1 2 3 4 5 6 7 UNITED STATES DISTRICT COURT 8 NORTHERN DISTRICT OF CALIFORNIA 9 ANIBAL RODRIGUEZ, et al., 10 Case No. 20-cv-04688-RS Plaintiffs, 11 v. ORDER DENYING GOOGLE’S 12 MOTION FOR SUMMARY GOOGLE LLC, JUDGMENT 13 Defendant. 14
15 I. INTRODUCTION 16 This is a privacy class action brought against Google LLC (“Google”). Plaintiffs are 17 members of two sub-classes, comprising individuals with Android and non-Android mobile 18 devices who had certain privacy-related settings switched off in their Google accounts. In the 19 Fourth Amended Complaint (“FAC”), Plaintiffs aver that Google contravened its user-facing 20 privacy representations regarding its Web App and Activity (“WAA”) and supplemental Web App 21 and Activity (“(s)WAA”) settings, advancing three California claims: invasion of privacy under 22 the California Constitution, common law intrusion upon seclusion, and violation of the 23 Comprehensive Computer Data Access and Fraud Act (“CDAFA”). Google moves for summary 24 judgment on all claims advanced by Plaintiffs in the FAC. For the reasons set forth herein, 25 Google’s motion is denied. 26 II. BACKGROUND 27 A. WAA and (s)WAA settings 1 (s)WAA setting. The WAA button is a Google account setting that purports to give users privacy 2 control of Google’s data logging of the user’s web app and activity, such as a user’s searches and 3 activity from other Google services, information associated with the user’s activity, and 4 information about the user’s location and device. The (s)WAA button, which can only be switched 5 on if WAA is also switched on, governs information regarding a user’s “[Google] Chrome history 6 and activity from sites, apps, and devices that use Google services.” Disabling WAA also disables 7 the (s)WAA button. 8 B. Google Analytics for Firebase 9 To aid third-party app developers, Google created software development kits, including 10 Firebase and Google Mobile Ads (“GMA”). These kits are incorporated into apps by third-party 11 app developers and allow Google to collect user data, including data regarding required fixes or 12 updates. If an app developer seeks information about their app users’ interactions with ads, they 13 can use Google Analytics for Firebase (“GA4F”). GA4F is a free analytical tool that takes user 14 data from the Firebase kit and provides app developers with insight on app usage and user 15 engagement. It is integrated in 60% of the top apps. Dkt. 361-58, Expert Report of Johnathan E. 16 Hochman (“Hochman Rep.”) ¶ 2. Functionally, GA4F works by automatically sending to Google 17 a user’s ad interactions and certain identifiers regardless of a user’s (s)WAA settings, and Google 18 will, in turn, provide analysis of that data back to the app developer. GMA logs similar ad-related 19 interactions. 20 Developers can customize their usage of GA4F to receive information uniquely helpful for 21 their app development purposes and must obtain consent from end users to use GA4F. Google 22 argues that its sole purpose for collecting (s)WAA-off data is to provide these analytic services to 23 app developers. This data, per Google, consists only of non-personally identifiable information 24 and is unrelated (or, at least, not directly related) to any profit-making objectives. 25 GA4F specifically allows app developers to track what Google coins “attributions” and 26 “conversions.” Attribution/Conversion Tracking permits Google to “(1) log the fact that it has 27 served an ad alongside a device identifier for accounting purposes, and (2) attribute conversion 1 events to those ad serving records.” Google argues that its practice of Attribution/Conversion 2 Tracking does not harm users and instead involves the sharing of just critical pieces of 3 information, namely which device triggered the conversion event, which app sent Google the 4 information, and “other similar pieces of information.”1 5 C. Pseudonymous data 6 When a user toggles (s)WAA off, Google purports to treat their data as “pseudonymous.”2 7 Google creates a randomly-generated identifier when logging a (s)WAA-off user’s analytics and 8 ads data. This identifier permits Google to recognize the particular device and its later ad-related 9 behavior. On Android, the identifier is labeled ad ID (“ADID”) and on iOS it is referred to as 10 Identifier for Advertiser (“IDFA”). Through its software development kits, Google collects ADID 11 or IDFA for Google’s Attribution/Conversion Tracking purposes. 