LLC, JUDGMENT 13 Defendant. 14 15 I. INTRODUCTION 16 This is a privacy class action brought against Google LLC (âGoogleâ). Plaintiffs are 17 members of two sub-classes, comprising individuals with Android and non-Android mobile 18 devices who had certain privacy-related settings switched off in their Google accounts. In the 19 Fourth Amended Complaint (âFACâ), Plaintiffs aver that Google contravened its user-facing 20 privacy representations regarding its Web App and Activity (âWAAâ) and supplemental Web App 21 and Activity (â(s)WAAâ) settings, advancing three California claims: invasion of privacy under 22 the California Constitution, common law intrusion upon seclusion, and violation of the 23 Comprehensive Computer Data Access and Fraud Act (âCDAFAâ). Google moves for summary 24 judgment on all claims advanced by Plaintiffs in the FAC. For the reasons set forth herein, 25 Googleâs motion is denied. 26 II. BACKGROUND 27 A. WAA and (s)WAA settings 1 (s)WAA setting. The WAA button is a Google account setting that purports to give users privacy 2 control of Googleâs data logging of the userâs web app and activity, such as a userâs searches and 3 activity from other Google services, information associated with the userâs activity, and 4 information about the userâs location and device. The (s)WAA button, which can only be switched 5 on if WAA is also switched on, governs information regarding a userâs â[Google] Chrome history 6 and activity from sites, apps, and devices that use Google services.â Disabling WAA also disables 7 the (s)WAA button. 8 B. Google Analytics for Firebase 9 To aid third-party app developers, Google created software development kits, including 10 Firebase and Google Mobile Ads (âGMAâ). These kits are incorporated into apps by third-party 11 app developers and allow Google to collect user data, including data regarding required fixes or 12 updates. If an app developer seeks information about their app usersâ interactions with ads, they 13 can use Google Analytics for Firebase (âGA4Fâ). GA4F is a free analytical tool that takes user 14 data from the Firebase kit and provides app developers with insight on app usage and user 15 engagement. It is integrated in 60% of the top apps. Dkt. 361-58, Expert Report of Johnathan E. 16 Hochman (âHochman Rep.â) ¶ 2. Functionally, GA4F works by automatically sending to Google 17 a userâs ad interactions and certain identifiers regardless of a userâs (s)WAA settings, and Google 18 will, in turn, provide analysis of that data back to the app developer. GMA logs similar ad-related 19 interactions. 20 Developers can customize their usage of GA4F to receive information uniquely helpful for 21 their app development purposes and must obtain consent from end users to use GA4F. Google 22 argues that its sole purpose for collecting (s)WAA-off data is to provide these analytic services to 23 app developers. This data, per Google, consists only of non-personally identifiable information 24 and is unrelated (or, at least, not directly related) to any profit-making objectives. 25 GA4F specifically allows app developers to track what Google coins âattributionsâ and 26 âconversions.â Attribution/Conversion Tracking permits Google to â(1) log the fact that it has 27 served an ad alongside a device identifier for accounting purposes, and (2) attribute conversion 1 events to those ad serving records.â Google argues that its practice of Attribution/Conversion 2 Tracking does not harm users and instead involves the sharing of just critical pieces of 3 information, namely which device triggered the conversion event, which app sent Google the 4 information, and âother similar pieces of information.â1 5 C. Pseudonymous data 6 When a user toggles (s)WAA off, Google purports to treat their data as âpseudonymous.â2 7 Google creates a randomly-generated identifier when logging a (s)WAA-off userâs analytics and 8 ads data. This identifier permits Google to recognize the particular device and its later ad-related 9 behavior. On Android, the identifier is labeled ad ID (âADIDâ) and on iOS it is referred to as 10 Identifier for Advertiser (âIDFAâ). Through its software development kits, Google collects ADID 11 or IDFA for Googleâs Attribution/Conversion Tracking purposes. 12 Another identifier that is capable of being saved by Google through GA4F is the Google 13 Accounts and ID Administration ID (âGAIA IDâ). The âGAIA ID uniquely identifies a Google 14 account holderââin other words, it links data collected to a specific userâs Google account. 15 Hochman Rep. ¶ 109. Google insists that it has created technical barriers to ensure, for (s)WAA- 16 off users, that pseudonymous data is delinked to a userâs identity by first performing a âconsent 17 checkâ to determine a userâs (s)WAA settings. Specifically, GA4F logs the deviceâs ads 18 personalization opt-out settings. If that check yields a (s)WAA-off result, that data is logged in the 19 âpseudonymous spaceâ that does not contain GAIA IDs, as those correspond to a userâs Google 20 account. When this âconsent checkâ is performed, the retrieved device IDs are encrypted. 21 22 1 As an example, Google provides that âwhile a conversion event could be called 23 âin_app_purchase,â and it could contain for the app developer pseudonymous information about what the device purchased, for Googleâs attribution purposes, it is just the fact that the event 24 occurred that is logged and later used to connect an ad click at Time 1 with a purchase at Time 2.â Googleâs Motion for Summary Judgment (âGoogleâs Mot.â) at 10-11. 25 2 Google uses the term âpseudonymousâ throughout its motion to describe its treatment of the data 26 it collects from (s)WAA-off users. It is not entirely clear what Google intends to denote by use of this term, but it seems to suggest the replacement of identifiable information with a contrived 27 identifier. 