Case Information
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION CHASOM BROWN, et al., Case No. 20-CV-03664-LHK Plaintiffs, ORDER DENYING MOTION TO DISMISS v. Re: Dkt. No. 82 GOOGLE LLC, Defendant.
Plaintiffs Chasom Brown, Maria Nguyen, William Byatt, Jeremy Davis, and Christopher Castillo (collectively, “Plaintiffs”), individually and on behalf of all others similarly situated, sue Defendant Google LLC (“Google”). Before the Court is Google’s motion to dismiss Plaintiffs’ first amended complaint. ECF No. 82. Having considered the parties’ submissions and oral arguments, the relevant law, and the record in this case, the Court DENIES Google’s motion to dismiss.
I. BACKGROUND
A. Factual Background
Plaintiffs are Google account holders who used their browser in “private browsing mode.” ECF No. 68 (“FAC”) ¶ 11. Plaintiffs challenge Google’s alleged collection of their data while they were in private browsing mode. Id . ¶ 5.
1. Plaintiffs’ Use of Private Browsing Mode
Plaintiffs are Google account holders who used their browser in “private browsing mode.” Id . ¶ 11. In Google’s Chrome browser (“Chrome”), private browsing mode is referred to as “Incognito mode.” All Plaintiffs used Google’s Chrome browser in Incognito mode. Id . ¶¶ 168, 173, 178, 183, 188 (stating that Plaintiffs used Chrome in Incognito mode). However, one plaintiff also used a different browser, Apple’s Safari browser, in private browsing mode. Id . ¶ 173 (stating that Plaintiff Nguyen used Safari in private browsing mode). Furthermore, Plaintiffs seek to represent a class of users of private browsing mode without regard to the specific browser used. Id . ¶ 192.
Plaintiffs allege that “users of the Internet enable ‘private browsing mode’ for the purpose of preventing others . . . from finding out what the users are viewing on the Internet.” Id . ¶ 162. For example, users often enable private browsing mode in order to visit especially sensitive websites. Id . Accordingly, “users’ Internet activity, while in ‘private browsing mode,’ may reveal: a user’s dating history, a user’s sexual interests and/or orientation, a user’s political or religious views, a user’s travel plans, a user’s private plans for the future (e.g., purchasing of an engagement ring).” . 2. Google’s Alleged Collection of Plaintiffs’ Data
Plaintiffs allege that Google collects data from them while they are in private browsing mode “through means that include Google Analytics, Google ‘fingerprinting’ techniques, concurrent Google applications and processes on a consumer’s device, and Google’s Ad Manager.” . ¶ 8. According to Plaintiffs, “[m]ore than 70% of all online publishers (websites) use one or more of these Google services.”
Specifically, Plaintiffs allege that, whenever a user, including a user in private browsing mode, visits a website that is running Google Analytics or Google Ad Manager, “Google’s software scripts on the website surreptitiously direct the user’s browser to send a secret, separate message to Google’s servers in California.” Id . ¶ 63. This message includes six elements, each of which is discussed below.
First, Plaintiffs allege that Google collects duplicate GET requests. Whenever a user visits a webpage, his or her browser sends a message to the webpage’s server, called a GET request. Id . The GET request “tells the website what information is being requested and then instructs the website to send the information to the user.” Id . Accordingly, when Google obtains a duplicate GET request, the duplicate GET request “enables Google to learn exactly what content the user’s browsing software was asking the website to display.” Id . The duplicate GET request “also transmits a . . . header containing the URL information of what the user has been viewing and requesting from websites online.” Id . [1]
Second, Plaintiffs allege that Google collects the IP address of the user’s connection tо the Internet, which is unique to the user’s device. Id . When a device is connected to the Internet, the Internet Service Provider (ISP) that is providing the internet connection will assign the device a unique IP address. Id . at 18 n.16. Although IP addresses can change over time, the ISP often continues to assign the same IP address to the same device. Id . Third, Plaintiffs allege that Google collects information identifying the browser software that the user is using, including “fingerprint” data. Id . Because every unique device and installed application has small differences, images, digital pixels, and fonts display slightly differently for every device and application. . ¶ 100. Plaintiffs allege that, “[b]y forcing a consumer to display one of its images, pixels, or fonts, online companies such as Google are able to ‘fingerprint’ their users.” .
Fourth, Plaintiffs allege that Google collects user IDs issued by the website to the user. Id . ¶ 63. According to Plaintiffs, “Google offers an upgraded feature called ‘Google Analytics User- ID,’ which allows Google to map and match the user . . . to a specific unique identifier that Google can track across the web.” Id . ¶ 69. Plaintiffs allege that “[b]ecause of Google’s omnipresence on the web, the use of User-IDs can be so powerful that the IDs ‘identify related actions and devices and connect these seemingly independent data points.’” Id .
Fifth, Plaintiffs allege that Google collects the geolocation of the user. Id . ¶ 63. According to Plaintiffs, Google collects “geolocation data from (1) the Android operating system running on users’ phones or tablets and (b) Google applications running on phones (e.g. Chrome and Maps), Google Assistant, Google Home, and other Google applications and services. Id . ¶ 105. Finally, Plaintiffs allege that Google collects information contained in Google cookies, which were saved by the user’s browser. Id . ¶ 63. [2] According to Plaintiffs, “Google Analytics contains a script that causes the user’s . . . browser to transmit, to Google, information from each of the Google Cookies already existing on the browser’s cache.” Id . ¶ 70. These cookies “typically show, at a minimum, the prior websites the user has viewed.” Id . Thus, Google can obtain a user’s browsing history from the current browsing session. In addition, Plaintiffs allege that, for users using Chrome without Incognito Mode, Chrome constantly transmits “a unique digital string of characters called Google’s ‘X-Client-Data Header,’ such that Google uniquely identifies the device and user thereafter.” . ¶ 95. However, Plaintiffs allege that the X-Client Data Header is not present when a Chrome user has enabled Incognito Mode. . ¶ 96. Accordingly, Plaintiffs allege that Google is able to tell when a Chrome user has enabled Incognito Mode. Id . ¶ 96.