12 Another identifier that is capable of being saved by Google through GA4F is the Google 13 Accounts and ID Administration ID (“GAIA ID”). The “GAIA ID uniquely identifies a Google 14 account holder”—in other words, it links data collected to a specific user’s Google account. 15 Hochman Rep. ¶ 109. Google insists that it has created technical barriers to ensure, for (s)WAA- 16 off users, that pseudonymous data is delinked to a user’s identity by first performing a “consent 17 check” to determine a user’s (s)WAA settings. Specifically, GA4F logs the device’s ads 18 personalization opt-out settings. If that check yields a (s)WAA-off result, that data is logged in the 19 “pseudonymous space” that does not contain GAIA IDs, as those correspond to a user’s Google 20 account. When this “consent check” is performed, the retrieved device IDs are encrypted. 21
22 1 As an example, Google provides that “while a conversion event could be called 23 ‘in_app_purchase,’ and it could contain for the app developer pseudonymous information about what the device purchased, for Google’s attribution purposes, it is just the fact that the event 24 occurred that is logged and later used to connect an ad click at Time 1 with a purchase at Time 2.” Google’s Motion for Summary Judgment (“Google’s Mot.”) at 10-11. 25 2 Google uses the term “pseudonymous” throughout its motion to describe its treatment of the data 26 it collects from (s)WAA-off users. It is not entirely clear what Google intends to denote by use of this term, but it seems to suggest the replacement of identifiable information with a contrived 27 identifier. 1 Likewise, the “GAIA-keyed” space contains no identifiers that would be in the pseudonymous log. 2 Where there is overlap, Google encrypts that data and throws away the decryption key after six 3 days. Google’s employees are also purportedly prohibited from “joining” pseudonymous and 4 identifiable data based on internal policies. In other words, per Google, pseudonymous and 5 identifiable data are kept separate. 6 D. Google’s disclosures 7 Google insists that users knew and consented to its tracking practices. Relying on the 8 WAA and (s)WAA disclosures, the Google Privacy Policy (“PP”), and language in Google’s 9 Privacy Portal, Google contends that it disclosed adequately the contours of the WAA and 10 (s)WAA buttons. Specifically, it argues that users knew the WAA and (s)WAA settings controlled 11 only whether a user’s web app and activity was linked to their “personal information,” which it 12 contends is synonymous with information “saved into [the user’s] Google Account” and that those 13 settings do not cover non-personally identifiable information (“non-PII”). 14 First, Google points to the language surrounding the WAA and (s)WAA buttons. The 15 WAA setting is located in a Google account’s page. The subheading for 16 states that a user may “[c]hoose the activities and info [a user] allow[s] 17 Google to save” on that page. On the actual page, where WAA is an available 18 setting for a user to toggle on or off, Google indicates that a user may “[c]hoose which settings 19 will save data in your Google Account.” Scrolling lower, the specific language surrounding the 20 WAA button states that switching it on “[s]aves your activity on Google sites and apps, including 21 associated location, to give you faster searches, better recommendations, and more personalized 22 experiences in…[various] Google services.” Finally, (s)WAA, which can only be turned on if 23 WAA is also on, “[i]ncludes Chrome history and activity from sites, apps, and devices that use 24 Google services.” Based on the subheading on the page, Google argues that a 25 user would know turning (s)WAA on or off controlled only whether Google could save certain 26 information “to a user’s Google account.” 27 In support of this interpretation of the phrase “saved to your Google account,” Google 1 points to language in its PP. The PP states that when a user signs up for a Google Account, Google 2 may “ask for personal information, like your name, email address, telephone number, or credit 3 card to store with your account.” Google’s Mot. Appx. A-7 at 4. Elsewhere, Google’s PP defines 4 “personal information” as “information which you provide to us which personally identifies you, 5 such as your name, email address, or billing information, or other data which can be reasonably 6 linked to such information by Google, such as information with your Google account.” Id. at 57. 