Rodriguez et al v. Google LLC et al
Filing
445
ORDER Denying 383 Motion for Summary Judgment; Granting 397 Administrative Motion to Consider Whether Another Party's Material Should Be Sealed; and Granting 407 Administrative Motion to File Under Seal. Signed by Chief Judge Seeborg on January 7, 2025.(rslc3, COURT STAFF) (Filed on 1/7/2025)
1
2
3
4
5
6
7
UNITED STATES DISTRICT COURT
8
NORTHERN DISTRICT OF CALIFORNIA
9
10
ANIBAL RODRIGUEZ, et al.,
Case No. 20-cv-04688-RS
Plaintiffs,
11
ORDER DENYING GOOGLE’S
MOTION FOR SUMMARY
JUDGMENT
United States District Court
Northern District of California
v.
12
13
GOOGLE LLC,
Defendant.
14
I. INTRODUCTION
15
16
This is a privacy class action brought against Google LLC (“Google”). Plaintiffs are
17
members of two sub-classes, comprising individuals with Android and non-Android mobile
18
devices who had certain privacy-related settings switched off in their Google accounts. In the
19
Fourth Amended Complaint (“FAC”), Plaintiffs aver that Google contravened its user-facing
20
privacy representations regarding its Web App and Activity (“WAA”) and supplemental Web App
21
and Activity (“(s)WAA”) settings, advancing three California claims: invasion of privacy under
22
the California Constitution, common law intrusion upon seclusion, and violation of the
23
Comprehensive Computer Data Access and Fraud Act (“CDAFA”). Google moves for summary
24
judgment on all claims advanced by Plaintiffs in the FAC. For the reasons set forth herein,
25
Google’s motion is denied.
II. BACKGROUND
26
27
A.
WAA and (s)WAA settings
28
The relevant technology at issue in this case is Google’s WAA and, more specifically,
United States District Court
Northern District of California
1
(s)WAA setting. The WAA button is a Google account setting that purports to give users privacy
2
control of Google’s data logging of the user’s web app and activity, such as a user’s searches and
3
activity from other Google services, information associated with the user’s activity, and
4
information about the user’s location and device. The (s)WAA button, which can only be switched
5
on if WAA is also switched on, governs information regarding a user’s “[Google] Chrome history
6
and activity from sites, apps, and devices that use Google services.” Disabling WAA also disables
7
the (s)WAA button.
8
B.
9
To aid third-party app developers, Google created software development kits, including
10
Firebase and Google Mobile Ads (“GMA”). These kits are incorporated into apps by third-party
11
app developers and allow Google to collect user data, including data regarding required fixes or
12
updates. If an app developer seeks information about their app users’ interactions with ads, they
13
can use Google Analytics for Firebase (“GA4F”). GA4F is a free analytical tool that takes user
14
data from the Firebase kit and provides app developers with insight on app usage and user
15
engagement. It is integrated in 60% of the top apps. Dkt. 361-58, Expert Report of Johnathan E.
16
Hochman (“Hochman Rep.”) ¶ 2. Functionally, GA4F works by automatically sending to Google
17
a user’s ad interactions and certain identifiers regardless of a user’s (s)WAA settings, and Google
18
will, in turn, provide analysis of that data back to the app developer. GMA logs similar ad-related
19
interactions.
20
Google Analytics for Firebase
Developers can customize their usage of GA4F to receive information uniquely helpful for
21
their app development purposes and must obtain consent from end users to use GA4F. Google
22
argues that its sole purpose for collecting (s)WAA-off data is to provide these analytic services to
23
app developers. This data, per Google, consists only of non-personally identifiable information
24
and is unrelated (or, at least, not directly related) to any profit-making objectives.
25
GA4F specifically allows app developers to track what Google coins “attributions” and
26
“conversions.” Attribution/Conversion Tracking permits Google to “(1) log the fact that it has
27
served an ad alongside a device identifier for accounting purposes, and (2) attribute conversion
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
2
United States District Court
Northern District of California
1
events to those ad serving records.” Google argues that its practice of Attribution/Conversion
2
Tracking does not harm users and instead involves the sharing of just critical pieces of
3
information, namely which device triggered the conversion event, which app sent Google the
4
information, and “other similar pieces of information.”1
5
C.
Pseudonymous data
6
When a user toggles (s)WAA off, Google purports to treat their data as “pseudonymous.”2
7
Google creates a randomly-generated identifier when logging a (s)WAA-off user’s analytics and
8
ads data. This identifier permits Google to recognize the particular device and its later ad-related
9
behavior. On Android, the identifier is labeled ad ID (“ADID”) and on iOS it is referred to as
10
Identifier for Advertiser (“IDFA”). Through its software development kits, Google collects ADID
11
or IDFA for Google’s Attribution/Conversion Tracking purposes.
12
Another identifier that is capable of being saved by Google through GA4F is the Google
13
Accounts and ID Administration ID (“GAIA ID”). The “GAIA ID uniquely identifies a Google
14
account holder”—in other words, it links data collected to a specific user’s Google account.
15
Hochman Rep. ¶ 109. Google insists that it has created technical barriers to ensure, for (s)WAA-
16
off users, that pseudonymous data is delinked to a user’s identity by first performing a “consent
17
check” to determine a user’s (s)WAA settings. Specifically, GA4F logs the device’s ads
18
personalization opt-out settings. If that check yields a (s)WAA-off result, that data is logged in the
19
“pseudonymous space” that does not contain GAIA IDs, as those correspond to a user’s Google
20
account. When this “consent check” is performed, the retrieved device IDs are encrypted.