1 Likewise, the âGAIA-keyedâ space contains no identifiers that would be in the pseudonymous log. 2 Where there is overlap, Google encrypts that data and throws away the decryption key after six 3 days. Googleâs employees are also purportedly prohibited from âjoiningâ pseudonymous and 4 identifiable data based on internal policies. In other words, per Google, pseudonymous and 5 identifiable data are kept separate. 6 D. Googleâs disclosures 7 Google insists that users knew and consented to its tracking practices. Relying on the 8 WAA and (s)WAA disclosures, the Google Privacy Policy (âPPâ), and language in Googleâs 9 Privacy Portal, Google contends that it disclosed adequately the contours of the WAA and 10 (s)WAA buttons. Specifically, it argues that users knew the WAA and (s)WAA settings controlled 11 only whether a userâs web app and activity was linked to their âpersonal information,â which it 12 contends is synonymous with information âsaved into [the userâs] Google Accountâ and that those 13 settings do not cover non-personally identifiable information (ânon-PIIâ). 14 First, Google points to the language surrounding the WAA and (s)WAA buttons. The 15 WAA setting is located in a Google accountâs page. The subheading for 16 states that a user may â[c]hoose the activities and info [a user] allow[s] 17 Google to saveâ on that page. On the actual page, where WAA is an available 18 setting for a user to toggle on or off, Google indicates that a user may â[c]hoose which settings 19 will save data in your Google Account.â Scrolling lower, the specific language surrounding the 20 WAA button states that switching it on â[s]aves your activity on Google sites and apps, including 21 associated location, to give you faster searches, better recommendations, and more personalized 22 experiences inâŠ[various] Google services.â Finally, (s)WAA, which can only be turned on if 23 WAA is also on, â[i]ncludes Chrome history and activity from sites, apps, and devices that use 24 Google services.â Based on the subheading on the page, Google argues that a 25 user would know turning (s)WAA on or off controlled only whether Google could save certain 26 information âto a userâs Google account.â 27 In support of this interpretation of the phrase âsaved to your Google account,â Google 1 points to language in its PP. The PP states that when a user signs up for a Google Account, Google 2 may âask for personal information, like your name, email address, telephone number, or credit 3 card to store with your account.â Googleâs Mot. Appx. A-7 at 4. Elsewhere, Googleâs PP defines 4 âpersonal informationâ as âinformation which you provide to us which personally identifies you, 5 such as your name, email address, or billing information, or other data which can be reasonably 6 linked to such information by Google, such as information with your Google account.â Id. at 57. 7 Non-PII is defined as âinformation that is recorded about users so that it no longer reflects or 8 references an individually identifiable user.â Id. The PP further explains that depending on a userâs 9 account settings, the userâs âactivity on other sites and apps may be associated with your personal 10 informationâ and Google may still âshare [non-PII] publicly and with our partners.â Id. at 6-7, 11. 11 In other words, based on Googleâs PP and the WAA and (s)WAA disclosures, Google contends 12 that users should have known that any app activity data shared with third-party developers through 13 GA4F was not covered by the WAA and (s)WAA settings because those settings controlled only 14 whether the data was saved in a userâs account. 15 E. The central dispute 16 While Google paints its practice of tracking attributions and conversion via GA4F as basic 17 record-keeping, Plaintiffs view it as considerably less innocuous than Google portrays. This 18 tracking, in Plaintiffsâ view, contravenes Googleâs (s)WAA representations to users because it 19 gathers exactly the data Google denies saving and collecting about (s)WAA-off users. Moreover, 20 Plaintiffs insist that Googleâs practices allow it to personalize ads by linking user ad interactions to 21 any later related behaviorâinformation advertisers are likely to find valuableâleading to 22 Googleâs lucrative advertising enterprise built, in part, on (s)WAA-off data unlawfully retrieved. 23 Accordingly, Plaintiffs contend, Google should be disgorged of all its profits derived from serving 24 any ads to (s)WAA-off users. 25 For its part, Google denies that any (s)WAA-off data is saved to a userâs marketing profile, 26 which precludes it from personalizing advertising to a WAA-off user. Instead, Google insists that 27 it engages simply in unharmful and basic record-keeping of âpseudonymousâ data for (s)WAA-off 1 users, intended to be shared with only developers through GA4F for their own analysis. 2 III. LEGAL STANDARD 3 Summary judgment is appropriate if the pleadings, discovery, and affidavits show âthat 4 there is no genuine dispute as to any material fact and the movant is entitled to judgment as a 5 matter of law.â Fed. R. Civ. P. 56(a). A genuine issue of material fact is one that could reasonably 6 be resolved in favor of the nonmoving party, and which could âaffect the outcome of the suit.â 7 Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). The party moving for summary 8 judgment bears the burden of proof to âmake a showing sufficient to establishâŠthe existence of 9 an element essential to that partyâs case.â Celotex Corp. v. Catrett, 477 U.S. 317 (1986). If the 10 movant succeeds in demonstrating the absence of a genuine issue of material fact, the burden then 11 shifts to the nonmoving party to âset forth specific facts showing that there is a genuine issue for 12 trial.â Id. at 322 n.3; see also Fed. R. Civ. P. 56(c)(1)(B). Evidence must be viewed in the light 13 most favorable to the nonmoving party and all justifiable inferences must be drawn in its favor. 