7 Non-PII is defined as “information that is recorded about users so that it no longer reflects or 8 references an individually identifiable user.” Id. The PP further explains that depending on a user’s 9 account settings, the user’s “activity on other sites and apps may be associated with your personal 10 information” and Google may still “share [non-PII] publicly and with our partners.” Id. at 6-7, 11. 11 In other words, based on Google’s PP and the WAA and (s)WAA disclosures, Google contends 12 that users should have known that any app activity data shared with third-party developers through 13 GA4F was not covered by the WAA and (s)WAA settings because those settings controlled only 14 whether the data was saved in a user’s account. 15 E. The central dispute 16 While Google paints its practice of tracking attributions and conversion via GA4F as basic 17 record-keeping, Plaintiffs view it as considerably less innocuous than Google portrays. This 18 tracking, in Plaintiffs’ view, contravenes Google’s (s)WAA representations to users because it 19 gathers exactly the data Google denies saving and collecting about (s)WAA-off users. Moreover, 20 Plaintiffs insist that Google’s practices allow it to personalize ads by linking user ad interactions to 21 any later related behavior—information advertisers are likely to find valuable—leading to 22 Google’s lucrative advertising enterprise built, in part, on (s)WAA-off data unlawfully retrieved. 23 Accordingly, Plaintiffs contend, Google should be disgorged of all its profits derived from serving 24 any ads to (s)WAA-off users. 25 For its part, Google denies that any (s)WAA-off data is saved to a user’s marketing profile, 26 which precludes it from personalizing advertising to a WAA-off user. Instead, Google insists that 27 it engages simply in unharmful and basic record-keeping of “pseudonymous” data for (s)WAA-off 1 users, intended to be shared with only developers through GA4F for their own analysis. 2 III. LEGAL STANDARD 3 Summary judgment is appropriate if the pleadings, discovery, and affidavits show “that 4 there is no genuine dispute as to any material fact and the movant is entitled to judgment as a 5 matter of law.” Fed. R. Civ. P. 56(a). A genuine issue of material fact is one that could reasonably 6 be resolved in favor of the nonmoving party, and which could “affect the outcome of the suit.” 7 Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). The party moving for summary 8 judgment bears the burden of proof to “make a showing sufficient to establish…the existence of 9 an element essential to that party’s case.” Celotex Corp. v. Catrett, 477 U.S. 317 (1986). If the 10 movant succeeds in demonstrating the absence of a genuine issue of material fact, the burden then 11 shifts to the nonmoving party to “set forth specific facts showing that there is a genuine issue for 12 trial.” Id. at 322 n.3; see also Fed. R. Civ. P. 56(c)(1)(B). Evidence must be viewed in the light 13 most favorable to the nonmoving party and all justifiable inferences must be drawn in its favor. 14 See Anderson, 477 U.S. at 255. It is not the task of the court to scour the record in search of a 15 genuine issue of triable fact. Keenan v. Allan, 91 F.3d 1275, 1279 (9th Cir. 1996) (citation 16 omitted). Additionally, the non-moving party has the burden of identifying, with reasonable 17 particularity, the evidence that precludes summary judgment. Id. If the nonmoving party fails to 18 make this showing, “the moving party is entitled to a judgment as a matter of law.” Celotex, 477 19 U.S. at 322. 20 IV. DISCUSSION 21 Google submits several “undisputed facts” which it insists should resolve this case entirely. 22 These facts, according to Google, reflect that its collection of WAA and (s)WAA-off data was 23 lawful and consistent with its representations to class members. Google’s Mot. at 16-17. 24 Accepting Google’s view that these facts are true and undisputed would result in this motion being 25 granted on four grounds: first, Google secured consent from Plaintiffs for its “basic record-keeping 26 practices.” Second, the language of Google’s disclosures regarding the WAA and (s)WAA settings 27 unequivocally explained that those settings do not control Google’s “non-personal record- 1 keeping.” If the settings were ambiguous, Google insists that each Plaintiff reviewed the Privacy 2 Policy, which defines both personal information and non-PII. Third, Google did not use this 3 information to target or personalize ads to Plaintiffs. Finally, the above leads to the conclusion that 4 Google’s basic record-keeping practices harms no one. 5 A. What WAA/(s)WAA controls is ambiguous 6 Google does not deny that it collects (s)WAA-off data and tracks user behavior via GA4F 7 but argues that it did so lawfully. However, the argument that users knew the WAA button 8 controls only whether a user’s app activity data is “saved to [his or her] Google account” fails to 9 persuade. 