21
22
23
24
25
26
27
As an example, Google provides that “while a conversion event could be called
‘in_app_purchase,’ and it could contain for the app developer pseudonymous information about
what the device purchased, for Google’s attribution purposes, it is just the fact that the event
occurred that is logged and later used to connect an ad click at Time 1 with a purchase at Time 2.”
Google’s Motion for Summary Judgment (“Google’s Mot.”) at 10-11.
1
Google uses the term “pseudonymous” throughout its motion to describe its treatment of the data
it collects from (s)WAA-off users. It is not entirely clear what Google intends to denote by use of
this term, but it seems to suggest the replacement of identifiable information with a contrived
identifier.
2
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
3
United States District Court
Northern District of California
1
Likewise, the “GAIA-keyed” space contains no identifiers that would be in the pseudonymous log.
2
Where there is overlap, Google encrypts that data and throws away the decryption key after six
3
days. Google’s employees are also purportedly prohibited from “joining” pseudonymous and
4
identifiable data based on internal policies. In other words, per Google, pseudonymous and
5
identifiable data are kept separate.
Google’s disclosures
6
D.
7
Google insists that users knew and consented to its tracking practices. Relying on the
8
WAA and (s)WAA disclosures, the Google Privacy Policy (“PP”), and language in Google’s
9
Privacy Portal, Google contends that it disclosed adequately the contours of the WAA and
10
(s)WAA buttons. Specifically, it argues that users knew the WAA and (s)WAA settings controlled
11
only whether a user’s web app and activity was linked to their “personal information,” which it
12
contends is synonymous with information “saved into [the user’s] Google Account” and that those
13
settings do not cover non-personally identifiable information (“non-PII”).
14
First, Google points to the language surrounding the WAA and (s)WAA buttons. The
15
WAA setting is located in a Google account’s page. The subheading for
16
states that a user may “[c]hoose the activities and info [a user] allow[s]
17
Google to save” on that page. On the actual page, where WAA is an available
18
setting for a user to toggle on or off, Google indicates that a user may “[c]hoose which settings
19
will save data in your Google Account.” Scrolling lower, the specific language surrounding the
20
WAA button states that switching it on “[s]aves your activity on Google sites and apps, including
21
associated location, to give you faster searches, better recommendations, and more personalized
22
experiences in…[various] Google services.” Finally, (s)WAA, which can only be turned on if
23
WAA is also on, “[i]ncludes Chrome history and activity from sites, apps, and devices that use
24
Google services.” Based on the subheading on the page, Google argues that a
25
user would know turning (s)WAA on or off controlled only whether Google could save certain
26
information “to a user’s Google account.”
27
In support of this interpretation of the phrase “saved to your Google account,” Google
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
4
United States District Court
Northern District of California
1
points to language in its PP. The PP states that when a user signs up for a Google Account, Google
2
may “ask for personal information, like your name, email address, telephone number, or credit
3
card to store with your account.” Google’s Mot. Appx. A-7 at 4. Elsewhere, Google’s PP defines
4
“personal information” as “information which you provide to us which personally identifies you,
5
such as your name, email address, or billing information, or other data which can be reasonably
6
linked to such information by Google, such as information with your Google account.” Id. at 57.
7
Non-PII is defined as “information that is recorded about users so that it no longer reflects or
8
references an individually identifiable user.” Id. The PP further explains that depending on a user’s
9
account settings, the user’s “activity on other sites and apps may be associated with your personal
10
information” and Google may still “share [non-PII] publicly and with our partners.” Id. at 6-7, 11.
11
In other words, based on Google’s PP and the WAA and (s)WAA disclosures, Google contends
12
that users should have known that any app activity data shared with third-party developers through
13
GA4F was not covered by the WAA and (s)WAA settings because those settings controlled only
14
whether the data was saved in a user’s account.
15
E.
The central dispute
16
While Google paints its practice of tracking attributions and conversion via GA4F as basic
17
record-keeping, Plaintiffs view it as considerably less innocuous than Google portrays. This
18
tracking, in Plaintiffs’ view, contravenes Google’s (s)WAA representations to users because it
19
gathers exactly the data Google denies saving and collecting about (s)WAA-off users. Moreover,
20
Plaintiffs insist that Google’s practices allow it to personalize ads by linking user ad interactions to
21
any later related behavior—information advertisers are likely to find valuable—leading to
22
Google’s lucrative advertising enterprise built, in part, on (s)WAA-off data unlawfully retrieved.
23
Accordingly, Plaintiffs contend, Google should be disgorged of all its profits derived from serving
24
any ads to (s)WAA-off users.
25
For its part, Google denies that any (s)WAA-off data is saved to a user’s marketing profile,
26
which precludes it from personalizing advertising to a WAA-off user. Instead, Google insists that
27
it engages simply in unharmful and basic record-keeping of “pseudonymous” data for (s)WAA-off
28
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
5
United States District Court
Northern District of California
1
users, intended to be shared with only developers through GA4F for their own analysis.
2
III. LEGAL STANDARD
3
Summary judgment is appropriate if the pleadings, discovery, and affidavits show “that
4
there is no genuine dispute as to any material fact and the movant is entitled to judgment as a
5
matter of law.” Fed. R. Civ. P. 56(a). A genuine issue of material fact is one that could reasonably
6
be resolved in favor of the nonmoving party, and which could “affect the outcome of the suit.”