3. Google’s Representations to Plaintiffs
Plaintiffs allege that they “reasonably believed that their data would not be collected by Google and that Google would not intercept their communications when they were in ‘private browsing mode’” because of Google’s representations regarding private browsing mode. Id . ¶ 3. Conversely, Google contends that it disclosed the alleged data collection. ECF No. 82 (“Mot.”) at 5–6. Five Google documents are of particular relevance regarding Google’s representations to users: [3] (1) Google’s Privacy Policy; (2) Chrome’s Privacy Notice; (3) a Google webpage entitled “Search & browse privately”; (4) a Google webpage entitled “How private browsing works in Chrome”; and (5) the Incognito Splash Screen. The Court discusses each document in turn.
First, Google’s Privacy Policy states: “As you use our services, we want you to be clear how we’re using information and the ways in which you can protect your privacy.” Schapiro Decl. Exh. 1. Google’s Privacy Policy states:
Our Privacy Policy explains: • What information we collect and why we collect it. • How we use that information. • The choices we offer, including how to access and update information. . Google’s Privacy Policy in effect from March 25, 2016 to June 28, 2016 made the following disclosures regarding Google’s collection of data from users:
We collect information about the services that you use and how you use them, like when you . . . visit a website that uses our advertising services, or view and interact with our ads and content.
This information includes: . . . device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). When you use our services or view content provided by Google, we automatically collect and store certain information in server logs, [including] details of how you used our service, such as your search queries . . . Internet protocol address . . . device event information such as . . . the date and time of your request and referral URL [and] cookies that may uniquely identify your browser or your Google Account. . Subsequent versions of Google’s Privacy Policy made similar disсlosures.
Starting on May 25, 2018, Google’s Privacy Policy made statements regarding Chrome’s Incognito Mode:
You can use our services in a variety of ways to manage your privacy. For example, you can sign up for a Google Account if you want to create and manage content like email or photos, or see more relevant search results. . . . You can also choose to browse the web privately using Chrome in Incognito mode. And across our services, you can adjust your privacy settings to control what we collect and how your information is used.
Schapiro Decl. Exh. 8. Subsequent versions of Google’s Privacy Policy made similar statements. Second, Google’s Chrome Privacy Notice dated June 21, 2016 also made statements regarding Chrome’s Incognito Mode: You can limit the information Chrome stores on your system by using incognito mode or guest mode. In these modes, Chrome won’t store certain information, such as: • Basic browsing history information like URLs, cached paged text, or IP addresses of pages linked from the websites you visit.
• Snapshots of pages that you visit . . . . How Chrome handles your incognito or guest information Cookies. Chrome won’t share existing cookies with sites you visit in incognito or guest mode. Sites may deposit new cookies on your system while you are in these modes, but they’ll only be stored and transmitted until you close the incognito or guest window.
Schapiro Decl. Exh. 17.
Third, Google’s webpage entitled “Search & browse privately” makes the following statements regarding private browsing:
You’re in control of what information you share with Google when you search. To browse the web privately, you can use private browsing, sign out of your account, change your custom results settings, or delete past activity. If you want to search the web without saving your search activity to your account, you can use private browsing mode in a browser (like Chrome or Safari). How private browsing works
Private browsing works differently depending on which browser you use. Browsing in private usually means:
• The searches you do or sites you visit won’t be saved to your device or browsing history.
• Files you download or bookmarks you create might be kept on your device.
• Cookies are deleted after you close your private browsing window or tab.
• You might see search results and suggestions based on your location or other searches you’ve done during your current browsing session. Schapiro Decl. Exh. 18. Fourth, Google’s webpage entitled “How private browsing works in Chrome” makes the following statements regarding private browsing: When you browse privately, other people who use the device won’t see your history . . . Cookies and site data are remembered while you’re browsing, but deleted when you exit Incognito mode. Your activity might still be visible.
Incognito mode stops Chrome from saving your browsing activity to your local history. Your activity . . . might still be visible to: • Websites you visit, including the ads and resources used on those sites
• Websites you sign in to
• Your employer, school, or whoever runs the network you’re using
• Your internet service provider
• Search engines o Search engines may show search suggestions based on your location or activity in your current Incognito browsing session.
Some of your info might still be visible. A web service, website, search engine, or provider may be able to see:
• Your IP address, which can be used to identify your general location `
• Your activity when you use a web service . . . .
Schapiro Decl. Exh. 19.
Fifth, when a user enables Incognito Mode in the Chrome Browser, the following “Splash Screen” is displayed to the user with similar statements regarding private browsing mode: FAC ¶ 52.
Finally, Plaintiffs’ complaint alleges that Google and its officials made additional statements regarding private browsing. For instance, Plaintiffs allege that, on September 27, 2016, Google’s Director of Product Management Unni Narayana published an article in which he explained that Google was giving users “more control with incognito mode.” FAC ¶ 146. The article stated the following: “Your searches are your business . . . When you have incognito mode turned on in your settings, your search and browsing history will not be saved.” Id . ¶¶ 42, 146. Moreover, Plaintiffs allege that, on May 7, 2019, the New York Times published an opinion article written by Google’s CEO, Sudar Pichai, who explained that Google focuses on “features that make privacy a reality.” Id . ¶ 146. The article stated: “For example, we recently brought Incognito mode, the popular feature in Chrome that lets you browse the web without linking any activity to you, to YouTube.” .
B. Procedural History On June 2, 2020, Plaintiffs filed the instant case against Alphabet, Inc. and Google LLC. ECF No. 1. Plaintiffs bring five claims: (1) unauthorized interception under the Wiretap Act, 18 U.S.C. § 2510 et seq. ; (2) violation of the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code §§ 631 and 632; (3) violation of the California Computer Data Access and Fraud Act (“CDAFA”), Cal. Penal Code § 502; (4) invasion of privacy; and (5) intrusion upon seclusion. FAC ¶¶ 202–266. Plaintiffs seek to represent two classes: (1) “All Android device owners who accessed a website containing Google Analytics or Ad Manager using such a device and who were (a) in “private browsing mode” on that device’s browser and (b) were not logged into their Google account on that device’s browser, but whose communications, including identifying information and online browsing history, Google nevertheless intercepted, received, or collected from June 1, 2016 through the present” and (2) “All individuals with a Google account who accessed a website containing Google Analytics or Ad Manager using any non-Android device and who were (a) in “private browsing mode” in that device’s browser, and (b) were not logged into their Google account on that device’s browser, but whose communications, including identifying information and online browsing history, Google nevertheless intercepted, received, or collected from June 1, 2016 through the present.” . ¶ 192.