10 On the page and connected interfaces, which include the WAA and 11 (s)WAA settings and their descriptions, Google provides multiple descriptions of what the WAA 12 and (s)WAA settings entail. Nowhere do these disclosures indicate with reasonable clarity that 13 (s)WAA controls not whether Google will collect data about a user’s app activity at all, but only 14 whether Google will delink the collected data from the user’s GAIA-ID. The various 15 interpretations of these disclosures render them ambiguous such that a reasonable user would 16 expect the WAA and (s)WAA settings to control Google’s collection of a user’s web app and 17 activity on products using Google’s services. Documents Google produced in discovery only 18 emphasize the WAA settings’ ambiguity. One such document states that “[a]ds you respond to by 19 clicking the ad itself or buying something on the advertiser’s site” constitute what is “saved as 20 [WAA].” Dkt. 398-8 at 9. At the very least, this could reasonably suggest that a (s)WAA-off user 21 may interpret the exact kind of data Google saves via GA4F to be precluded from Google’s data 22 logging if they switch (s)WAA off. What is meant by the (s)WAA disclosures is thus a disputed 23 material fact. 24 Google’s insistence that a user should have known that “saved to your Google account” 25 denotes only personal information is unconvincing, and its reliance on the PP provides no clarity. 26 The (s)WAA disclosures do not distinguish between personal information and non-PII, and the PP, 27 in defining both terms, does not expressly refer to the (s)WAA settings. Even accepting that 1 Google’s disclosures outside of the WAA/(s)WAA settings context could somehow be relied upon 2 to provide clarity as to those settings, that is not the case here. The PP states that a user must 3 provide Google with their personal information to create a Google account, which is then used to 4 authenticate a user when accessing Google’s services. This does not foreclose the possibility that 5 information which is not associated with a user’s Google account is personal information. 6 Moreover, Plaintiffs’ interpretation of “personal information” is consistent with California 7 law. In re Google RTB Consumer Privacy Litigation, 606 F. Supp. 3d 935 (N.D. Cal. 2022) is 8 instructive. There, the court pointed to language in the California Consumer Privacy Act 9 (“CCPA”) (amended by Stats. 2023, Ch. 551, Sec. 1. (A.B. 947)), where the California legislature 10 defined as personal information the type of data collected by GA4F. See 606 F. Supp. 3d at 944. 11 Specifically, the CCPA defines personal information as that which “identifies, relates to, 12 describes, is reasonably capable of being associated with, or could reasonably be linked, directly 13 or indirectly, with a particular consumer or household,” including “[g]eolocation data” as well as 14 “Internet Protocol addresses” or “unique personal identifiers [or] online identifiers.” Cal. Civ. 15 Code § 1798.140. While Plaintiffs do not advance a claim under the CCPA, the legislature’s 16 definition in that statute illustrates that, at the very least, a reasonable juror could view the 17 (s)WAA-off data Google collected via GA4F, including a user’s unique device identifiers, as 18 comprising a user’s personal information. 19 B. Consent 20 Google argues that Plaintiffs consented to the collection of their pseudonymous data, but 21 this too is unconvincing. The recently decided Calhoun v. Google, LLC is apposite. 113 F.4th 22 1141 (9th Cir. 2024). In that case, the class members challenged Google Chrome’s sync function, 23 averring that they believed choosing not to sync Chrome with their Google accounts would preclude the collection of their “personal information” by Google. Id. at *1143–44. While that 24 case included an intrusion upon seclusion claim, the central inquiry on appeal was whether the 25 plaintiffs consented to Google’s conduct based on the viewpoint of a reasonable user encountering 26 Google’s disclosures (including the PP). 