7
Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). The party moving for summary
8
judgment bears the burden of proof to “make a showing sufficient to establish…the existence of
9
an element essential to that party’s case.” Celotex Corp. v. Catrett, 477 U.S. 317 (1986). If the
10
movant succeeds in demonstrating the absence of a genuine issue of material fact, the burden then
11
shifts to the nonmoving party to “set forth specific facts showing that there is a genuine issue for
12
trial.” Id. at 322 n.3; see also Fed. R. Civ. P. 56(c)(1)(B). Evidence must be viewed in the light
13
most favorable to the nonmoving party and all justifiable inferences must be drawn in its favor.
14
See Anderson, 477 U.S. at 255. It is not the task of the court to scour the record in search of a
15
genuine issue of triable fact. Keenan v. Allan, 91 F.3d 1275, 1279 (9th Cir. 1996) (citation
16
omitted). Additionally, the non-moving party has the burden of identifying, with reasonable
17
particularity, the evidence that precludes summary judgment. Id. If the nonmoving party fails to
18
make this showing, “the moving party is entitled to a judgment as a matter of law.” Celotex, 477
19
U.S. at 322.
20
21
IV. DISCUSSION
Google submits several “undisputed facts” which it insists should resolve this case entirely.
22
These facts, according to Google, reflect that its collection of WAA and (s)WAA-off data was
23
lawful and consistent with its representations to class members. Google’s Mot. at 16-17.
24
Accepting Google’s view that these facts are true and undisputed would result in this motion being
25
granted on four grounds: first, Google secured consent from Plaintiffs for its “basic record-keeping
26
practices.” Second, the language of Google’s disclosures regarding the WAA and (s)WAA settings
27
unequivocally explained that those settings do not control Google’s “non-personal recordORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
6
United States District Court
Northern District of California
1
keeping.” If the settings were ambiguous, Google insists that each Plaintiff reviewed the Privacy
2
Policy, which defines both personal information and non-PII. Third, Google did not use this
3
information to target or personalize ads to Plaintiffs. Finally, the above leads to the conclusion that
4
Google’s basic record-keeping practices harms no one.
5
A.
What WAA/(s)WAA controls is ambiguous
6
Google does not deny that it collects (s)WAA-off data and tracks user behavior via GA4F
7
but argues that it did so lawfully. However, the argument that users knew the WAA button
8
controls only whether a user’s app activity data is “saved to [his or her] Google account” fails to
9
persuade.
10
On the page and connected interfaces, which include the WAA and
11
(s)WAA settings and their descriptions, Google provides multiple descriptions of what the WAA
12
and (s)WAA settings entail. Nowhere do these disclosures indicate with reasonable clarity that
13
(s)WAA controls not whether Google will collect data about a user’s app activity at all, but only
14
whether Google will delink the collected data from the user’s GAIA-ID. The various
15
interpretations of these disclosures render them ambiguous such that a reasonable user would
16
expect the WAA and (s)WAA settings to control Google’s collection of a user’s web app and
17
activity on products using Google’s services. Documents Google produced in discovery only
18
emphasize the WAA settings’ ambiguity. One such document states that “[a]ds you respond to by
19
clicking the ad itself or buying something on the advertiser’s site” constitute what is “saved as
20
[WAA].” Dkt. 398-8 at 9. At the very least, this could reasonably suggest that a (s)WAA-off user
21
may interpret the exact kind of data Google saves via GA4F to be precluded from Google’s data
22
logging if they switch (s)WAA off. What is meant by the (s)WAA disclosures is thus a disputed
23
material fact.
24
Google’s insistence that a user should have known that “saved to your Google account”
25
denotes only personal information is unconvincing, and its reliance on the PP provides no clarity.
26
The (s)WAA disclosures do not distinguish between personal information and non-PII, and the PP,
27
in defining both terms, does not expressly refer to the (s)WAA settings. Even accepting that
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
7
1
Google’s disclosures outside of the WAA/(s)WAA settings context could somehow be relied upon
2
to provide clarity as to those settings, that is not the case here. The PP states that a user must
3
provide Google with their personal information to create a Google account, which is then used to
4
authenticate a user when accessing Google’s services. This does not foreclose the possibility that
5
information which is not associated with a user’s Google account is personal information.
United States District Court
Northern District of California
6
Moreover, Plaintiffs’ interpretation of “personal information” is consistent with California
7
law. In re Google RTB Consumer Privacy Litigation, 606 F. Supp. 3d 935 (N.D. Cal. 2022) is
8
instructive. There, the court pointed to language in the California Consumer Privacy Act
9
(“CCPA”) (amended by Stats. 2023, Ch. 551, Sec. 1. (A.B. 947)), where the California legislature
10
defined as personal information the type of data collected by GA4F. See 606 F. Supp. 3d at 944.
11
Specifically, the CCPA defines personal information as that which “identifies, relates to,
12
describes, is reasonably capable of being associated with, or could reasonably be linked, directly
13
or indirectly, with a particular consumer or household,” including “[g]eolocation data” as well as
14
“Internet Protocol addresses” or “unique personal identifiers [or] online identifiers.” Cal. Civ.
15
Code § 1798.140. While Plaintiffs do not advance a claim under the CCPA, the legislature’s
16
definition in that statute illustrates that, at the very least, a reasonable juror could view the
17
(s)WAA-off data Google collected via GA4F, including a user’s unique device identifiers, as
18
comprising a user’s personal information.
19
B.
Consent
20
Google argues that Plaintiffs consented to the collection of their pseudonymous data, but
21
this too is unconvincing. The recently decided Calhoun v. Google, LLC is apposite. 113 F.4th
22
1141 (9th Cir. 2024). In that case, the class members challenged Google Chrome’s sync function,
23
averring that they believed choosing not to sync Chrome with their Google accounts would
24
preclude the collection of their “personal information” by Google. Id. at *1143–44. While that
25
case included an intrusion upon seclusion claim, the central inquiry on appeal was whether the
26
27
plaintiffs consented to Google’s conduct based on the viewpoint of a reasonable user encountering
Google’s disclosures (including the PP).