On August 20, 2020, Plaintiffs and Alphabet stipulated to voluntarily dismiss Alphabet from the case without prejudice. ECF No. 51. On August 24, 2020, the Court granted the stipulation and voluntarily dismissed Alphabet, leaving Google as the only defendant. ECF No. 57.
On August 20, 2020, Google filed a motion to dismiss the complaint. ECF No. 53. On September 21, 2020, Plaintiffs filed a first amended complaint in lieu of opposing the motion to dismiss. ECF No. 68. On October 6, 2020, the Court denied as moot the motion to dismiss. ECF No. 74.
On October 21, 2020, Google filed the instant motion to dismiss the first amended
complaint, ECF No. 82 (“Mot.”) and a request for judicial notice, ECF No. 84. On November 18,
2020, Plaintiffs filed an opposition to Google’s motion, ECF No. 87 (“Opp’n”), a response to
Google’s request for judicial notice, ECF No. 88, and their own request for judicial notice, ECF
No. 89. On December 7, 2020, Google filed a reply in support of its motion to dismiss, ECF No.
92 (“Reply”), and a response to Plaintiffs’ response regarding Google’s request for judicial notice,
ECF No. 93.
The Court may take judicial noticе of matters that are either “generally known within the
trial court’s territorial jurisdiction” or “can be accurately and readily determined from sources
whose accuracy cannot reasonably be questioned.” Fed. R. Evid. 201(b). However, to the extent
any facts in documents subject to judicial notice are subject to reasonable dispute, the Court will
not take judicial notice of those facts.
See Lee v. City of Los Angeles
,
Google requests that the Court take judicial notice of twenty-seven documents, which
include Google’s Terms of Service, fifteen versions of Google’s Privacy Policy, two versions of
Google’s Chrome Privacy Notice, and nine publicly available Google webpages. ECF No. 84.
Plaintiffs request that the Court take judicial notice of Google’s Privacy Policy in effect between
March 31, 2020 and July 1, 2020, which is one of the fifteen versions of Google’s Privacy Policy
of which Google requests the Court take judicial notice. ECF No. 89. These documents appear on
publicly available websites and are thus proper subjects for judicial notice.
See, e.g.
,
In re Google
Assistant Privacy Litig.
,
Plaintiffs contend that, as to six of the webpages presented by Google (Exhibits 19, 20, 22,
23, 24, and 25 to the Schapiro Declaration), Google does not identify the dates on which they
became publicly available, so the Court should take judicial notice of these webpages only as to
their existence on the date the webpage was last accessed. ECF No. 88 at 1. However, Google
demonstrates using the Internet Archive’s “Wayback Machine” that Exhibits 19 and 20 have been
publicly available since August 18, 2018, and substantively identical versions of Exhibits 22 to 25
have been publicly available since March 25, 2015 (Exhibit 22); June 13, 2014 (Exhibit 23);
November 12, 2012 (Exhibit 24); and January 28, 2015 (Exhibit 25). ECF No. 93 at 3–4. “Courts
have taken judicial notice of the contents of web pages available through the Wayback Machine as
facts that can be accurately and readily determined from sources whose accuracy cannot
reasonably be questioned.”
See, e.g.
,
Erickson v. Nebraska Mach. Co.
,
Finally, at the hearing on the instant motion, Google raised for the first time arguments
regarding the Court’s website.
See
Tr. of Feb. 25, 2021 Hearing at 47:13–16, ECF No. 104. In its
decision on the instant motion, the Court will not consider Google’s untimely arguments.
See In re
Apple Inc. Securities Litigation
,
II. LEGAL STANDARD
A. Dismissal Pursuant to Federal Rule of Civil Procedure 12(b)(6)
Rule 8(a) of the Federal Rules of Civil Procedure requires a complaint to include “a short
and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a).
A complaint that fails to meet this standard may be dismissed pursuant to Federal Rule of Civil
Procedure 12(b)(6). Rule 8(a) requires a plaintiff to plead “enough facts to state a claim to relief
that is plausible on its face.”
Bell Atlantic Corp. v. Twombly
,
The Court, however, need not accept as true allegations contradicted by judicially
noticeable facts,
see Shwarz v. United States
,
B. Leave to Amend
If the Court determines that a complaint should be dismissed, it must then decide whether
to grant leave to amend. Under Rule 15(a) of the Federal Rules of Civil Procedure, leave to amend
“shall be freely given when justice so requires,” bearing in mind “the underlying purpose of Rule
15 to facilitate decisions on the merits, rather than on the pleadings or technicalities.”
Lopez v.
Smith
,
In the instant motion, Google first contends that Plaintiffs’ claims should be dismissed because Plaintiffs and the websites consented to Google’s receipt of the data. Mot. at 9–13. Google later argues that Plaintiffs’ claims should be dismissed under the statutes of limitations. . at 23–25. Google also argues that Plaintiffs have failed to state their claims for additional reasons. . at 13–23. The Court addresses in turn: (1) consent; (2) the statutes of limitations; and (3) Google’s other arguments for dismissal.
A. Consent
Google contends that (1) all claims should be dismissed because Plaintiffs consented to Google’s receipt of the data, and (2) Plaintiffs’ Wiretap Act claims should be dismissed because the websites consented to Google’s receipt of the data. . at 9–13. The Court addresses each argument in turn.
1. Google has not shown that Plaintiffs consented.
Consent is a defense to Plaintiffs’ claims.
See
18 U.S.C. § 2511(2)(d) (Wiretap Act)
(providing that it is not “unlawful . . . for a person . . . to intercept a[n] . . . electronic
communication . . . where one of the parties to the communication has given prior consent to such
interception”); Cal. Pen. Code §§ 631(a), 632(a) (CIPA) (prohibiting wiretapping and
eavesdropping “without the consent of all parties to the communication”); Cal. Pen. Code §
502(c)(2) (CDAFA) (providing that a person who “knowingly accesses and without permission
takes, copies, or makes use of any data” is guilty of a public offense);
Smith v. Facebook, Inc.
, 262
F. Supp. 3d 943, 955–56 (N.D. Cal. 2017),
aff’d
,
In the instant motion, Google contends that users expressly consented to Google’s alleged
data collection while they were in private browsing mode. Mot. at 10–11. In
In re Google, Inc.