27 1 The Ninth Circuit confirmed that whether the plaintiffs consented turned on the terms of 2 various disclosures and “whether a reasonable user reading them would think that he or she was 3 consenting to the data collection, which collection Google has not disputed.” Id. at 1148. The 4 Calhoun court also distinguished Hammerling v. Google, LLC, No. 22-17024, 2024 WL 937247 at 5 *3 (9th Cir. Mar. 5, 2024) (unpublished) and Smith v. Facebook, 745 Fed. App’x 8, 9 (9th Cir. 6 2018) (unpublished), cases where the “plaintiffs…had not argued that Facebook or Google had 7 service-specific privacy policies that could reasonably be read to say the opposite of what its 8 general privacy policies disclosed.” Calhoun, 113 F.4th at 1149. “By contrast, and at least in the 9 light most favorable to plaintiffs, Google did make a promise in its Chrome Privacy Policy that it 10 would not collect certain information absent a user’s voluntary decision to sync, so Google may be 11 ‘bound by [those] promises.’” Id. (quoting Smith, 745 Fed. App’x at 9). As in Calhoun, Google 12 provides Plaintiffs with several disclosures, ranging from general privacy disclosures in its PP to 13 more specific disclosures surrounding the WAA/(s)WAA buttons. From the perspective of a 14 reasonable user, it is unclear Plaintiffs were consenting to the data collection at issue. With that 15 background, analysis turns to the specific claims advanced by Plaintiffs in the FAC. 16 C. Invasion of privacy claims 17 While Plaintiffs’ invasion of privacy claims, brought separately under the California 18 constitution and common law, are distinct claims, they consist of substantially similar elements. 19 The inquiry under either is whether “(1) there exists a reasonable expectation of privacy, and (2) 20 [whether] the intrusion was highly offensive.” In re Facebook, Inc. Internet Tracking Litig. 21 (“Facebook Tracking”), 956 F.3d 589, 601 (9th Cir. 2020). Plaintiffs’ common law tort claim also 22 requires a showing of intent to commit the intrusion on Google’s part. 23 1. Reasonable expectation of privacy 24 Google argues that Plaintiffs have no reasonable expectation of privacy in anonymized, 25 aggregate data, invoking Campbell v. Facebook, Inc., 951 F.3d 1106, 1119 (9th Cir. 2020). In that 26 case, however, the Ninth Circuit specifically declined to reach the issue: “We emphasize that this case also does not present the question whether standing could be based entirely on injury from 27 1 anonymized, aggregated uses of data.” Id. at n.9. Indeed, “information need not be personally 2 identifying to be private.” In re Google Referrer Header, 465 F. Supp. 3d 999, 1009–10 (N.D. 3 Cal. 2020); see also Brown v. Google LLC, 685 F.Supp.3d 909, 924 (2023) (“Plaintiffs have set 4 forth specific facts demonstrating that the reason Google has access to their anonymous, aggregated data is through the collection and storage of information from users’ private browsing 5 history without consent.”). Moreover, whether the data collected by Google constitutes personal 6 information is not, as Google suggests, a foregone conclusion. See In re Google RTB Consumer 7 Priv. Litig., 606 F. Supp. 3d at 944. 8 Google invokes Hammerling, where the Ninth Circuit affirmed a district court’s dismissal 9 of these claims because Google’s PP “expressly disclosed Google’s intention to track [the 10 plaintiffs’] activity on third-party apps. As a result, [they] have no reasonable expectation of 11 privacy in that data.” 2024 WL 937247 at *3. By contrast, Google’s disclosures concerning the 12 (s)WAA settings state that it governs a user’s activity “on sites, apps, and devices that use Google 13 services”—language almost identical as that in Hammerling— to describe data that Google will 14 not save when (s)WAA is off. Following Google’s logic, it is at least disputed here whether 15 Plaintiffs have a reasonable expectation of privacy as to the (s)WAA-off data. 16 2. Highly offensive conduct 17 For Plaintiffs to succeed on their invasion of privacy claims, they need also show that the 18 invasion of privacy was “highly offensive” to a reasonable person and unwarranted “so as to 19 constitute an ‘egregious breach of social norms.’” Facebook Tracking, 956 F.3d at 606 (quoting 20 Hernandez v. Hillsides, Inc., 47 Cal.4th 272, 295 (2009)). This inquiry “requires a holistic 21 consideration of factors such as the likelihood of serious harm to the victim, the degree and setting 22 of the intrusion, the intruder’s motives and objectives, and whether countervailing interests or 23 social norms render the intrusion inoffensive.” Id. 24 To emphasize the offensiveness of Google’s conduct, Plaintiffs highlight the “vast and 25 sensitive” nature of the information collected, see Brown, 685 F. Supp 3d