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
8
United States District Court
Northern District of California
1
The Ninth Circuit confirmed that whether the plaintiffs consented turned on the terms of
2
various disclosures and “whether a reasonable user reading them would think that he or she was
3
consenting to the data collection, which collection Google has not disputed.” Id. at 1148. The
4
Calhoun court also distinguished Hammerling v. Google, LLC, No. 22-17024, 2024 WL 937247 at
5
*3 (9th Cir. Mar. 5, 2024) (unpublished) and Smith v. Facebook, 745 Fed. App’x 8, 9 (9th Cir.
6
2018) (unpublished), cases where the “plaintiffs…had not argued that Facebook or Google had
7
service-specific privacy policies that could reasonably be read to say the opposite of what its
8
general privacy policies disclosed.” Calhoun, 113 F.4th at 1149. “By contrast, and at least in the
9
light most favorable to plaintiffs, Google did make a promise in its Chrome Privacy Policy that it
10
would not collect certain information absent a user’s voluntary decision to sync, so Google may be
11
‘bound by [those] promises.’” Id. (quoting Smith, 745 Fed. App’x at 9). As in Calhoun, Google
12
provides Plaintiffs with several disclosures, ranging from general privacy disclosures in its PP to
13
more specific disclosures surrounding the WAA/(s)WAA buttons. From the perspective of a
14
reasonable user, it is unclear Plaintiffs were consenting to the data collection at issue. With that
15
background, analysis turns to the specific claims advanced by Plaintiffs in the FAC.
16
C.
17
While Plaintiffs’ invasion of privacy claims, brought separately under the California
18
constitution and common law, are distinct claims, they consist of substantially similar elements.
19
The inquiry under either is whether “(1) there exists a reasonable expectation of privacy, and (2)
20
[whether] the intrusion was highly offensive.” In re Facebook, Inc. Internet Tracking Litig.
21
(“Facebook Tracking”), 956 F.3d 589, 601 (9th Cir. 2020). Plaintiffs’ common law tort claim also
22
requires a showing of intent to commit the intrusion on Google’s part.
Invasion of privacy claims
23
1. Reasonable expectation of privacy
24
Google argues that Plaintiffs have no reasonable expectation of privacy in anonymized,
25
aggregate data, invoking Campbell v. Facebook, Inc., 951 F.3d 1106, 1119 (9th Cir. 2020). In that
26
case, however, the Ninth Circuit specifically declined to reach the issue: “We emphasize that this
27
case also does not present the question whether standing could be based entirely on injury from
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
9
1
anonymized, aggregated uses of data.” Id. at n.9. Indeed, “information need not be personally
2
identifying to be private.” In re Google Referrer Header, 465 F. Supp. 3d 999, 1009–10 (N.D.
3
Cal. 2020); see also Brown v. Google LLC, 685 F.Supp.3d 909, 924 (2023) (“Plaintiffs have set
4
forth specific facts demonstrating that the reason Google has access to their anonymous,
5
aggregated data is through the collection and storage of information from users’ private browsing
6
history without consent.”). Moreover, whether the data collected by Google constitutes personal
7
8
9
10
United States District Court
Northern District of California
11
12
13
14
15
16
17
information is not, as Google suggests, a foregone conclusion. See In re Google RTB Consumer
Priv. Litig., 606 F. Supp. 3d at 944.
Google invokes Hammerling, where the Ninth Circuit affirmed a district court’s dismissal
of these claims because Google’s PP “expressly disclosed Google’s intention to track [the
plaintiffs’] activity on third-party apps. As a result, [they] have no reasonable expectation of
privacy in that data.” 2024 WL 937247 at *3. By contrast, Google’s disclosures concerning the
(s)WAA settings state that it governs a user’s activity “on sites, apps, and devices that use Google
services”—language almost identical as that in Hammerling— to describe data that Google will
not save when (s)WAA is off. Following Google’s logic, it is at least disputed here whether
Plaintiffs have a reasonable expectation of privacy as to the (s)WAA-off data.
2. Highly offensive conduct
For Plaintiffs to succeed on their invasion of privacy claims, they need also show that the
18
invasion of privacy was “highly offensive” to a reasonable person and unwarranted “so as to
19
constitute an ‘egregious breach of social norms.’” Facebook Tracking, 956 F.3d at 606 (quoting
20
Hernandez v. Hillsides, Inc., 47 Cal.4th 272, 295 (2009)). This inquiry “requires a holistic
21
consideration of factors such as the likelihood of serious harm to the victim, the degree and setting
22
of the intrusion, the intruder’s motives and objectives, and whether countervailing interests or
23
social norms render the intrusion inoffensive.” Id.
24
To emphasize the offensiveness of Google’s conduct, Plaintiffs highlight the “vast and
25
sensitive” nature of the information collected, see Brown, 685 F. Supp 3d at 941, as well as the
26
significant profits Google makes resulting from its misconduct. Specifically, Plaintiffs suggest that
27
Google can personalize ads based on (s)WAA-off data because Attribution/Conversion Tracking
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
10
1
is highly profitable for Google. In support, Plaintiff’s technical expert, Jonathan Hochman, looks
2
to the GA4F Help Center. There, Google indicates that a GA4F automatically collects certain
3
“User Properties,” including a user’s IP address, age, gender, geolocation, “potentially even
4
‘favorite food.’” Hochman Rep. 89, 99. Google also supposedly performs its (s)WAA “consent
5
checks” only after it has collected and saved a myriad of unique and sensitive information from
6
users, rendering the distinction between identifying and pseudonymous data (i.e., GAIA and non-
7
8
9
10
GAIA identifiers) meaningless. Id. at 86, 87.
