Google Dodges a Bullet: Plaintiffs Lack Standing to Sue Over Co-Mingled Data

According to the US District Court for the Northern District of California, Google’s co-mingling of the personal identification information (PII) it collects from users across multiple product platforms does not create an injury sufficient to grant standing to sue in federal court.

Merely alleging that Google profited off users’ data is not enough. Rather, plaintiffs must allege some specific economic deprivation resulting from the use of the data. As stated by the Court: “a plaintiff must do more than point to the dollars in a defendant’s pocket; he must sufficient allege [sic] that in the process he lost dollars of his own.”

Tell Me More

The case, In re Google Inc. Privacy Policy Litigation, No. 5:12-cv-01382-PSG (N.D. Cal. Dec. 3, 2013), stems from changes that Google made in 2012 to its privacy policies. Prior to the changes, Google maintained separate privacy policies for each of its products. As of March 1, 2012, however, Google eliminated most of the separate policies in favor of a single, universal privacy policy that applies across multiple Google products. Under the new policy, Google may combine the PII it collects on users from one Google product, such as Gmail, with the PII it collects from another Google product, such as Google search. Google contends that combining all of the data it collects on its users will allow for a “simpler, more intuitive Google experience.” The plaintiffs in In re Google Inc., however, contend that the new privacy policy violates their privacy rights as well as Google’s own prior privacy policies.

In reaching its determination that the plaintiffs were not sufficiently injured by Google’s data co-mingling to grant standing, the Court noted that the question of injury-in-fact has become a central focus in data privacy cases, despite generating little or no discussion in most other cases. Specifically, the Court noted that it was “hard-pressed to find even one recent data privacy case, at least in [the Northern District of California], in which injury-in-fact has not been challenged.” It also noted that “injury-in-fact has proven to be a significant barrier” to plaintiffs in these cases even though it is a fairly forgiving legal standard for plaintiffs.

Notably, although the Court found no standing on the basis of data co-mingling, it did find that the plaintiffs had standing on the basis of direct economic harm from unauthorized sharing of user data and violation of users’ statutory rights. Specifically, by alleging that Google’s unauthorized transfer of users’ data reduced their mobile phone battery life and led users to switch from Google’s Android phones to Apple’s iPhones, the Court said that there was a sufficient showing of economic harm. It also found that the plaintiffs could establish standing on the basis of violations of statutory rights that do not require a showing of damages to prove injury. Nonetheless, the Court still dismissed all the claims against Google, finding that the plaintiffs had failed to adequately state claims upon which relief could be granted.

Take Note

This case is important for any companies that collect users’ PII online, demonstrating some of the potential barriers that plaintiffs and class action attorneys face in bringing data privacy lawsuits. But it is also a warning that even as it may be difficult for a plaintiff to allege an injury as a result of data privacy issues, there are alternatives available that could allow lawsuits to proceed under alternative theories of injury. Consequently, it is critical that online data collectors carefully consider their privacy policies before collecting users’ data and ensure that they are compliant with all relevant federal and state privacy laws.

Contacts

Continue Reading