Doe I v. Google LLC
3:23-cv-02431
| N.D. Cal. | Mar 20, 2025Background
- Plaintiffs allege Google collected private health information from patients interacting with healthcare provider websites, using Google products embedded on those pages.
- Plaintiffs focus on Google’s ability to tie this information to identifiable individuals through cookies, especially the “gid” cookie when users are signed into Google accounts.
- Some cookies (like the "cid" cookie) generate identifiers not clearly linked back to real-world individuals, highlighting a gap in plaintiffs’ allegations for non-Google account holders.
- Plaintiffs brought claims under federal and state wiretap laws and for breach of contract, referencing Google's Privacy Policy and HIPAA-related policies.
- The court has requested additional briefing on whether the allegations sufficiently establish Google’s intent and ability to identify individuals under the pertinent statutes, and distinctions pre- and post-Google’s 2023 HIPAA disclosure.
- The court’s preliminary findings distinguish between pre-2023 and post-2023 Google conduct based on changes to Google's HIPAA-related disclosures and guidance to providers.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held (Tentative, pending more briefing) |
|---|---|---|---|
| Applicability of Wiretap Statutes | Google intercepted communications with identifiable health info | No proof info was linked to identifiable users | Plaintiffs may have alleged interception for account users |
| Sufficiency of Connection to Individual | Google could use “gid” cookie to link data to an identified user | Data not always linked to identified person | Sufficient for account holders, not others |
| Breach of Contract | Google promised to collect health info only with consent | Google did not breach Privacy Policy | Claim plausible for health info linked to user/consent |
| Intent Requirement Under Wiretap Laws | Google intended to intercept/receive info tied to identities | No intent to intercept identifying health info | Intent plausible pre-2023, not plausible post-2023 |
Key Cases Cited
- United States v. Christensen, 828 F.3d 763 (9th Cir. 2015) (defines wiretap act’s intent requirement: purposeful and deliberate, not accidental)
- Rojas v. HSBC Card Services Inc., 20 Cal. App. 5th 427 (Cal. Ct. App. 2018) (intent under California wiretap laws centers on desire to record confidential communication)
- People v. Superior Court of Los Angeles County, 70 Cal. 2d 123 (Cal. 1969) (clarifies focus on intent to record confidential communications)