This inquiry of Google’s conduct turns on the nature of the information collected and
whether a reasonable person would consider its collection to be an offensive intrusion. While
Hochman’s report indicates that Google creates these extensive and detailed marketing profiles of
(s)WAA-off users which it then uses to gain high profits, those arguments are founded on a
United States District Court
Northern District of California
11
hypothetical scenario, rather than Google’s actual conduct. Plaintiffs have provided no evidence
12
that Google uses (s)WAA-off data to build highly targeted and invasive marketing profiles of
13
14
(s)WAA-off users, only that Google has the technical capabilities of joining the identifiers it
collects with more sensitive and personal data about the user. In fact, Google takes significant
15
efforts to separate a (s)WAA-off users’ GAIA-IDs from its device identifiers. Furthermore,
16
“routine commercial behavior” is not a “highly offensive” invasion of privacy. Low v. LinkedIn
17
Corp., 900 F. Supp. 2d 1010, 1025 (N.D. Cal. 2012).
18
That Google can use this information to make money or improve its products or services is
19
of little relevance. That principle applies a fortiori here as Google collects the (s)WAA-off data
20
not simply to line its pockets, but for a free analytics tool intended to aid developers in
21
understanding their apps and usage. Moreover, Plaintiffs have not explained how the (s)WAA-off
22
data that Google collects constitute sensitive information that would offend a reasonable person
23
and social norms. See In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1063 (N.D. Cal.
24
2012) (“[T]he information allegedly disclosed to third parties included the unique device identifier
25
number, personal data, and geolocation information from [p]laintiffs’ iDevices. Even assuming
26
this information was transmitted without Plaintiffs’ knowledge and consent, a fact disputed by
27
Defendants, such disclosure does not constitute an egregious breach of social norms.”).
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
11
1
Ultimately, however, viewing the facts in the light most favorable to Plaintiffs, Google’s
2
conduct is at least arguably offensive because it collects (s)WAA-off data despite concerns raised
3
by its employees and with the knowledge that its disclosures are ambiguous and deficient. In 2019,
4
an employee who worked on Gmail shared internally that Google “would need to modify the
5
[WAA disclosures] to indicate that WAA off is identical to being not logged into your account
6
(data logged, but not tied to your account).” Later that year, he wrote again, highlighting that the
7
8
9
10
WAA page indicates that WAA-off data should not be logged at all. Another employee wrote that
“teams should not use user data at all if WAA is off,” to align with what “most users expect.”
Several Google employees between 2017 and 2020 wrote that WAA was confusing and unclear to
everyday users. See Plaintiffs’ Opposition to Motion for Summary Judgment (“Plaintiffs’ Opp.”)
at 12-13. Internal Google communications also indicate that Google knew it was being
United States District Court
Northern District of California
11
12
13
14
15
16
“intentionally vague” about the technical distinction between data collected within a Google
account and that which is collected outside of it because the truth “could sound alarming to users.”
Google argues that these comments are innocuous because they seek largely to identify
potential technical improvements for Google services, and several of the employees making such
remarks are unfamiliar with WAA. The concerns raised by Google employees are relevant,
however, at the very least for tending to show that the WAA disclosures are subject to multiple
17
interpretations. What is more, the remarks and Google’s internal statements reflect a conscious
18
decision to keep the WAA disclosures vague, which could suggest that Google acted in a highly
19
offensive manner, thereby satisfying the intent element of the tort claim. Then again, these
20
comments could also be ascribed to the unremarkable culture in large technology enterprises
21
where employees simply offer improvements of the company’s products or services. Whether
22
Google or Plaintiffs’ interpretation prevails is a triable issue of fact.
23
3. Harm
24
Google insists that Plaintiffs’ invasion of privacy claims fail because Plaintiffs cannot
25
establish that a “bare privacy harm” is actionable, as Article III injury alone cannot constitute
26
27
harm to sustain the invasion of privacy claims (as well as CDAFA, discussed further below). In
TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), the Supreme Court held that, for purposes of
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
12
United States District Court
Northern District of California
1
Article III standing, “only those plaintiffs who have been concretely harmed by a defendant’s
2
statutory violation may sue that private defendant over that violation in federal court.” Id. at 427
3
(emphasis in original). The Court also noted that “[c]entral to assessing concreteness is whether
4
the asserted harm has a 'close relationship to a harm traditionally recognized as providing a basis
5
for lawsuits in American courts.” Id. at 417 (internal quotations omitted); Facebook Tracking, 956
6
F.3d at 598 (“[V]iolations of the right to privacy have long been actionable at common law.”).
7
Additionally, as the Ninth Circuit indicated when discussing certain California privacy statutes,
8
“under the privacy torts that form the backdrop for these modern statutes, the intrusion itself
9
makes the defendant subject to liability . . . In other words, privacy torts do not always require
10
additional consequences to be actionable.” Campbell, 951 F.3d at 1117 (internal citations
11
omitted).
12
Google insists that while Plaintiffs may have suffered Article III injury, they cannot show,
13
class-wide, that they suffered harm under the invasion of privacy claims because the “emotional
14
harms” associated with those claims are only available on an individual basis. Plaintiffs have
15
offered no models or explanations for how these harms apply across the classes, and at the
16
hearing, Plaintiffs’ counsel admitted that if emotional harm was Plaintiffs’ sole theory of harm,
17
only nominal damages would be available to the class. Contrary to Google’s view, however, that
18
only nominal damages are available class-wide does not defeat Plaintiffs’ invasion of privacy
19
claims.
