Posted In: Business Transactions & Corporate Counseling, Cybersecurity & Data Privacy & Cybersecurity & Data Privacy
By Jarman J. Smith on June 9, 2021
Technology giant, Google, is struggling to separate itself from yet another high-stakes privacy lawsuit.1 Although Google is also defending itself against other privacy lawsuits focused on Google Analytics and Google Chrome’s “incognito mode,” the instant lawsuit concerns privacy breaches related to confusion around Google’s consumer data processes and the alleged misuse of consumer data in violation of California privacy laws.
The Privacy Breach Lawsuit
The class action suit filed by Google’s mobile app users, Anibal Rodriguez and JulieAnna Muniz, claims that Google secretly tracks users’ activity across the web, even if the users have the setting for “Web & App Activity” tracking turned off or avoid using Google-branded devices and apps entirely. The suit alleges that the software responsible for the improper collection of consumer data, Google’s Analytics for Firebase, is integrated into hundreds of thousands of smartphone apps, including Lyft, Alibaba, and the New York Times mobile application.
Although Google argues that its users were aware of and consented to app developers sharing user information with it, Judge Seeborg of the United States District Court of the Northern District of California found that the plaintiffs have made a plausible argument for why they believed that turning off the “Web & App Activity” tracking setting would stop their personal information from being collected by the Firebase software. Thus, Judge Seeborg kept the lawsuit alive in finding that “on the pleadings, [the] plaintiffs did not consent to the practice they now challenge.”2 The Judge also acknowledged the bewildering nature of Google’s communication regarding its data processes, stating that the public cannot be blamed for being confused by “a company’s public-facing statements that are legitimately confusing.”3
Despite Judge Seeborg’s decision to keep the suit alive, the court did dismiss the plaintiffs’ claims that Google breached the federal Wiretap Act, by finding that the company’s alleged interceptions of data occurred with the third-party app developer’s consent. The court also dismissed claims that Google’s alleged practices violated the Unfair Competition Law of California, by finding that the app users had not made a plausible claim of damages since they did not claim to have lost money or property as a result of Google’s practices.
The Problematic Firebase Software
The privacy lawsuit claims that Google conducts illegal data collection practices through its Firebase database software. Firebase, which is popular amongst third-party app developers, is used by Google for storing data, delivering notifications and ads, and tracking glitches. However, Google also uses Firebase data to improve its products and personalize advertising content in violation of its users’ privacy rights. The process of tracking user data through Firebase takes place silently without users’ or even app developers’ knowledge. Even when consumers follow Google’s official privacy control instructions and turn off app tracking, Google continues to collect consumers’ app usage, app browsing communications and personal information.4 This may be found to be a violation of Google users’ privacy rights because, if taken as true, Google is collecting and monetizing personal consumer information without consent.
Implications of the Lawsuit
This privacy lawsuit contains serious allegations that have the potential to affect more consumers who use other apps developed using the Firebase software. Consequently, this lawsuit could be the first of many more claims to come against the owners, operators, and developers of such applications. Essentially, any app developer who promised to safeguard its users’ privacy without realizing that its apps were leaking personal consumer data to Google through covert app tracking methods may be affected by the outcome of this case.
Considering that Google has been trying to convince the public for years that it has not engaged in illegal tracking, the outcome of this privacy lawsuit may undermine the public trust of the company even more so. Additionally, U.S. antitrust investigators are also looking into whether Google has unlawfully stifled competition in advertising by effectively making the Firebase software unavoidable for many app developers. Thus, we can expect a major shift in the app developer space as this case and the antitrust investigation unfold.
Google’s recent legal troubles should serve as a clear warning to organizations everywhere that collect and process consumer data themselves and to those who contract with other parties who collect, process, store, or transfer any such data. The privacy rights of the consumer are expanding rapidly, meaning organizations must take responsibility for their data processes and ensure that they are fully aware of how data flows throughout their operations so that they can adequately safeguard consumer privacy. Overlooking these privacy rights or failing to account for your organization’s data processes and data sharing practices could result in substantial financial woes for your organization or business in the form of legal expenses and potential fines. Thus, it is best practice to be progressive in your cybersecurity efforts and to be advised on applicable data privacy regulations.
How Brouse Can Help
Privacy regulations are complex pieces of work; therefore, it is difficult for organizations to understand these regulations and implement the policies needed to avoid privacy lawsuits and penalties for noncompliance. Brouse McDowell’s Cybersecurity and Data Privacy team can provide the guidance and tools you need to develop an understanding of basic privacy law principles and to become compliant with regulations like CCPA. Along with providing general guidance through the complexities of data privacy laws and regulations, we also provide proactive solutions for companies to defend against cyber-attacks. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
1 Anibal Rodriguez et al. v. Google LLC et al., case number 3:20-cv-04688 (U.S. District Court for the Northern District of California).
4 Alleged claim under the Anibal case.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2021 Brouse McDowell. All rights reserved.