at 941, as well as the 26 significant profits Google makes resulting from its misconduct. Specifically, Plaintiffs suggest that 27 Google can personalize ads based on (s)WAA-off data because Attribution/Conversion Tracking 1 is highly profitable for Google. In support, Plaintiff’s technical expert, Jonathan Hochman, looks 2 to the GA4F Help Center. There, Google indicates that a GA4F automatically collects certain 3 “User Properties,” including a user’s IP address, age, gender, geolocation, “potentially even 4 ‘favorite food.’” Hochman Rep. 89, 99. Google also supposedly performs its (s)WAA “consent checks” only after it has collected and saved a myriad of unique and sensitive information from 5 users, rendering the distinction between identifying and pseudonymous data (i.e., GAIA and non- 6 GAIA identifiers) meaningless. Id. at 86, 87. 7 This inquiry of Google’s conduct turns on the nature of the information collected and 8 whether a reasonable person would consider its collection to be an offensive intrusion. While 9 Hochman’s report indicates that Google creates these extensive and detailed marketing profiles of 10 (s)WAA-off users which it then uses to gain high profits, those arguments are founded on a 11 hypothetical scenario, rather than Google’s actual conduct. Plaintiffs have provided no evidence 12 that Google uses (s)WAA-off data to build highly targeted and invasive marketing profiles of 13 (s)WAA-off users, only that Google has the technical capabilities of joining the identifiers it 14 collects with more sensitive and personal data about the user. In fact, Google takes significant 15 efforts to separate a (s)WAA-off users’ GAIA-IDs from its device identifiers. Furthermore, 16 “routine commercial behavior” is not a “highly offensive” invasion of privacy. Low v. LinkedIn 17 Corp., 900 F. Supp. 2d 1010, 1025 (N.D. Cal. 2012). 18 That Google can use this information to make money or improve its products or services is 19 of little relevance. That principle applies a fortiori here as Google collects the (s)WAA-off data 20 not simply to line its pockets, but for a free analytics tool intended to aid developers in 21 understanding their apps and usage. Moreover, Plaintiffs have not explained how the (s)WAA-off 22 data that Google collects constitute sensitive information that would offend a reasonable person 23 and social norms. See In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1063 (N.D. Cal. 24 2012) (“[T]he information allegedly disclosed to third parties included the unique device identifier 25 number, personal data, and geolocation information from [p]laintiffs’ iDevices. Even assuming 26 this information was transmitted without Plaintiffs’ knowledge and consent, a fact disputed by 27 Defendants, such disclosure does not constitute an egregious breach of social norms.”). 1 Ultimately, however, viewing the facts in the light most favorable to Plaintiffs, Google’s 2 conduct is at least arguably offensive because it collects (s)WAA-off data despite concerns raised 3 by its employees and with the knowledge that its disclosures are ambiguous and deficient. In 2019, 4 an employee who worked on Gmail shared internally that Google “would need to modify the [WAA disclosures] to indicate that WAA off is identical to being not logged into your account 5 (data logged, but not tied to your account).” Later that year, he wrote again, highlighting that the 6 WAA page indicates that WAA-off data should not be logged at all. Another employee wrote that 7 “teams should not use user data at all if WAA is off,” to align with what “most users expect.” 8 Several Google employees between 2017 and 2020 wrote that WAA was confusing and unclear to 9 everyday users. See Plaintiffs’ Opposition to Motion for Summary Judgment (“Plaintiffs’ Opp.”) 10 at 12-13. Internal Google communications also indicate that Google knew it was being 11 “intentionally vague” about the technical distinction between data collected within a Google 12 account and that which is collected outside of it because the truth “could sound alarming to users.” 13 Google argues that these comments are innocuous because they seek largely to identify 14 potential technical improvements for Google services, and several of the employees making such 15 remarks are unfamiliar with WAA. The concerns raised by Google employees are relevant, 16 however, at the very least for tending to show that the WAA disclosures are subject to multiple 17 interpretations. What is more, the remarks and Google’s internal statements reflect a conscious 18 decision to keep the WAA disclosures vague, which could suggest that Google acted in a highly 19 offensive manner, thereby satisfying the intent element of the tort claim. Then again, these 20 comments could also be ascribed to the unremarkable culture in large technology enterprises 21 where employees simply offer improvements of the company’s products or services. Whether 22 Google or Plaintiffs’ interpretation prevails is a triable issue of fact.