,
this Court rejected a similar argument made by Google.
First, Google cannot demonstrate that Google notified Plaintiffs that Google would engage in the аlleged data collection while Plaintiffs were in private browsing mode. Google argues that Plaintiffs expressly consented to Google’s Terms of Service, which incorporated Google’s Privacy Policy, and Google’s Privacy Policy disclosed that Google would receive the data from its third- party services. Mot. at 10–11. However, Google’s Privacy Policy does not disclose Google’s alleged data collection while Plaintiffs were in private browsing mode. Google’s Privacy Policy provides:
We collect information about the services that you use and how you use them, like when you . . . visit a website that uses our advertising services, or view and interact with our ads and content.
This information includes: . . . device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number. When you use our services or view content provided by Google, we automatically collect and store certain information in server logs, [including] details of how you used our service, such as your search queries . . . Internet protocol address . . . device event information such as . . . the date and time of your request and referral URL [and] cookies that may uniquely identify your browser or your Google Account.
Schapiro Decl. Exh. 1. This general disclosure never mentions private browsing. Nor does it explain that Google collects this data from users in private browsing mode. Google’s Privacy Policy states: Our Privacy Policy explains: • What information we collect and why we collect it. • How we use that information. • The choices we offer, including how to access and update information. . Accordingly, a Google user reading the general disclosure above, which never mentions private browsing mode, might have reasonably concluded that Google does not collect this data from users in private browsing mode.
In addition to Google’s failure to mention private browsing, Google’s representations regarding private browsing present private browsing as a way that users can manage their privacy and omit Google as an entity that can view users’ activity while in private browsing mode. The Court addresses in turn five documents that contain Google’s representations regarding private browsing: (1) the Incognito Splash Screen; (2) the “How private browsing works in Chrome” webpage; (3) the “Search and browse privately” webpage; (4) the Chrome Privacy Notice; and (5) Google’s Privacy Policy.
First, the Incognito Splash Screen appeared to every user each time they enabled Incognito mode, immediately before they began their private browsing session:
FAC ¶ 52.
The Incognito Splash Screen makes three relevant representations regarding private
browsing mode. One, the Incognito Splash Screen omits Google from the list of entities that can
view a user’s activity in private browsing mode: “Your activity might still be visible to: Websites
you visit[;] Your employer or school[;] Your internet service provider.” FAC ¶ 52. Although the
Splash Screen states that websites may be able to see a user’s activity, the Splash Screen does not
state that Google sees a user’s activity. . Based on the omission of Google from the list of
entities that can see a user’s activity, a user might have reasonably concluded that Google would
not see his or her activity. Moreover, the omission of Google from the list of entities “obscure[s]
Google’s intent to engage in such interceptions.”
Two, the Incognito Splash Screen states: “Now you can browse privately, and other people who use this device won’t see your activity[.]” FAC ¶ 52. According to Google, this sentence clarifies that Incognito mode is about privacy from other users of the same device, not privacy from Google. Specifically, Google reads the second phrase of this sentence (“other people who use this device won’t see your activity”) to provide more specification to the first phrase (“Now you can browse privately.”). FAC ¶ 52. However, the Court concludes that a reasonable user could have read the two phrases as being independent of each other: “Now you can browse privately, and other people who use this device won’t see your activity[.]” . (emphasis added). Accordingly, a reasonable user could have read this sentence to state that Incognito mode provided privacy from Google and privacy from other people who use the same device.
Three, the Incognito Splash Screen states “Chrome won’t save . . . [y]our browsing history [or] [c]ookies and site data.” Id . Google argues that this sentence is accurate because, when Google collects the alleged data, Chrome is not storing the data; rather, the user’s browser is transmitting the data to Google’s server. However, the Court concludes that a reasonable user could read this statement to mean that their browsing history and cookies and site data would not be saved. Moreover, the Court notes that a user might reasonably associate Chrome with Google because Chrome is Google’s browser. Second, like the Incognito Splash Screen, the Google webpage entitled “How private browsing works in Chrome” omits Google from the entities to which a user’s private browsing activity may be visible. That webpage discloses that a user’s private browsing activity might be visible to “websites [she] visit[s], including the ads and resources used on those sites .” Schapiro Decl. Exh. 19 (emphasis added). However, this webpage never references Google.
Third, Google’s webpage entitled “Search & browse privately” states: “You’re in control of what information you share with Google when you search. To browse the web privately, you can use private browsing . . . .” Schapiro Decl. Exh. 18. However, Plaintiffs allege that, in reality, users are not in control of what information they share with Google when they use private browsing mode. Rather, Google engages in the alleged data collection regardless of whether users are in private browsing mode.
Fourth, Google’s Chrome Privacy Notice dated June 21, 2016 similarly stated that: “You can limit the information Chrome stores on your system by using incognito mode or guest mode. In these modes, Chrome won’t store certain information, such as: . . . Basic browsing history information like URLs, cached paged text, or IP addresses of pages linked from the websites you visit [and] Snapshots of pages that you visit . . . .” Schapiro Decl. Exh. 17. As with the Incognito Splash Screen, a reasonable user could read this statеment to mean that their browsing history and IP address would not be saved.
Fifth, since May 25, 2018, Google’s Privacy Policy has presented Incognito mode as a way that users can control the information that Google collects: “You can use our services in a variety of ways to manage your privacy. For example, . . . You can . . . choose to browse the web privately using Chrome in Incognito mode. And across our services, you can adjust your privacy settings to control what we collect and how your information is used.” Schapiro Decl. Exh. 8. Google’s Privacy Policy makes clear that “Our services include . . . Products that are integrated into third-party apps and sites, like ads . . . .” Id . However, Plaintiffs allege that, in reality, private browsing does not permit them to manage their privacy or control what Google collects because Google collects this information even when they use private browsing mode. In addition, Plaintiffs’ complaint alleges that Google and its officials made additional statements regarding private browsing. For instance, Plaintiffs allege that, on September 27, 2016, Google’s Director of Product Management Unni Narayana published an article in which he explained that Google was giving users “more control with incognito mode.” FAC ¶ 146. The article stated the following: “Your searches are your business . . . When you have incognito mode turned on in your settings, your search and browsing history will not be saved.” Id . ¶¶ 42, 146. Moreover, Plaintiffs allege that, on May 7, 2019, the New York Times published an opinion article written by Google’s CEO, Sudar Pichai, who explained that Google focuses on “features that make privacy a reality.” . ¶ 146. The article stated: “For example, we recently brought Incognito mode, the popular feature in Chrome that lets you browse the web without linking any activity to you, to YouTube.” . These statements suggest that a user’s activity in private browsing mode is not saved or linked to the user.