14 See Anderson, 477 U.S. at 255. It is not the task of the court to scour the record in search of a 15 genuine issue of triable fact. Keenan v. Allan, 91 F.3d 1275, 1279 (9th Cir. 1996) (citation 16 omitted). Additionally, the non-moving party has the burden of identifying, with reasonable 17 particularity, the evidence that precludes summary judgment. Id. If the nonmoving party fails to 18 make this showing, âthe moving party is entitled to a judgment as a matter of law.â Celotex, 477 19 U.S. at 322. 20 IV. DISCUSSION 21 Google submits several âundisputed factsâ which it insists should resolve this case entirely. 22 These facts, according to Google, reflect that its collection of WAA and (s)WAA-off data was 23 lawful and consistent with its representations to class members. Googleâs Mot. at 16-17. 24 Accepting Googleâs view that these facts are true and undisputed would result in this motion being 25 granted on four grounds: first, Google secured consent from Plaintiffs for its âbasic record-keeping 26 practices.â Second, the language of Googleâs disclosures regarding the WAA and (s)WAA settings 27 unequivocally explained that those settings do not control Googleâs ânon-personal record- 1 keeping.â If the settings were ambiguous, Google insists that each Plaintiff reviewed the Privacy 2 Policy, which defines both personal information and non-PII. Third, Google did not use this 3 information to target or personalize ads to Plaintiffs. Finally, the above leads to the conclusion that 4 Googleâs basic record-keeping practices harms no one. 5 A. What WAA/(s)WAA controls is ambiguous 6 Google does not deny that it collects (s)WAA-off data and tracks user behavior via GA4F 7 but argues that it did so lawfully. However, the argument that users knew the WAA button 8 controls only whether a userâs app activity data is âsaved to [his or her] Google accountâ fails to 9 persuade. 10 On the page and connected interfaces, which include the WAA and 11 (s)WAA settings and their descriptions, Google provides multiple descriptions of what the WAA 12 and (s)WAA settings entail. Nowhere do these disclosures indicate with reasonable clarity that 13 (s)WAA controls not whether Google will collect data about a userâs app activity at all, but only 14 whether Google will delink the collected data from the userâs GAIA-ID. The various 15 interpretations of these disclosures render them ambiguous such that a reasonable user would 16 expect the WAA and (s)WAA settings to control Googleâs collection of a userâs web app and 17 activity on products using Googleâs services. Documents Google produced in discovery only 18 emphasize the WAA settingsâ ambiguity. One such document states that â[a]ds you respond to by 19 clicking the ad itself or buying something on the advertiserâs siteâ constitute what is âsaved as 20 [WAA].â Dkt. 398-8 at 9. At the very least, this could reasonably suggest that a (s)WAA-off user 21 may interpret the exact kind of data Google saves via GA4F to be precluded from Googleâs data 22 logging if they switch (s)WAA off. What is meant by the (s)WAA disclosures is thus a disputed 23 material fact. 24 Googleâs insistence that a user should have known that âsaved to your Google accountâ 25 denotes only personal information is unconvincing, and its reliance on the PP provides no clarity. 26 The (s)WAA disclosures do not distinguish between personal information and non-PII, and the PP, 27 in defining both terms, does not expressly refer to the (s)WAA settings. Even accepting that 1 Googleâs disclosures outside of the WAA/(s)WAA settings context could somehow be relied upon 2 to provide clarity as to those settings, that is not the case here. The PP states that a user must 3 provide Google with their personal information to create a Google account, which is then used to 4 authenticate a user when accessing Googleâs services. This does not foreclose the possibility that 5 information which is not associated with a userâs Google account is personal information. 6 Moreover, Plaintiffsâ interpretation of âpersonal informationâ is consistent with California 7 law. In re Google RTB Consumer Privacy Litigation, 606 F. Supp. 3d 935 (N.D. Cal. 2022) is 8 instructive. There, the court pointed to language in the California Consumer Privacy Act 9 (âCCPAâ) (amended by Stats. 2023, Ch. 551, Sec. 1. (A.B. 947)), where the California legislature 10 defined as personal information the type of data collected by GA4F. See 606 F. Supp. 3d at 944. 11 Specifically, the CCPA defines personal information as that which âidentifies, relates to, 12 describes, is reasonably capable of being associated with, or could reasonably be linked, directly 13 or indirectly, with a particular consumer or household,â including â[g]eolocation dataâ as well as 14 âInternet Protocol addressesâ or âunique personal identifiers [or] online identifiers.â Cal. Civ. 15 Code § 1798.140. While Plaintiffs do not advance a claim under the CCPA, the legislatureâs 16 definition in that statute illustrates that, at the very least, a reasonable juror could view the 17 (s)WAA-off data Google collected via GA4F, including a userâs unique device identifiers, as 18 comprising a userâs personal information. 19 B. Consent 20 Google argues that Plaintiffs consented to the collection of their pseudonymous data, but 21 this too is unconvincing. The recently decided Calhoun v. Google, LLC is apposite. 113 F.4th 22 1141 (9th Cir. 2024). In that case, the class members challenged Google Chromeâs sync function, 23 averring that they believed choosing not to sync Chrome with their Google accounts would preclude the collection of their âpersonal informationâ by Google. Id. at *1143â44. While that 24 case included an intrusion upon seclusion claim, the central inquiry on appeal was whether the 25 plaintiffs consented to Googleâs conduct based on the viewpoint of a reasonable user encountering 26 Googleâs disclosures (including the PP). 