20
D. CDAFA
21
Plaintiffs aver, in their third claim, that Google’s collection and use of (s)WAA-off data
22
violates CDAFA, Cal. Penal Code § 502, et seq. CDAFA imposes liability on whoever
23
“[k]nowingly accesses and without permission takes . . . any data from a computer.” Cal. Penal
24
Code § 502(c)(2). The statute allows an individual who “suffers damage or loss by reason of a
25
violation” of the statute to bring a private civil action. Cal. Penal Code § 502(e)(1). Google seeks
26
summary judgment for Plaintiffs’ CDAFA claim on the grounds that it had permission to use
27
(s)WAA-off data and that Plaintiffs suffered no damage or loss.
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
13
United States District Court
Northern District of California
1
1. Permission3
2
CDAFA does not define “permission” within the text of the statute. Several cases in this
3
district and the Ninth Circuit provide guidance as to the term’s meaning for the purposes of
4
CDAFA analysis, focusing on the plain meaning of the term and what the defendant knew while
5
using the data. See, e.g., In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1100 (N.D. Cal. 2015)
6
(“‘Permission’ is defined as the ‘act of permitting’ or ‘a license or liberty to do something;
7
authorization.’”) (quoting Black’s Law Dictionary (8th ed. 2004)); Facebook, Inc. v. Power
8
Ventures, Inc., 844 F.3d 1058, 1069 (9th Cir. 2016) (in concluding that the defendant violated
9
CDAFA, holding that it “knew that it no longer had permission to access [the plaintiff’s]
10
computers at all”). Much of the authority on this issue comes from courts reviewing Computer
11
Fraud and Abuse Act (CFAA) claims, 18 U.S.C. § 1030(a)(2). Courts in this district have held that
12
CDAFA claims generally “rise or fall with . . . CFAA claims because the necessary elements of
13
Section 502 do not differ materially from the necessary elements of the CFAA, except in terms of
14
damages.” Meta Platforms, Inc. v. BrandTotal Ltd., 605 F. Supp. 3d 1218, 1260 (N.D. Cal. 2022)
15
(citing Brodsky v. Apple Inc., 445 F. Supp. 3d 110, 129 (N.D. Cal. 2020)). In the CFAA context,
16
the Ninth Circuit defines “authorization” as “permission or power granted by an authority.” LVRC
17
Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009).
18
First, Google argues that, as a matter of law, Plaintiffs explicitly consented because the
19
default setting for (s)WAA gave Google permission to use their data, and toggling (s)WAA off did
20
not revoke permission. Even if Plaintiffs impliedly granted Google permission to use their data
21
prior to toggling (s)WAA off, this argument is lacking. See Power Ventures, 844 F.3d at 1069
22
(acknowledging that permission may be granted by implication in the context of CDAFA). What
23
is relevant is whether toggling (s)WAA off revoked permission.4 Google’s generic disclosures in
24
25
26
27
3
The parties interchangeably refer to this element under CDAFA as “permission” and “consent.”
4
If Google is correct that the WAA settings are of no import as to the data Google collected via
GA4F, it is unclear how else a user may give Google consent to log that information to begin with
(short of not signing up for a Google account), much less withdraw it.
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
14
1
the PP fail to show express or implied consent to the data use at issue because consent is only
2
effective if directed “to the particular conduct, or to substantially the same conduct.” Tsao v.
3
Desert Palace, Inc., 698 F.3d 1128, 1149 (9th Cir. 2012) (internal quotations omitted). Here, the
4
permission prong of Plaintiffs’ CDAFA claim turns on whether class members revoked
5
permission when they toggled (s)WAA off.
United States District Court
Northern District of California
6
When evaluating whether a party revoked permission in the context of CDAFA or CFAA,
7
courts focus on the perspective of the defendant at the time they used the data. See Power
8
Ventures, 844 F.3d at 1069. In Power Ventures, the Ninth Circuit held that a cease-and-desist
9
letter sent by the plaintiff revoked any implied permission for the defendant to continue accessing
10
their computers and using their data. The Ninth Circuit held that previously permitted use runs
11
afoul of the CFAA (and therefore the CDAFA) “when such permission has been revoked
12
explicitly.” Id. at 1067. The Ninth Circuit did not hold that a cease-and-desist letter was required
13
or articulate a specific test for revocation, instead focusing on what a defendant knew or should
14
have known at the time of use. Id. at 1069 (“But when Facebook sent the cease-and-desist letter,
15
Power, as it conceded, knew that it no longer had permission to access Facebook’s computers at
16
all . . . Power violated [the CDAFA].”).
17
In this case, it is genuinely disputed whether Google knew or should have known that class
18
members revoked permission to use (s)WAA-off data. Google contends that the description of the
19
(s)WAA switch and what it controlled was plain and straightforward, clearly communicating that
20
the access and use now at issue was beyond the scope of the setting. Plaintiffs disagree, arguing
21
that they reasonably thought turning off (s)WAA meant that “Google would not collect or save
22
their app activity.” As explained above, evidence produced by Google during discovery, including
23
deposition testimony by Google employees, indicates that the description of (s)WAA was
24
ambiguous. Although Google disputes the applicability of that evidence, a reasonable juror could
25
be convinced by either party’s argument regarding the (s)WAA setting and Google’s PP.