Reviewing these disclosures, the Court concludes that Google did not notify users that
Google engages in the alleged data collection while the user is in private browsing mode.
Accordingly, Google cannot show that Plaintiffs expressly consented to Google’s collection of
data while Plaintiffs were in private browsing mode.
See In re Google
,
Second, as to Plaintiffs’ Wiretap Act claim, consent is not a defense where the
“communication is intercepted for the purpose of committing any criminal or tortious act in
violation of the Constitution or laws of the United States or of any State.” 18 U.S.C. § 2511(2)(d).
Under this exception, Plaintiffs must allege that either the “primary motivation or a determining
factor in [the interceptor’s] actions has been to injure plaintiffs tortiously.”
In re Google Inc.,
Gmail Litig
.,
2. Google has not shown that the websites consented. Google next contends that Plaintiffs’ Wiretap Act claims should be dismissed because the websites provided implied consent to Google’s receipt of the data. Mot. at 11–13. The Wiretap Act provides an exception to liability where “one of the parties to the communication has given prior consent to such interception.” 18 U.S.C. § 2511(2)(d). Accordingly, Google contends that the websites impliedly consented to Google’s alleged data collection by embedding Google’s code on their webpages. Mot. at 11–13.
“[A]s ‘the party seeking the benefit of the exception,’ it is Google’s burden to prove
consent.”
Matera v. Google Inc.
,
However, the Court concludes that Google has not met its burden to establish consent
because, even assuming that Google has established that websites generally consented to the
interception of their communications with users, Google does not demonstrate that websites
consented to, or even knew about, the interception оf their communications with users who were
in private browsing mode. Indeed, Google’s own resources for “[s]ite or app owners using Google
Analytics” state that “[t]he Google privacy policy & principles describes how we treat personal
information when you use Google’s products and services, including Google Analytics.” Schapiro
Decl. Exh. 21. Similarly, Google represents to consumers and websites that use Google Ad
Manager that Google will adhere to Google’s Privacy Policy. FAC ¶ 83.
As the Court explained above, neither Google’s Privacy Policy nor any other disclosure to
which Google points states that Google engages in the alleged data collection while users are in
private browsing mode.
See
Section III(A)(1),
supra
. To the contrary, Google’s disclosures
present private browsing as a way users can manage their privacy and omits Google from the list
of entities to which a user’s private browsing activity may be visible.
Id
. Thus, Google has not
provided evidence that websites consented to, or even knew about, the interception of the subset of
their communications that are with users who were in a private browsing mode.
See Pharmatrak
,
Furthermore, as explained above, consent is not a defense to Plaintiffs’ Wiretap Act claim because their communications were allegedly intercepted for the purpose of associating their data with user profiles, which is a criminal or tortious act in viоlation of the Constitution or laws of the United States or of any State. See Section III(A)(1), supra . The Court thus rejects Google’s consent-based arguments.
B. Statutes of Limitations
Google next argues that Plaintiffs’ complaint should be dismissed because each of
Plaintiffs’ claims exceed the applicable statutes of limitations. Mot. at 23–25. “A claim may be
dismissed under Rule 12(b)(6) on the ground that it is barred by the applicable statute of
limitations only when ‘the running of the statute is apparent on the face of the complaint.’”
Von
Saher v. Norton Simon Museum of Art at Pasadena
,
Google contends that Plaintiffs’ claims are barrеd by the applicable statutes of limitations because Plaintiffs allege that Google has been intercepting their communications since June 1, 2016—over four years before Plaintiffs filed their complaint on June 2, 2020. Mot. at 23. The Court concludes that Plaintiffs’ complaint is timely for two reasons. First, each interception is a separate violation, and Plaintiffs allege that Google intercepted their communications between February 28, 2020 and May 31, 2020, just months or weeks before Plaintiffs’ complaint was filed. Second, the fraudulent concealment doctrine tolled the statutes of limitations. The Court addresses each issue in turn.
1. Each interception is a separate violation.
First, the Ninth Circuit and California Supreme Court have held that separate, recurring
invasions of the same right each trigger their own separate statute of limitations. The Ninth Circuit
has held that, for Wiretap Act claims, “each interception is a discrete violation” with its own
statute of limitations.
Bliss v. CoreCivic, Inc.
,
In the instant case, Plaintiffs allege that Google engaged in interceptions of their communications between February 28, 2020 and May 31, 2020. FAC ¶¶ 168, 173, 178, 183, 188. Plaintiffs filed their complaint on June 2, 2020. ECF No. 1. Because Google’s alleged interceptions took place just months or days before Plaintiffs filed their complaint, Plaintiffs’ claims are not barred by the statutes of limitations.
2. The statutes of limitations were tolled by the fraudulent concealment doctrine.
“The purpose of the fraudulent concealment doctrine is to prevent a defendant from
‘concealing a fraud . . . until such a time as the party committing the fraud could plead the statute
of limitations to protect it.’”
In re Animation Workers Antitrust Litig.
,
“To plead fraudulent concealment, the plaintiff must allege that: (1) the defendant took
affirmative acts to mislead the plaintiff; (2) the plaintiff did not have ‘actual or constructive
knowledge оf the facts giving rise to its claim’; and (3) the plaintiff acted diligently in trying to
uncover the facts giving rise to its claim.” . (quoting
Hexcel
,
First, Plaintiffs have alleged that Google took affirmative acts to mislead Plaintiffs. As
explained above, Google’s representations regarding private browsing specifically omitted Google
from the entities that could see a user’s private browsing activity and presented private browsing
as a way that users could maintain their privacy and control what Google collects.
See
Section
III(A)(1),
supra
. Accordingly, Google’s representations regarding private browsing “obscure[d]
Google’s intent to engage in such interceptions.”
