526 F.Supp.3d 605
N.D. Cal.2021Background:
- Plaintiffs are Chrome users who allege they did not enable Chrome’s Sync feature and therefore did not consent to sending browser data to Google.
- Plaintiffs allege Chrome (via Google code on many websites) transmitted five categories of personal data to Google: persistent cookie identifiers, GET/POST contents (browsing history), IP address and User‑Agent, and the X‑Client‑Data header.
- Chrome’s Privacy Notice stated that data stored locally in Basic/unsynced mode ‘‘won’t be sent to Google unless you choose to store that data…by turning on sync,’’ which Plaintiffs say was misleading.
- Plaintiffs filed a putative class action (July 27, 2020) advancing multiple federal and California claims; the Court limited briefing to ten claims and Google moved to dismiss.
- The Court granted in part and denied in part the motion: it dismissed (with leave to amend) Wiretap Act and SCA unauthorized‑disclosure claims, the SCA unauthorized‑access claim, and the CFAA claim; it denied dismissal of intrusion upon seclusion, breach of contract, breach of implied covenant, statutory larceny, UCL, and CIPA claims.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Consent to data collection | Plaintiffs contend Chrome/Google representations led users to reasonably expect unsynced data would not be sent to Google. | Google says users consented via Terms/Privacy Policy and websites consented by embedding Google code. | Court: Google did not meet its burden to show actual notice/consent; Chrome notices could reasonably be read to promise unsynced data would not be sent. |
| Websites' consent (for Wiretap/SCA) | Plaintiffs: websites did not consent to Google receiving data from unsynced users (or had no notice). | Google: websites impliedly consented by installing Google code, as in DoubleClick cases. | Court: cannot infer websites consented to interception of the subset of communications from unsynced Chrome users. |
| Statutes of limitations | Plaintiffs: each discrete interception triggers its own limitations period; alleged recent interceptions (July 2020) timely. | Google: broad, ongoing conduct dating back to 2016 is time‑barred. | Court: recurring discrete violations each trigger their own period; allegations of recent interceptions defeat dismissal on statute grounds. |
| Wiretap Act & SCA — unauthorized disclosure | Plaintiffs allege Chrome (an ECS) divulged contents to Google. | Google: disclosed data was to itself (not a third party); ordinary‑course exceptions apply. | Court: Dismissed these unauthorized‑disclosure claims — plaintiffs alleged Google disclosed to itself, not a third party; ordinary course exception does not salvage these disclosure counts. (Leave to amend.) |
| SCA — unauthorized access | Plaintiffs: Google accessed electronic storage without authorization. | Google: the SCA exempts conduct authorized by the ECS provider; users’ devices aren’t “facilities” under the SCA. | Court: Dismissed — Google (provider of Chrome) authorized the access and plaintiffs’ devices are not SCA ‘‘facilities.’’ (Leave to amend.) |
| Intrusion upon seclusion (privacy tort) | Plaintiffs: secret collection of detailed browsing data; reasonable expectation of privacy given Chrome representations; collection offensive. | Google: disclosures and commercial purpose make the conduct not highly offensive. | Court: Denied dismissal — plaintiffs plausibly alleged reasonable expectation of privacy and that the surreptitious collection could be highly offensive. |
| Breach of contract | Plaintiffs: Chrome Privacy Notice and TOS formed contract promises that unsynced data would not be sent to Google; Google breached. | Google: policies are informational, not contractual commitments; plaintiffs altered terms. | Court: Denied dismissal — the Chrome Privacy Notice and TOS could be contractual and plausibly promised no transfer of unsynced personal data. |
| Breach of implied covenant | Plaintiffs: Google acted in bad faith beyond mere contract breach (e.g., circumventing controls). | Google: claim duplicates contract theory and adds nothing. | Court: Denied dismissal — allegations go beyond mere breach and plausibly plead bad faith. |
| CFAA | Plaintiffs: Google ‘‘accessed’’ protected computers and caused damage. | Google: plaintiffs fail to allege $5,000+ loss in a one‑year period (CFAA threshold). | Court: Dismissed (with leave) — complaint does not allege the requisite aggregate $5,000 loss within one year. |
| Statutory larceny (Cal. Penal §§ 484, 496) | Plaintiffs: Google appropriated valuable personal information without consent. | Google: personal information is not ‘‘property’’ and copying is not a taking. | Court: Denied dismissal — courts recognize lost value of personal information and copying can constitute appropriation. |
| UCL (unlawful, unfair, fraudulent) | Plaintiffs: Google’s conduct is unlawful/fraudulent and caused economic injury (loss of info value). | Google: plaintiffs lack UCL standing or predicate violation. | Court: Denied dismissal — plaintiffs allege economic injury (loss of property value), predicate violations (e.g., CIPA, larceny), and fraudulent misrepresentations. |
Key Cases Cited
- Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (plausibility pleading standard for Rule 8)
- Ashcroft v. Iqbal, 556 U.S. 662 (pleading standards and legal conclusions)
- In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir.) (privacy standing, intrusion analysis, and contract issues in browser GET‑request tracking cases)
- In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125 (3d Cir.) (cookie‑placement and highly offensive intrusion analysis)
- Pharmatrak, Inc. v. [case name shortened], 329 F.3d 9 (1st Cir.) (scope of implied consent and limits on consent to subsets of communications)
- Hernandez v. Hillsides, Inc., 47 Cal.4th 272 (Cal. 2009) (elements of intrusion upon seclusion; highly offensive inquiry)
- Bliss v. CoreCivic, Inc., 978 F.3d 1144 (9th Cir.) (each interception is a discrete violation for limitations accrual)
- Andrews v. Sirius XM Radio, 932 F.3d 1253 (9th Cir.) (CFAA ‘‘loss’’ interpretation)