26
Furthermore, Google has not explained how it received “consent” by (s)WAA-off users to collect
27
the data if there was no meaningful way for users to provide that consent. Indeed, “consent is only
28
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
15
1
effective if the person alleging harm consented to the particular conduct, or to substantially the
2
same conduct and if the alleged tortfeasor did not exceed the scope of that consent.” Brown, 685
3
F. Supp. 3d at 926 (internal quotations omitted). Accordingly, it cannot be determined as a matter
4
of law that Google had Plaintiffs’ permission to use their data.
United States District Court
Northern District of California
5
Google next argues that even if Plaintiffs did not give Google permission to use their
6
(s)WAA-off data, the third-party app developers obtained consent from users as a condition of
7
GA4F, so Google had permission to collect the data and its use did not violate CDAFA. Google
8
says that it acted only as a “vendor” to those third-party apps and permission granted by users to a
9
technology company extends to vendors who process such data. Even assuming Google acted as a
10
vendor, no court has endorsed the position that when one technology company acts as a vendor for
11
another, consent for the purposes of CDAFA analysis is coextensive with the party that obtained
12
it. Google cites only to inapposite California Invasion of Privacy Act (“CIPA”) cases in support of
13
their position on this point. See, e.g., Graham v. Noom, Inc., 533 F. Supp. 3d 823 (N.D. Cal.
14
2021). Unlike CFAA, CIPA has never been deemed substantially similar to CDAFA. Therefore,
15
Google presents no relevant authority to show that under CDAFA, permission given by third
16
parties to use (s)WAA-off data satisfies the statute’s permission requirement.
17
Google’s third-party permission argument is not only unsupported by any applicable
18
caselaw but also in tension with relevant Ninth Circuit precedent. In United States v. Nosal, the
19
Ninth Circuit held that “once authorization to access a computer has been affirmatively revoked,
20
[a defendant] cannot sidestep the statute by going through the back door and accessing the
21
computer through a third party. Unequivocal revocation of computer access closes both the front
22
door and the back door.” 844 F.3d 1024, 1028 (9th Cir. 2016) (discussing the authorization prong
23
of the CFAA). Assuming, then, that Plaintiffs did revoke permission when they toggled (s)WAA
24
off, whether a third party granted permission is irrelevant. Instead, what matters is whether Google
25
knew or should have known that Plaintiffs revoked permission to use their data, a material fact
26
that is genuinely disputed.
27
Google also contends that if a plaintiff was indeed confused about the limitations of the
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
16
United States District Court
Northern District of California
1
WAA or (s)WAA settings, that confusion would undermine Plaintiffs’ class-wide claims because
2
it otherwise received clear consent for pseudonymous record-keeping. As explained, whether
3
Google received consent for its conduct is not a sure-fire proposition. More critically, Google
4
confuses the issue here: viewing the facts in the light most favorable to Plaintiffs, it is a disputed
5
fact, not an individualized inquiry, whether the class members’ uniform conduct of turning
6
(s)WAA off withdrew their consent for Google to “save app activity data.” This identical conduct,
7
as explained in the class certification order, still warrants class treatment. Moreover, Google’s
8
disclosures were uniform to all class members and its treatment of the classes’ data was also
9
identical. Its own imprecision does not undermine predominance.
10
2. Damage or Loss
11
CDAFA neither defines nor sets a monetary threshold for “damage or loss.” Cottle v. Plaid
12
Inc., 536 F. Supp. 3d 461, 487 (N.D. Cal. 2021). Rather, “under the plain language of the statute,
13
any amount of damage or loss may be sufficient.” Facebook, Inc. v. Power Ventures, Inc., No. 08-
14
cv-05780-JW, 2010 WL 3291750, at *4 (N.D. Cal. July 20, 2010). Plaintiffs argue that at least
15
five injuries establish “damage or loss” under CDAFA.
16
a.
Deprivation of privacy
17
This damage theory rests entirely on the viability of Plaintiffs’ other two claims and
18
requires a showing of harm. As discussed above, Plaintiffs are unable to show that they are
19
entitled to more than nominal damages resulting from the emotional harms associated with their
20
deprivation of privacy. They offer no concrete models or theories that this harm constitutes more
21
than simply an emotional injury. However, Plaintiffs have other damage or loss theories that
22
provide a basis to satisfy this element of CDAFA.
23
b.
Disgorgement of profits
24
Plaintiffs argue that they experienced damage or loss because Google illegally profited
25
from the use of their data. Plaintiffs rely on Facebook Tracking, where the Ninth Circuit held that
26
“California law recognizes a right to disgorgement of profits resulting from unjust enrichment,
27
even where an individual has not suffered a corresponding loss.” 956 F.3d at 599. Google
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
17
1
responds that, in light of TransUnion, Plaintiff’s disgorgement of profits theory of damage or loss
2
is untenable under CDAFA. 594 U.S at 417.
3
Plaintiffs’ disgorgement theory is compatible with TransUnion, which held that, when
4
determining which injuries are sufficiently concrete, “history and tradition offer a meaningful
5
guide.” Id. at 424 (citation omitted). Certain harms “readily qualify as concrete injuries under
6
Article III. The most obvious are traditional tangible harms, such as physical harms and monetary
7
harms.” Id. at 425. Intangible harms, such as “disclosure of private information” or “intrusion
8
upon seclusion”, have also been traditionally recognized. Id. Google argues that its “harmless data
9
collection” does not serve as a basis to disgorge its profits because it does not constitute a concrete
10
injury.