In re Google
,
Second, Plaintiffs have alleged that they did not have adequate or constructive notice of
their claims. “[T]he question of constructive knowledge and inquiry notice generally ‘presents a
question for the trier of fact.’”
In re Animation Workers
,
Because each of Google’s interception is a separate violation and because the statutes of limitations were tolled under the fraudulent concealment doctrine, the Court DENIES Google’s motion to dismiss Plaintiffs’ claims based on the statutes of limitations.
C. Other Arguments for Dismissal
Finally, Google makes additional arguments that Plaintiffs have failed to state each of their claims. Mot. at 13–23. The Court addresses the following claims in turn: (1) unauthorized interception under the Wiretap Act; (2) CIPA; (3) CDAFA; and (4) intrusion upon seclusion and invasion of privacy.
1. Plaintiffs have stated a claim for unauthorized interception under the Wiretap Act.
The Wiretap Act, as amended by the Electronic Communications Privacy Act (“ECPA”), generally prohibits the interception of “wire, oral, or electronic communications.” 18 U.S.C. § 2511(1). Specifically, the Wiretap Act provides a private right of action against any person who “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic сommunication.” 18 U.S.C. § 2511(1)(a); see id. § 2520 (providing a private right of action for violations of § 2511). The Act defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” Id. § 2510(4). 16 Plaintiffs allege that Google violated the Wiretap Act by intercepting internet 17 communications that Plaintiffs were sending and receiving while they were browsing the internet 18
in private browsing mode. FAC ¶¶ 206, 207, 208. Google contends that Plaintiffs have not stated a 19
Wiretap Act claim because its alleged interceptions fall within the Wiretap Act’s ordinary course 20 of business exception to liability. Mot. at 13–14. Under that exception, “any telephone or 21 telegraph instrument, equipment or facility, or any component thereof . . . being used by a provider 22 of wire or electronic communication service in the ordinary course of its business” is not a 23 “device,” and the use of such an instrument accordingly falls outside of the definition of 24 “intercept.” 18 U.S.C. § 2510(5)(a)(ii).
25
However, Google’s argument is unpersuasive for two reasons. First, Google has not shown 26
that its interception facilitates or is incidental to the transmission of the communication at issue.
27
Second, Plaintiffs have alleged that Google violated its own internal policies. The Court addresses each reason in turn.
First, Google has not shown that its interception facilitates or is incidental to the
transmission of the communication at issue. “[T]he ordinary course of business exception is
narrow . . . . and offers protection from liability only where an electronic cоmmunication service
provider’s interception facilitates the transmission of
the communication at issue
or is incidental to
the transmission of such communication.”
In re Google
,
browser sends a GET request to the website’s server, which “tells the website what information is
being requested and then instructs the website to send the information to the user.” FAC ¶ 63.
Plaintiffs further allege that Google’s code causes the user’s browser to send a duplicate GET
request from the user’s computer to Google’s servers, which “enables Google to learn exactly
what content the user’s browsing software was asking the website to display” and “transmits a . . .
header containing the URL information of what the user has been viewing and requesting from
websites online.” . ¶¶ 63, 65. Sending a duplicate GET request to Google neither facilitates nor
is incidental to the transmission of “the communication at issue,” which is the communication that
Plaintiffs allege was intercepted — in this case, the communication between the user’s computer
and the website.
In re Google
,
In an attempt to refute this conclusion, Google contends that the ordinary course of
business exception applies because there is a “nexus between the need to engage in the alleged
interception and . . . the ability to provide the underlying service or good.”
In re Google
, 2013 WL
5423918, at *11. In making this argument, Google contends that the “‘underlying service or good’
. . . in this case is [Google’s] analytics and ad services,” not the communication between the user’s
computer and the website. Mot. at 13. However, “the communication at issue” is the allegedly
intercepted communication, which, in this case, is the communication between the user’s
computer and the website.
In re Google
,
2. Plaintiffs have stated a CIPA claim.
Plaintiffs bring claims under Sections 631 and 632 of the CIPA. Section 631 prohibits the unauthorized interception of “any message, report or communication.” See Cal. Penal Code § 631(a). Section 632 prohibits the interception of any “confidential communication.” . § 632(a). Google does not argue that the Section 631 claim is subject to dismissal, except based on the consent arguments that the Court has addressed above. See Section III(A), supra .
Instead, Google contends that Plaintiffs cannot state a Section 632 claim because the
communications at issue in this case were not confidential. Mot. at 14–15. A communication is
confidential under Section 632 if a party “has an objectively reasonable expectation that the
conversation is not being overheard or recorded.”
Flanagan v. Flanagan
,
on authority stemming from California appellate courts. “California appeals courts have generally
found that Internet-based communications are not ‘confidential’ within the meaning of [S]ection
632, because such communications can easily be shared by . . . the recipient(s) of the
communications.”
Campbell v. Facebook, Inc
.,
Relying on
Nakai
, some cases have held that other Internet messaging services or emails
are not confidential under Section 632. For example, in
In re Google
, this Court concluded that
email communications were not confidential under Section 632 because “email services are by
their very nature recorded on the computer of at least the recipient, who may then easily transmit
thе communication to anyone else who has access to the internet or print the communications.”
Second, unlike Nakai , where Yahoo’s policies disclosed that the messages could be shared, Google’s policies did not indicate that data would be collected from users in private browsing mode and shared with Google. See Section III(A)(1), supra . Because the Court concludes that Nakai and In re Google are distinguishable from the instant case, the Court concludes that the communications at issue in this case were confidential. [5] Accordingly, the Court DENIES Google’s motion to dismiss Plaintiffs’ CIPA claim.
3. Plaintiffs have stated a CDAFA claim.
CDAFA [6] imposes liability on any person who “[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.” Cal. Penal Code § 502(c)(2).
Plaintiffs allege that Google violated CDAFA “by knowingly accessing and without
permission taking, copying, analyzing, and using Plaintiffs’ and Class members’ data.” FAC ¶
232. Google contends that this claim should be dismissed because Plaintiffs fail to plausibly allege
that Google’s Analytics and Ad Manager code circumvented any barrier for Google to receive the
data. Mot. at 16.
[7]
However, courts have held that plaintiffs can state a CDAFA claim where a software
system “was designed in such a way to render ineffective any barriers that [the plaintiffs] must
wish to use to prevent access to their information.”