27 1 The Ninth Circuit confirmed that whether the plaintiffs consented turned on the terms of 2 various disclosures and âwhether a reasonable user reading them would think that he or she was 3 consenting to the data collection, which collection Google has not disputed.â Id. at 1148. The 4 Calhoun court also distinguished Hammerling v. Google, LLC, No. 22-17024, 2024 WL 937247 at 5 *3 (9th Cir. Mar. 5, 2024) (unpublished) and Smith v. Facebook, 745 Fed. Appâx 8, 9 (9th Cir. 6 2018) (unpublished), cases where the âplaintiffsâŠhad not argued that Facebook or Google had 7 service-specific privacy policies that could reasonably be read to say the opposite of what its 8 general privacy policies disclosed.â Calhoun, 113 F.4th at 1149. âBy contrast, and at least in the 9 light most favorable to plaintiffs, Google did make a promise in its Chrome Privacy Policy that it 10 would not collect certain information absent a userâs voluntary decision to sync, so Google may be 11 âbound by [those] promises.ââ Id. (quoting Smith, 745 Fed. Appâx at 9). As in Calhoun, Google 12 provides Plaintiffs with several disclosures, ranging from general privacy disclosures in its PP to 13 more specific disclosures surrounding the WAA/(s)WAA buttons. From the perspective of a 14 reasonable user, it is unclear Plaintiffs were consenting to the data collection at issue. With that 15 background, analysis turns to the specific claims advanced by Plaintiffs in the FAC. 16 C. Invasion of privacy claims 17 While Plaintiffsâ invasion of privacy claims, brought separately under the California 18 constitution and common law, are distinct claims, they consist of substantially similar elements. 19 The inquiry under either is whether â(1) there exists a reasonable expectation of privacy, and (2) 20 [whether] the intrusion was highly offensive.â In re Facebook, Inc. Internet Tracking Litig. 21 (âFacebook Trackingâ), 956 F.3d 589, 601 (9th Cir. 2020). Plaintiffsâ common law tort claim also 22 requires a showing of intent to commit the intrusion on Googleâs part. 23 1. Reasonable expectation of privacy 24 Google argues that Plaintiffs have no reasonable expectation of privacy in anonymized, 25 aggregate data, invoking Campbell v. Facebook, Inc., 951 F.3d 1106, 1119 (9th Cir. 2020). In that 26 case, however, the Ninth Circuit specifically declined to reach the issue: âWe emphasize that this case also does not present the question whether standing could be based entirely on injury from 27 1 anonymized, aggregated uses of data.â Id. at n.9. Indeed, âinformation need not be personally 2 identifying to be private.â In re Google Referrer Header, 465 F. Supp. 3d 999, 1009â10 (N.D. 3 Cal. 2020); see also Brown v. Google LLC, 685 F.Supp.3d 909, 924 (2023) (âPlaintiffs have set 4 forth specific facts demonstrating that the reason Google has access to their anonymous, aggregated data is through the collection and storage of information from usersâ private browsing 5 history without consent.â). Moreover, whether the data collected by Google constitutes personal 6 information is not, as Google suggests, a foregone conclusion. See In re Google RTB Consumer 7 Priv. Litig., 606 F. Supp. 3d at 944. 8 Google invokes Hammerling, where the Ninth Circuit affirmed a district courtâs dismissal 9 of these claims because Googleâs PP âexpressly disclosed Googleâs intention to track [the 10 plaintiffsâ] activity on third-party apps. As a result, [they] have no reasonable expectation of 11 privacy in that data.â 2024 WL 937247 at *3. By contrast, Googleâs disclosures concerning the 12 (s)WAA settings state that it governs a userâs activity âon sites, apps, and devices that use Google 13 servicesââlanguage almost identical as that in Hammerlingâ to describe data that Google will 14 not save when (s)WAA is off. Following Googleâs logic, it is at least disputed here whether 15 Plaintiffs have a reasonable expectation of privacy as to the (s)WAA-off data. 16 2. Highly offensive conduct 17 For Plaintiffs to succeed on their invasion of privacy claims, they need also show that the 18 invasion of privacy was âhighly offensiveâ to a reasonable person and unwarranted âso as to 19 constitute an âegregious breach of social norms.ââ Facebook Tracking, 956 F.3d at 606 (quoting 20 Hernandez v. Hillsides, Inc., 47 Cal.4th 272, 295 (2009)). This inquiry ârequires a holistic 21 consideration of factors such as the likelihood of serious harm to the victim, the degree and setting 22 of the intrusion, the intruderâs motives and objectives, and whether countervailing interests or 23 social norms render the intrusion inoffensive.â Id. 24 To emphasize the offensiveness of Googleâs conduct, Plaintiffs highlight the âvast and 25 sensitiveâ nature of the information collected, see Brown, 685 F. Supp 3d at 941, as well as the 26 significant profits Google makes resulting from its misconduct. Specifically, Plaintiffs suggest that 27 Google can personalize ads based on (s)WAA-off data because Attribution/Conversion Tracking 1 is highly profitable for Google. In support, Plaintiffâs technical expert, Jonathan Hochman, looks 2 to the GA4F Help Center. There, Google indicates that a GA4F automatically collects certain 3 âUser Properties,â including a userâs IP address, age, gender, geolocation, âpotentially even 4 âfavorite food.ââ Hochman Rep. 89, 99. Google also supposedly performs its (s)WAA âconsent checksâ only after it has collected and saved a myriad of unique and sensitive information from 5 users, rendering the distinction between identifying and pseudonymous data (i.e., GAIA and non- 6 GAIA identifiers) meaningless. Id. at 86, 87. 