Notwithstanding that it is disputed whether Google’s data collection was “harmless,”
United States District Court
Northern District of California
11
12
Brown v. Google LLC is instructive in showing why Plaintiffs’ intangible harms are sufficiently
13
concrete to constitute damage or loss under current law. 685 F. Supp. 3d 909 (N.D. Cal. 2023). In
14
that case, decided after TransUnion, the court held that the plaintiffs satisfied CDAFA’s damage
15
or loss requirement because they had “a stake in the value of their misappropriated data.” Id. at
16
940. Relying on Facebook Tracking, the court held that the plaintiffs could state an economic
17
injury for their misappropriated data. Id.; Facebook Tracking, 956 F.3d 589 at 600. The court also
18
denied summary judgment as to the defendant’s argument that plaintiffs lacked standing to seek an
19
unjust enrichment remedy, holding that Facebook Tracking was still good law. Brown, 685 F.
20
Supp. 3d at 926. Here, Plaintiffs have a stake in the value of their data. As in Brown, where the
21
court denied summary judgment on the issue of damage or loss “because plaintiffs proffer[ed]
22
evidence that there [was] a market for their data,” Plaintiffs here similarly present evidence that
23
their data has economic value. 685 F. Supp. 3d at 940. Accordingly, a reasonable juror could find
24
that Plaintiffs suffered damage or loss because Google profited from the misappropriation of their
25
data.
26
c.
Failure to pay for collected data
27
Third, Plaintiffs argue that they suffered damage or loss because Google failed to pay for
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
18
United States District Court
Northern District of California
1
the data it collected despite there being a market for it. This theory of damage or loss is closely
2
related to Plaintiffs second theory. See Brown, 685 F. Supp. 3d at 925-26, 940 (discussing unjust
3
enrichment and economic injury for misappropriated data). Plaintiffs argue that they suffered
4
damage or loss because Google took something of economic value from them without their
5
permission. Google insists that this theory fails because Plaintiffs did not wish to sell their data
6
and, even if they did, their data did not diminish in value because of its conduct. However, “under
7
California law, [a] stake in unjustly earned profits exists regardless of whether an individual
8
planned to sell his or her data or whether the individual’s data is made less valuable.” Facebook
9
Tracking, 956 F.3d at 600. It remains disputed whether Plaintiffs suffered damage or loss because
10
Google failed to pay for their data despite the existence of a market.
11
d.
12
Fourth, Plaintiffs proffer evidence that Google’s unauthorized access depleted their
13
devices’ battery and bandwidth, causing damage or loss. Courts recognize depletion of battery and
14
computing resources as acceptable forms of damage or loss for the purposes of a CDAFA claim.
15
In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1065 (N.D. Cal. 2015); Williams v. Facebook, Inc.,
16
498 F. Supp. 3d 1189, 1199 (N.D. Cal. 2019). While Plaintiffs have provided no evidence about
17
how much device battery life and bandwidth was depleted, they point to internal Google
18
documents that suggest Google Analytics impacts battery-life of a device. Google points out that
19
Plaintiffs failed to present a damage model at class certification based on this harm, and Plaintiffs
20
concede that only nominal damages would be available to them under this theory of liability. As
21
the statute sets no minimum threshold for damage or loss, even small harms due to depletion of
22
battery and bandwidth satisfy CDAFA’s requirements. At this stage, Plaintiffs have provided
23
sufficient evidence to show harm for at least nominal damages under this theory.
Depletion of battery and bandwidth
24
e.
25
Finally, Plaintiffs argue that they suffered damage or loss because class members did not
26
receive the “benefit of their bargain” with Google, a concept linked to their now dismissed breach
27
of contract claim. Dkt. 127, 209. Plaintiffs have offered no authority that denial of the benefit of
Denial of benefit of the bargain
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
19
1
2
E. Motions to Seal
3
The parties have filed administrative motions to seal portions of their briefing. Plaintiffs
4
move to seal highlighted portions of Exhibit 4 of its Opposition on the grounds that it contains
5
personally identifiable information, which is deemed private pursuant to the Protective Order.
6
United States District Court
Northern District of California
the bargain constitutes damage for CDAFA absent a contract claim.
Google has moved to seal no portion of the Opposition or its Reply brief (and its Motion
7
for Summary Judgment was filed publicly). Instead, Google seeks only to seal portions of 16
8
exhibits submitted alongside the Opposition and Reply briefs and 6 exhibits in full. Google
9
subsequently withdrew its request to seal one sentence from Exhibit 34. Google raises several
10
grounds as the basis for its motion to seal: first, it seeks to seal commercially sensitive
11
information, including its internal research methodologies and forward-looking strategies and
12
deliberations. It also seeks to seal private documents regarding the technical details of Google’s
13
internal systems, references to internal code names, and non-public email addresses.
14
The parties’ motions to seal have satisfied the “compelling reasons” standard for
15
dispositive motions. See Ctr. for Auto Safety v. Chrysler Grp., 809 F.3d 1092, 1098–1099 (9th Cir.
16
2016). The sealing questions are tailored narrowly in order to avoid impacting the public’s
17
understanding of this case. Accordingly, the motions to seal are granted.
18
V. CONCLUSION
19
For the reasons explained above, Google’s motion for summary judgment is denied and the
20
pending motions to seal are granted. The parties shall file public versions of their briefs and
21
related exhibits in accordance with the sealing order within one week of the date of this order.
22
IT IS SO ORDERED.
23
24
Dated: January 7, 2025
25
______________________________________
26
RICHARD SEEBORG
27
Chief United States District Judge
ORDER DENYING MOTION FOR SUMMARY JUDGMENT
CASE NO. 20-cv-04688-RS
28
20
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?