Brodsky v. Apple, Inc.
,
For example, another court in this district concluded that the plaintiffs had stated a
CDAFA claim about “hidden” software that transmitted data without notice and without providing
an opportunity to opt out of its functionality.
See In re Carrier IQ
,
4. Plaintiffs have stated claims for intrusion upon seclusion and invasion of privacy.
“To state a claim for intrusion upon seclusion under California common law, a plaintiff
must plead that (1) a defendant ‘intentionally intrude[d] into a place, conversation, or matter as to
which the plaintiff has a reasonable expectation of privacy[,]’ and (2) the intrusion ‘occur[red] in a
manner highly offensive to a reasonable person.”
Facebook Tracking
,
a. Plaintiffs have adequately alleged that they had a reasonable expectation of privacy. To meet the first element, the plaintiff must have had an “objectively reasonable
expectation of seclusion or solitude in the place, conversation, or data source.”
Shulman v. Group
W. Prods., Inc.
,
The Ninth Circuit concluded that the plaintiffs had adequately pleaded that they had a
reasonable expectation of privacy based on: (1) the amount of the data collected, the sensitivity of
the data collected, and the nature of the data collection, and (2) Facebook’s representations to
users.
Facebook Tracking
,
The Ninth Circuit assessed the amount of the data collected, the sensitivity of the data collected, and the nature of the data collection. Id . at 603. The Ninth Circuit concluded that “the amount of data allegedly collected was significant”; Plaintiffs alleged that “Facebook obtained a comprehensive browsing history of an individual” and “then correlated that history with the time of day and other user actions on the websites visited,” resulting in “an enormous amount of individualized data.” Id . Additionally, the Ninth Circuit emphasized that some of the alleged data collected was sensitive, such as information about a user’s visits to sensitive websites. Id . Finally, the Ninth Circuit found it significant “[t]hat this amount of information can be easily collected without user knowledge.” Id .
In addition, the Ninth Circuit examined Facebook’s representations to users. Id . According to the Ninth Circuit, “Plaintiffs . . . plausibly alleged that an individual reading Facebook’s promise to ‘make important privacy disclosures’ could have reasonably concluded that the basics of Facebook’s tracking—when, why, and how it tracks user information—would be provided.” Id . However, “Facebook’s privacy disclosures at the time allegedly failed to acknowledge its tracking of logged-out users, suggesting that users’ information would not be tracked.” Id . Accordingly, “Plaintiffs . . . plausibly alleged that, upon reading Facebook’s statements in the applicable Data Use Policy, a user might assume that only logged-in user data would be collected.” Id .
Other cases have come to similar conclusions. For example, in
Google Cookie
, the Third
Circuit considered whether the plaintiffs had stated intrusion upon seclusion and invasion of
privacy claims under California law.
Similarly, in In re Nickelodeon Consumer Privacy Litigation , the Third Circuit considered whether the plaintiffs had stated a claim for intrusion upon seclusion under New Jersey law. 27 F.3d 262, 293–94 (3d. Cir. 2016). The plaintiffs alleged that Nickelodeon had placed cookies on users’ browsers despite promising that it would not collect information from the users of its website. . The Third Circuit held that users had a reasonable expectation of privacy when Nickelodeon promised that it would not collect information from users of its website, but then did. .
In the instant case, Court concludes that Plaintiffs have adequately alleged that they had a reasonable expectation of privacy in the data allegedly collected for two reasons. First, the amount of data collected, the sensitivity of the data collected, and the nature of the data collection demonstrate that Plaintiffs have a reasonable expectation of privacy. Second, based on Google’s representations regarding private browsing, Plaintiffs could have reasonably assumed that Google would not receive their data while they were in private browsing mode. The Court discusses each reason in turn. First, Plaintiffs have adequately alleged that they had a reasonable expectation of privacy based on the amount of data collected, the sensitivity of the data collected, and the nature of the data collection. Indeed, the instant case involves the same data and the same process by which the data was collected as Facebook Tracking . Compare id . at 607 (describing how Facebook’s code directs the user’s browser to copy the referrer header and sends a duplicate request to Facebook) with FAC ¶ 63 (describing how Google’s code directs the user’s browser to send a duplicate request to Google). Even Google acknowledges the similarities between the two cases. See Tr. of Feb. 25, 2021 Hearing at 9:16–21, ECF No. 104 (The Court: “Let me ask Google’s counsel, do you agree that the data [at] issue in this case is the same as the data at issue in Facebook Tracking like Plaintiffs’ counsel just said?” Counsel: “Yes, much of the - - I would say yes, most of the data, probably all of it, is the same if we take [Plaintiffs] at their word for what we’ve just heard from [Plaintiff’s counsel].”).
The amount of data collected, the sensitivity of the data collected, and the nature of the data collection demonstrate that Plaintiffs had a reasonable expectation of privacy. Like in Facebook Tracking , Plaintiffs allege that the amount of data collected was vast. See FAC ¶ 8 (alleging that “[m]ore than 70% of all online рublishers (websites) use one or more of [the] Google services” that collect data); id . ¶ 93 (alleging that “Google has gained a complete, cradle- to-grave profile of users”). Moreover, Plaintiffs’ allegations regarding the sensitivity of the data collected are arguably even stronger in the instant case than in Facebook Tracking . Indeed, the instant case concerns data collected by users in private browsing mode, which users often enable in order to visit especially sensitive websites. . ¶ 162 (“Users of the Internet enable ‘private browsing mode’ for the purpose of preventing others . . . from finding out what the users are viewing on the Internet. For example, users’ Internet activity, while in ‘private browsing mode,’ may reveal: a user’s dating history, a user’s sexual interests and/or orientation, a user’s political or religious views, a user’s travel plans, a user’s private plans for the future (e.g., purchasing of an engagement ring).”). Finally, like in Facebook Tracking , Plaintiffs allege that a vast amount of data was collected secretly, without any notice to users. . ¶¶ 63 (describing how “Google’s software scripts on the website surreptitiously direct the user’s browser to send a secret, separate message to Google’s servers”); 87 (describing how “Google’s secret Javascript code” causes duplicate GET requests to be sent).