7 This inquiry of Googleâs conduct turns on the nature of the information collected and 8 whether a reasonable person would consider its collection to be an offensive intrusion. While 9 Hochmanâs report indicates that Google creates these extensive and detailed marketing profiles of 10 (s)WAA-off users which it then uses to gain high profits, those arguments are founded on a 11 hypothetical scenario, rather than Googleâs actual conduct. Plaintiffs have provided no evidence 12 that Google uses (s)WAA-off data to build highly targeted and invasive marketing profiles of 13 (s)WAA-off users, only that Google has the technical capabilities of joining the identifiers it 14 collects with more sensitive and personal data about the user. In fact, Google takes significant 15 efforts to separate a (s)WAA-off usersâ GAIA-IDs from its device identifiers. Furthermore, 16 âroutine commercial behaviorâ is not a âhighly offensiveâ invasion of privacy. Low v. LinkedIn 17 Corp., 900 F. Supp. 2d 1010, 1025 (N.D. Cal. 2012). 18 That Google can use this information to make money or improve its products or services is 19 of little relevance. That principle applies a fortiori here as Google collects the (s)WAA-off data 20 not simply to line its pockets, but for a free analytics tool intended to aid developers in 21 understanding their apps and usage. Moreover, Plaintiffs have not explained how the (s)WAA-off 22 data that Google collects constitute sensitive information that would offend a reasonable person 23 and social norms. See In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1063 (N.D. Cal. 24 2012) (â[T]he information allegedly disclosed to third parties included the unique device identifier 25 number, personal data, and geolocation information from [p]laintiffsâ iDevices. Even assuming 26 this information was transmitted without Plaintiffsâ knowledge and consent, a fact disputed by 27 Defendants, such disclosure does not constitute an egregious breach of social norms.â). 1 Ultimately, however, viewing the facts in the light most favorable to Plaintiffs, Googleâs 2 conduct is at least arguably offensive because it collects (s)WAA-off data despite concerns raised 3 by its employees and with the knowledge that its disclosures are ambiguous and deficient. In 2019, 4 an employee who worked on Gmail shared internally that Google âwould need to modify the [WAA disclosures] to indicate that WAA off is identical to being not logged into your account 5 (data logged, but not tied to your account).â Later that year, he wrote again, highlighting that the 6 WAA page indicates that WAA-off data should not be logged at all. Another employee wrote that 7 âteams should not use user data at all if WAA is off,â to align with what âmost users expect.â 8 Several Google employees between 2017 and 2020 wrote that WAA was confusing and unclear to 9 everyday users. See Plaintiffsâ Opposition to Motion for Summary Judgment (âPlaintiffsâ Opp.â) 10 at 12-13. Internal Google communications also indicate that Google knew it was being 11 âintentionally vagueâ about the technical distinction between data collected within a Google 12 account and that which is collected outside of it because the truth âcould sound alarming to users.â 13 Google argues that these comments are innocuous because they seek largely to identify 14 potential technical improvements for Google services, and several of the employees making such 15 remarks are unfamiliar with WAA. The concerns raised by Google employees are relevant, 16 however, at the very least for tending to show that the WAA disclosures are subject to multiple 17 interpretations. What is more, the remarks and Googleâs internal statements reflect a conscious 18 decision to keep the WAA disclosures vague, which could suggest that Google acted in a highly 19 offensive manner, thereby satisfying the intent element of the tort claim. Then again, these 20 comments could also be ascribed to the unremarkable culture in large technology enterprises 21 where employees simply offer improvements of the companyâs products or services. Whether 22 Google or Plaintiffsâ interpretation prevails is a triable issue of fact. 23 3. Harm 24 Google insists that Plaintiffsâ invasion of privacy claims fail because Plaintiffs cannot 25 establish that a âbare privacy harmâ is actionable, as Article III injury alone cannot constitute 26 harm to sustain the invasion of privacy claims (as well as CDAFA, discussed further below). In 27 TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), the Supreme Court held that, for purposes of 1 Article III standing, âonly those plaintiffs who have been concretely harmed by a defendantâs 2 statutory violation may sue that private defendant over that violation in federal court.â Id. at 427 3 (emphasis in original). The Court also noted that â[c]entral to assessing concreteness is whether 4 the asserted harm has a 'close relationship to a harm traditionally recognized as providing a basis 5 for lawsuits in American courts.â Id. at 417 (internal quotations omitted); Facebook Tracking, 956 6 F.3d at 598 (â[V]iolations of the right to privacy have long been actionable at common law.â). 7 Additionally, as the Ninth Circuit indicated when discussing certain California privacy statutes, 8 âunder the privacy torts that form the backdrop for these modern statutes, the intrusion itself 9 makes the defendant subject to liability . . . In other words, privacy torts do not always require 10 additional consequences to be actionable.â Campbell, 951 F.3d at 1117 (internal citations 11 omitted). 12 Google insists that while Plaintiffs may have suffered Article III injury, they cannot show, 13 class-wide, that they suffered harm under the invasion of privacy claims because the âemotional 14 harmsâ associated with those claims are only available on an individual basis. Plaintiffs have 15 offered no models or explanations for how these harms apply across the classes, and at the 16 hearing, Plaintiffsâ counsel admitted that if emotional harm was Plaintiffsâ sole theory of harm, 17 only nominal damages would be available to the class. Contrary to Googleâs view, however, that 18 only nominal damages are available class-wide does not defeat Plaintiffsâ invasion of privacy 19 claims. 