525 F.Supp.3d 1049
N.D. Cal.2021Background
- Plaintiffs are Google account holders who used browsers in private/Incognito mode and allege Google collected their browsing data despite that mode.
- Plaintiffs describe Google’s collection as occurring when websites embed Google Analytics/Ad Manager code that causes a browser to send a duplicate GET request to Google; data allegedly collected includes duplicate GET/referrer, IP address, browser fingerprinting, site-issued user IDs, geolocation, and cookies.
- Plaintiffs contend Google’s public materials (Incognito splash screen, Chrome pages, Privacy Policy, executive statements) presented private browsing as a way to avoid linking activity to the user and omitted notice that Google would collect such data.
- Plaintiffs asserted Wiretap Act, CIPA (Cal. Penal Code §§631 & 632), CDAFA, intrusion upon seclusion, and invasion-of-privacy claims and sought class treatment; Google moved to dismiss.
- The district court (Judge Koh) denied Google’s motion to dismiss, holding Plaintiffs plausibly alleged lack of consent, timely claims (recent interceptions and tolling by fraudulent concealment), and sufficient factual allegations to survive dismissal on Wiretap Act, CIPA, CDAFA, and privacy tort claims.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Consent to collection | Plaintiffs did not consent; Google’s disclosures omitted that Google would collect data in private mode and affirmatively represented otherwise | Google pointed to Privacy Policy, Terms, and site owners’ use of Google services to show users/websites consented | Court: Google failed to prove actual or adequate implied consent; disclosures did not explicitly notify about collection in private mode; consent defense rejected (and Wiretap consent exception inapplicable when interception is for tortious/criminal purpose). |
| Statute of limitations | Recent interceptions occurred (Feb–May 2020); fraudulent concealment by Google’s misleading disclosures tolled earlier claims | Google argued many alleged acts predated limitations periods (since 2016) so claims time-barred | Court: each interception is a discrete violation (timely claims for recent acts) and fraudulent concealment plausibly alleged; SOL defense denied. |
| Wiretap Act — "ordinary course of business" exception | Plaintiffs: duplicate GET to Google is not incidental to the user-website communication and thus is an interception | Google: its collection is ordinary/incidental to providing analytics/ads and so not an intercepting "device" under the exception | Court: exception construed narrowly; Google did not show duplication was incidental to the communication at issue and Plaintiffs alleged violations of Google’s privacy promises; Wiretap claim survives. |
| CIPA/CDAFA/privacy torts sufficiency | Plaintiffs: private browsing users reasonably expect privacy; Google’s secret collection defeats that expectation and circumvents user protections | Google: Internet communications are not "confidential"; no barrier was circumvented for CDAFA; lack of actionable intrusion | Court: distinguished cases finding no confidentiality (emails/chats) because here users used private browsing and Google’s disclosures suggested privacy; Plaintiffs plausibly alleged confidentiality, circumvention/hidden code, and a highly offensive intrusion; claims survive. |
Key Cases Cited
- Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (establishes Rule 12(b)(6) plausibility standard)
- Ashcroft v. Iqbal, 556 U.S. 662 (pleading must permit reasonable inference of liability)
- Bliss v. CoreCivic, Inc., 978 F.3d 1144 (each interception is a discrete violation for limitations purposes)
- In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir.) (analogous treatment of duplicate GET/referrer-based tracking and reasonable privacy expectations)
- In re Google Cookie Placement Consumer Privacy Litig., 806 F.3d 125 (3d Cir.) (tracking that overrides user settings can support privacy claims)
- Aryeh v. Canon Bus. Sols., Inc., 292 P.3d 871 (Cal. 2013) (recurring invasions each trigger limitations periods)
- Hexcel Corp. v. Ineos Polymers, Inc., 681 F.3d 1055 (fraudulent concealment tolling doctrine)
- Hernandez v. Hillsides, Inc., 47 Cal.4th 272 (privacy tort elements; reasonable expectation and offensiveness)
- Bailey v. Glover, 88 U.S. 342 (equitable/fraudulent concealment principle)
- United States v. Christensen, 828 F.3d 763 (9th Cir.) (interpreting CDAFA access/unauthorized access concepts)