Second, like the plaintiffs in Facebook Tracking , Plaintiffs in the instant case could have reasonably assumed that Google would not receive their data while they were in private browsing mode based on Google’s representations. Since May 25, 2018, Google’s Privacy Policy itself has presented private browsing as a way that users can manage their privacy: “You can use our services in a variety of ways to manage your privacy. For example, . . . [y]ou can . . . choose to browse the web privately using Chrome in Incognito mode. And across our services, you can adjust your privacy settings to control what we collect and how your information is used.” Schapiro Decl. Exh. 8. Similarly, the Incognito Splash Screen states: “You’ve gone incognito[.] Now you can browse privately, and other people who use this device won’t see your activity[.]” FAC ¶ 52. Furthermore, on the Incognito Splash Screen and in other webpages, Google discloses that a user’s activity in private browsing might be visible to certain entities, but Google does not identify itself as an entity to which a user’s activity might be visible. Schapiro Decl. Exh. 19; FAC ¶ 52.
Despite the similarities between Facebook Tracking and the instant case, Google attempts to distinguish Facebook Tracking on two grounds. First, Google contends that Plaintiffs in the instant case consented to the alleged data collection. Second, Google contends that Plaintiffs have not adequately alleged that Google is associating data with personal profiles. Both arguments are unpersuasive.
First, Google contends that, unlike the plaintiffs in
Facebook Tracking
, Plaintiffs in the
instant case consented to the alleged data collection. However, as the Court explained above,
Plaintiffs did not consent to the alleged data collection.
See
Section III(A)(1),
supra
. Rather than
disclosing the alleged data collection to users, Google made representations that could suggest to a
reasonable user that the data would not be shared with Google while the user was in private
browsing mode. .
Second, Google argues that, unlike in
Facebook Tracking
, Plaintiffs here have not
adequately alleged that Google is associating data with personal рrofiles. However, like the
Plaintiffs in
Facebook Tracking
, Plaintiffs have alleged that Google “obtained a comprehensive
browsing history of an individual, no matter how sensitive the websites visited.”
6 b. Plaintiffs have adequately alleged that the alleged intrusion was highly
offensive.
7
“Determining whether a defendant’s actions were ‘highly offensive to a reasonable person’ 8
requires a holistic consideration of factors such as the likelihood of serious harm to the victim, the 9 degree and setting of the intrusion, the intruder’s motives and objectives, and whether
10
countervailing interests or social norms render the intrusion inoffensive.”
Facebook Tracking
, 956
F.3d at 606 (quoting
Hernandez
,
As explained above, Plaintiffs in this case allege that Google was surreptitiously collecting the same type of data through the same process that was at issue in Facebook Tracking . See Section III(C)(4)(a), supra . Furthermore, Plaintiffs in the instant case have an even stronger argument that Google’s intrusion was highly offensive because, at the time Google collected the data, they were using private browsing mode, which is often used to prevent others from learning the user’s most private and personal interests. FAC ¶ 162 (“Users of the Internet enable ‘private browsing mode’ for the purpose of preventing others . . . from finding out what the users are viewing on the Internet. For example, users’ Internet activity, while in ‘private browsing mode,’ may reveal: a user’s dating history, a user’s sexuаl interests and/or orientation, a user’s political or religious views, a user’s travel plans, a user’s private plans for the future (e.g., purchasing of an engagement ring).”).
Moreover, as explained above, Google’s representations regarding private browsing mode
could have led users to assume that Google would not view their activity while in private
browsing mode.
See
Section III(A)(1),
supra
. Furthermore, like the plaintiffs in
Facebook
Tracking
, Plaintiffs also allege that internal Google communications show that the company’s
employees recognized that its privacy disclosures were problematic. FAC ¶ 36 (alleging that
“Google’s employees made numerous admissions in internal communications, recognizing that
Google’s privacy disclosures are a ‘mess’ with regards to obtaining ‘consent’ for its data
collection practices and other issues relevant in this lawsuit”).
Google argues that its conduct is not “highly offensive” because its interceptions “served a
legitimate commercial purpose.” Mot. at 22. However, whether an intrusion is highly offensive
requires a holistic consideration of a multitude of factors, only one of which is the “countervailing
interests . . . [that] render the intrusion inoffensive,” such as the intrusion’s commercial purpose.
See Facebook Tracking
,
Thus, Plaintiffs have alleged sufficient facts to survive a motion to dismiss on the issue of whether the intrusion was highly offensive. Accordingly, Plaintiffs have stated intrusion upon seclusion and invasion of privacy claims. Therefore, the Court DENIES Google’s motion to dismiss these claims.
IV. CONCLUSION
For the foregoing reasons, the Court DENIES Google’s motion to dismiss.
IT IS SO ORDERED.
Dated: March 12, 2021 ___________________________________ LUCY H. KOH United States District Judge
Notes
[1] Other courts have similarly described the process by which duplicate GET requests are sent to
servers.
See In re Facebook, Inc. Internet Tracking Litigation
,
[2] Cookies are “small text files stored on the user’s device.”
Facebook Tracking
,
[3] At the hearing on Google’s motion to dismiss, the Court asked the parties to identify the key 25 documents for this motion. Tr. of Feb. 25, 2021 Hearing at 12:23–13:03, ECF No. 104. The parties directed the Court’s attention to eight documents, five of which are relevant to the representations 26 Google made to users regarding private browsing and data collection. . at 15:10–14. 27 Accordingly, the Court focuses on these documents.
[4] Plaintiffs allege that, after they filed the instant case, Google launched a “Consent Mode” for Google Analytics and Google Ad Manager, “which would help Websites identify whether a 26 particular user . . . knows and has consented to the use of Google Analytics and other Google 27 services, in ‘Beta’ or testing mode.” FAC ¶¶ 73, 140.
18 17
[5] “clicks” on clothing items were not confidential communications.
[6] The CDAFA is also sometimes referred to as the California Computer Crime Law (CCCL).
See
Brodsky
,
[7] In response to Google’s argument, Plaintiffs argue that there is no circumvention requirement. In
22
making this argument, Plaintiffs rely on the Ninth Circuit’s decision in
United States v.
23
Christensen
, which concluded that the “term ‘access’ as defined in the [CDAFA] includes logging
into a database with a valid password and subsequently taking, copying, or using the information
24
in the database improperly. Otherwise, the words ‘without permission’ would be redundant, since
by definition hackers lack permission to access a database.”