20 D. CDAFA 21 Plaintiffs aver, in their third claim, that Googleâs collection and use of (s)WAA-off data 22 violates CDAFA, Cal. Penal Code § 502, et seq. CDAFA imposes liability on whoever 23 â[k]nowingly accesses and without permission takes . . . any data from a computer.â Cal. Penal 24 Code § 502(c)(2). The statute allows an individual who âsuffers damage or loss by reason of a 25 violationâ of the statute to bring a private civil action. Cal. Penal Code § 502(e)(1). Google seeks 26 summary judgment for Plaintiffsâ CDAFA claim on the grounds that it had permission to use 27 (s)WAA-off data and that Plaintiffs suffered no damage or loss. 1 1. Permission3 2 CDAFA does not define âpermissionâ within the text of the statute. Several cases in this 3 district and the Ninth Circuit provide guidance as to the termâs meaning for the purposes of 4 CDAFA analysis, focusing on the plain meaning of the term and what the defendant knew while 5 using the data. See, e.g., In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1100 (N.D. Cal. 2015) 6 (ââPermissionâ is defined as the âact of permittingâ or âa license or liberty to do something; 7 authorization.ââ) (quoting Blackâs Law Dictionary (8th ed. 2004)); Facebook, Inc. v. Power 8 Ventures, Inc., 844 F.3d 1058, 1069 (9th Cir. 2016) (in concluding that the defendant violated 9 CDAFA, holding that it âknew that it no longer had permission to access [the plaintiffâs] 10 computers at allâ). Much of the authority on this issue comes from courts reviewing Computer 11 Fraud and Abuse Act (CFAA) claims, 18 U.S.C. § 1030(a)(2). Courts in this district have held that 12 CDAFA claims generally ârise or fall with . . . CFAA claims because the necessary elements of 13 Section 502 do not differ materially from the necessary elements of the CFAA, except in terms of 14 damages.â Meta Platforms, Inc. v. BrandTotal Ltd., 605 F. Supp. 3d 1218, 1260 (N.D. Cal. 2022) 15 (citing Brodsky v. Apple Inc., 445 F. Supp. 3d 110, 129 (N.D. Cal. 2020)). In the CFAA context, 16 the Ninth Circuit defines âauthorizationâ as âpermission or power granted by an authority.â LVRC 17 Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009). 18 First, Google argues that, as a matter of law, Plaintiffs explicitly consented because the 19 default setting for (s)WAA gave Google permission to use their data, and toggling (s)WAA off did 20 not revoke permission. Even if Plaintiffs impliedly granted Google permission to use their data 21 prior to toggling (s)WAA off, this argument is lacking. See Power Ventures, 844 F.3d at 1069 22 (acknowledging that permission may be granted by implication in the context of CDAFA). What 23 is relevant is whether toggling (s)WAA off revoked permission.4 Googleâs generic disclosures in 24 25 3 The parties interchangeably refer to this element under CDAFA as âpermissionâ and âconsent.â 26 4 If Google is correct that the WAA settings are of no import as to the data Google collected via GA4F, it is unclear how else a user may give Google consent to log that information to begin with 27 (short of not signing up for a Google account), much less withdraw it. 1 the PP fail to show express or implied consent to the data use at issue because consent is only 2 effective if directed âto the particular conduct, or to substantially the same conduct.â Tsao v. 3 Desert Palace, Inc., 698 F.3d 1128, 1149 (9th Cir. 2012) (internal quotations omitted). Here, the 4 permission prong of Plaintiffsâ CDAFA claim turns on whether class members revoked 5 permission when they toggled (s)WAA off. 6 When evaluating whether a party revoked permission in the context of CDAFA or CFAA, 7 courts focus on the perspective of the defendant at the time they used the data. See Power 8 Ventures, 844 F.3d at 1069. In Power Ventures, the Ninth Circuit held that a cease-and-desist 9 letter sent by the plaintiff revoked any implied permission for the defendant to continue accessing 10 their computers and using their data. The Ninth Circuit held that previously permitted use runs 11 afoul of the CFAA (and therefore the CDAFA) âwhen such permission has been revoked 12 explicitly.â Id. at 1067. The Ninth Circuit did not hold that a cease-and-desist letter was required 13 or articulate a specific test for revocation, instead focusing on what a defendant knew or should 14 have known at the time of use. Id. at 1069 (âBut when Facebook sent the cease-and-desist letter, 15 Power, as it conceded, knew that it no longer had permission to access Facebookâs computers at 16 all . . . Power violated [the CDAFA].â). 17 In this case, it is genuinely disputed whether Google knew or should have known that class 18 members revoked permission to use (s)WAA-off data. Google contends that the description of the 19 (s)WAA switch and what it controlled was plain and straightforward, clearly communicating that 20 the access and use now at issue was beyond the scope of the setting. Plaintiffs disagree, arguing 21 that they reasonably thought turning off (s)WAA meant that âGoogle would not collect or save 22 their app activity.â As explained above, evidence produced by Google during discovery, including 23 deposition testimony by Google employees, indicates that the description of (s)WAA was 24 ambiguous. Although Google disputes the applicability of that evidence, a reasonable juror could 25 be convinced by either partyâs argument regarding the (s)WAA setting and Googleâs PP. 26 Furthermore, Google has not explained how it received âconsentâ by (s)WAA-off users to collect 27 the data if there was no meaningful way for users to provide that consent. Indeed, âconsent is only 1 effective if the person alleging harm consented to the particular conduct, or to substantially the 2 same conduct and if the alleged tortfeasor did not exceed the scope of that consent.â Brown, 685 3 F. Supp. 3d at 926 (internal quotations omitted). Accordingly, it cannot be determined as a matter 4 of law that Google had Plaintiffsâ permission to use their data. 5 Google next argues that even if Plaintiffs did not give Google permission to use their 6 (s)WAA-off data, the third-party app developers obtained consent from users as a condition of 7 GA4F, so Google had permission to collect the data and its use did not violate CDAFA. Google 8 says that it acted only as a âvendorâ to those third-party apps and permission granted by users to a 9 technology company extends to vendors who process such data. Even assuming Google acted as a 10 vendor, no court has endorsed the position that when one technology company acts as a vendor for 11 another, consent for the purposes of CDAFA analysis is coextensive with the party that obtained 12 it. Google cites only to inapposite California Invasion of Privacy Act (âCIPAâ) cases in support of 13 their position on this point. See, e.g., Graham v. Noom, Inc., 533 F. Supp. 3d 823 (N.D. Cal. 14 2021). Unlike CFAA, CIPA has never been deemed substantially similar to CDAFA. Therefore, 15 Google presents no relevant authority to show that under CDAFA, permission given by third 16 parties to use (s)WAA-off data satisfies the statuteâs permission requirement. 17 Googleâs third-party permission argument is not only unsupported by any applicable 18 caselaw but also in tension with relevant Ninth Circuit precedent. In United States v. Nosal, the 19 Ninth Circuit held that âonce authorization to access a computer has been affirmatively revoked, 20 [a defendant] cannot sidestep the statute by going through the back door and accessing the 21 computer through a third party. Unequivocal revocation of computer access closes both the front 22 door and the back door.â 844 F.3d 1024, 1028 (9th Cir. 2016) (discussing the authorization prong 23 of the CFAA). Assuming, then, that Plaintiffs did revoke permission when they toggled (s)WAA 24 off, whether a third party granted permission is irrelevant. Instead, what matters is whether Google 25 knew or should have known that Plaintiffs revoked permission to use their data, a material fact 26 that is genuinely disputed. 27 Google also contends that if a plaintiff was indeed confused about the limitations of the 1 WAA or (s)WAA settings, that confusion would undermine Plaintiffsâ class-wide claims because 2 it otherwise received clear consent for pseudonymous record-keeping. As explained, whether 3 Google received consent for its conduct is not a sure-fire proposition. More critically, Google 4 confuses the issue here: viewing the facts in the light most favorable to Plaintiffs, it is a disputed 5 fact, not an individualized inquiry, whether the class membersâ uniform conduct of turning 6 (s)WAA off withdrew their consent for Google to âsave app activity data.â This identical conduct, 7 as explained in the class certification order, still warrants class treatment. Moreover, Googleâs 8 disclosures were uniform to all class members and its treatment of the classesâ data was also 9 identical. Its own imprecision does not undermine predominance. 10 2. Damage or Loss 11 CDAFA neither defines nor sets a monetary threshold for âdamage or loss.â Cottle v. Plaid 12 Inc., 536 F. Supp. 3d 461, 487 (N.D. Cal. 2021). Rather, âunder the plain language of the statute, 13 any amount of damage or loss may be sufficient.â Facebook, Inc. v. Power Ventures, Inc., No. 08- 14 cv-05780-JW, 2010 WL 3291750, at *4 (N.D. Cal. July 20, 2010). Plaintiffs argue that at least 15 five injuries establish âdamage or lossâ under CDAFA. 16 a. Deprivation of privacy 17 This damage theory rests entirely on the viability of Plaintiffsâ other two claims and 18 requires a showing of harm. As discussed above, Plaintiffs are unable to show that they are 19 entitled to more than nominal damages resulting from the emotional harms associated with their 20 deprivation of privacy. They offer no concrete models or theories that this harm constitutes more 21 than simply an emotional injury. However, Plaintiffs have other damage or loss theories that 22 provide a basis to satisfy this element of CDAFA. 23 b. Disgorgement of profits 24 Plaintiffs argue that they experienced damage or loss because Google illegally profited 25 from the use of their data. Plaintiffs rely on Facebook Tracking, where the Ninth Circuit held that 26 âCalifornia law recognizes a right to disgorgement of profits resulting from unjust enrichment, 27 even where an individual has not suffered a corresponding loss.â 956 F.3d at 599. Google 1 responds that, in light of TransUnion, Plaintiffâs disgorgement of profits theory of damage or loss 2 is untenable under CDAFA. 594 U.S at 417. 3 Plaintiffsâ disgorgement theory is compatible with TransUnion, which held that, when 4 determining which injuries are sufficiently concrete, âhistory and tradition offer a meaningful 5 guide.â Id. at 424 (citation omitted). Certain harms âreadily qualify as concrete injuries under 6 Article III. The most obvious are traditional tangible harms, such as physical harms and monetary 7 harms.â Id. at 425. Intangible harms, such as âdisclosure of private informationâ or âintrusion 8 upon seclusionâ, have also been traditionally recognized. Id. Google argues that its âharmless data 9 collectionâ does not serve as a basis to disgorge its profits because it does not constitute a concrete 10 injury. 11 Notwithstanding that it is disputed whether Googleâs data collection was âharmless,â 12 Brown v. Google LLC is instructive in showing why Plaintiffsâ intangible harms are sufficiently 13 concrete to constitute damage or loss under current law. 685 F. Supp. 3d 909 (N.D. Cal. 2023). In 14 that case, decided after TransUnion, the court held that the plaintiffs satisfied CDAFAâs damage 15 or loss requirement because they had âa stake in the value of their misappropriated data.â Id. at 16 940. Relying on Facebook Tracking, the court held that the plaintiffs could state an economic 17 injury for their misappropriated data. Id.; Facebook Tracking, 956 F.3d 589 at 600. The court also 18 denied summary judgment as to the defendantâs argument that plaintiffs lacked standing to seek an 19 unjust enrichment remedy, holding that Facebook Tracking was still good law. Brown, 685 F. 20 Supp. 3d at 926. Here, Plaintiffs have a stake in the value of their data. As in Brown, where the 21 court denied summary judgment on the issue of damage or loss âbecause plaintiffs proffer[ed] 22 evidence that there [was] a market for their data,â Plaintiffs here similarly present evidence that 23 their data has economic value. 685 F. Supp. 3d at 940. Accordingly, a reasonable juror could find 24 that Plaintiffs suffered damage or loss because Google profited from the misappropriation of their 25 data. 26 c. Failure to pay for collected data 27 Third, Plaintiffs argue that they suffered damage or loss because Google failed to pay for 1 the data it collected despite there being a market for it. This theory of damage or loss is closely 2 related to Plaintiffs second theory. See Brown, 685 F. Supp. 3d at 925-26, 940 (discussing unjust 3 enrichment and economic injury for misappropriated data). Plaintiffs argue that they suffered 4 damage or loss because Google took something of economic value from them without their 5 permission. Google insists that this theory fails because Plaintiffs did not wish to sell their data 6 and, even if they did, their data did not diminish in value because of its conduct. However, âunder 7 California law, [a] stake in unjustly earned profits exists regardless of whether an individual 8 planned to sell his or her data or whether the individualâs data is made less valuable.â Facebook 9 Tracking, 956 F.3d at 600. It remains disputed whether Plaintiffs suffered damage or loss because 10 Google failed to pay for their data despite the existence of a market. 11 d. Depletion of battery and bandwidth 12 Fourth, Plaintiffs proffer evidence that Googleâs unauthorized access depleted their 13 devicesâ battery and bandwidth, causing damage or loss. Courts recognize depletion of battery and 14 computing resources as acceptable forms of damage or loss for the purposes of a CDAFA claim. 15 In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1065 (N.D. Cal. 2015); Williams v. Facebook, Inc., 16 498 F. Supp. 3d 1189, 1199 (N.D. Cal. 2019). While Plaintiffs have provided no evidence about 17 how much device battery life and bandwidth was depleted, they point to internal Google 18 documents that suggest Google Analytics impacts battery-life of a device. Google points out that 19 Plaintiffs failed to present a damage model at class certification based on this harm, and Plaintiffs 20 concede that only nominal damages would be available to them under this theory of liability. As 21 the statute sets no minimum threshold for damage or loss, even small harms due to depletion of 22 battery and bandwidth satisfy CDAFAâs requirements. At this stage, Plaintiffs have provided 23 sufficient evidence to show harm for at least nominal damages under this theory. 24 e. Denial of benefit of the bargain 25 Finally, Plaintiffs argue that they suffered damage or loss because class members did not 26 receive the âbenefit of their bargainâ with Google, a concept linked to their now dismissed breach 27 of contract claim. Dkt. 127, 209. Plaintiffs have offered no authority that denial of the benefit of 1 the bargain constitutes damage for CDAFA absent a contract claim. 2 E. Motions to Seal 3 The parties have filed administrative motions to seal portions of their briefing. Plaintiffs 4 || move to seal highlighted portions of Exhibit 4 of its Opposition on the grounds that it contains 5 personally identifiable information, which is deemed private pursuant to the Protective Order. 6 Google has moved to seal no portion of the Opposition or its Reply brief (and its Motion 7 for Summary Judgment was filed publicly). Instead, Google seeks only to seal portions of 16 8 exhibits submitted alongside the Opposition and Reply briefs and 6 exhibits in full. Google 9 subsequently withdrew its request to seal one sentence from Exhibit 34. Google raises several 10 grounds as the basis for its motion to seal: first, it seeks to seal commercially sensitive 11 information, including its internal research methodologies and forward-looking strategies and g 12 || deliberations. It also seeks to seal private documents regarding the technical details of Googleâs 13 internal systems, references to internal code names, and non-public email addresses. 14 The partiesâ motions to seal have satisfied the âcompelling reasonsâ standard for 2 15 || dispositive motions. See Ctr. for Auto Safety v. Chrysler Grp., 809 F.3d 1092, 1098-1099 (9th Cir. 16 || 2016). The sealing questions are tailored narrowly in order to avoid impacting the publicâs 2 17 understanding of this case. Accordingly, the motions to seal are granted. Z 18 V. CONCLUSION 19 For the reasons explained above, Googleâs motion for summary judgment is denied and the 20 || pending motions to seal are granted. The parties shall file public versions of their briefs and 21 related exhibits in accordance with the sealing order within one week of the date of this order. 22 || ITISSO ORDERED. 23 24 || Dated: January 7, 2025 25 / 26 RICHARD SEEBORG 27 Chief United States District Judge 98 ORDER DENYING MOTION FOR SUMMARY JUDGMENT CASE No. 20-cv-04688-RS
Case Information
- Court
- N.D. Cal.
- Decision Date
- January 7, 2025
- Status
- Precedential