23 3. Harm 24 Google insists that Plaintiffs’ invasion of privacy claims fail because Plaintiffs cannot 25 establish that a “bare privacy harm” is actionable, as Article III injury alone cannot constitute 26 harm to sustain the invasion of privacy claims (as well as CDAFA, discussed further below). In 27 TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), the Supreme Court held that, for purposes of 1 Article III standing, “only those plaintiffs who have been concretely harmed by a defendant’s 2 statutory violation may sue that private defendant over that violation in federal court.” Id. at 427 3 (emphasis in original). The Court also noted that “[c]entral to assessing concreteness is whether 4 the asserted harm has a 'close relationship to a harm traditionally recognized as providing a basis 5 for lawsuits in American courts.” Id. at 417 (internal quotations omitted); Facebook Tracking, 956 6 F.3d at 598 (“[V]iolations of the right to privacy have long been actionable at common law.”). 7 Additionally, as the Ninth Circuit indicated when discussing certain California privacy statutes, 8 “under the privacy torts that form the backdrop for these modern statutes, the intrusion itself 9 makes the defendant subject to liability . . . In other words, privacy torts do not always require 10 additional consequences to be actionable.” Campbell, 951 F.3d at 1117 (internal citations 11 omitted). 12 Google insists that while Plaintiffs may have suffered Article III injury, they cannot show, 13 class-wide, that they suffered harm under the invasion of privacy claims because the “emotional 14 harms” associated with those claims are only available on an individual basis. Plaintiffs have 15 offered no models or explanations for how these harms apply across the classes, and at the 16 hearing, Plaintiffs’ counsel admitted that if emotional harm was Plaintiffs’ sole theory of harm, 17 only nominal damages would be available to the class. Contrary to Google’s view, however, that 18 only nominal damages are available class-wide does not defeat Plaintiffs’ invasion of privacy 19 claims. 20 D. CDAFA 21 Plaintiffs aver, in their third claim, that Google’s collection and use of (s)WAA-off data 22 violates CDAFA, Cal. Penal Code § 502, et seq. CDAFA imposes liability on whoever 23 “[k]nowingly accesses and without permission takes . . . any data from a computer.” Cal. Penal 24 Code § 502(c)(2). The statute allows an individual who “suffers damage or loss by reason of a 25 violation” of the statute to bring a private civil action. Cal. Penal Code § 502(e)(1). Google seeks 26 summary judgment for Plaintiffs’ CDAFA claim on the grounds that it had permission to use 27 (s)WAA-off data and that Plaintiffs suffered no damage or loss. 1 1. Permission3 2 CDAFA does not define “permission” within the text of the statute. Several cases in this 3 district and the Ninth Circuit provide guidance as to the term’s meaning for the purposes of 4 CDAFA analysis, focusing on the plain meaning of the term and what the defendant knew while 5 using the data. See, e.g., In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1100 (N.D. Cal. 2015) 6 (“‘Permission’ is defined as the ‘act of permitting’ or ‘a license or liberty to do something; 7 authorization.’”) (quoting Black’s Law Dictionary (8th ed. 2004)); Facebook, Inc. v. Power 8 Ventures, Inc., 844 F.3d 1058, 1069 (9th Cir. 2016) (in concluding that the defendant violated 9 CDAFA, holding that it “knew that it no longer had permission to access [the plaintiff’s] 10 computers at all”). Much of the authority on this issue comes from courts reviewing Computer 11 Fraud and Abuse Act (CFAA) claims, 18 U.S.C. § 1030(a)(2). Courts in this district have held that 12 CDAFA claims generally “rise or fall with . . . CFAA claims because the necessary elements of 13 Section 502 do not differ materially from the necessary elements of the CFAA, except in terms of 14 damages.” Meta Platforms, Inc. v. BrandTotal Ltd., 605 F. Supp. 3d 1218, 1260 (N.D. Cal. 2022) 15 (citing Brodsky v. Apple Inc., 445 F. Supp. 3d 110, 129 (N.D. Cal. 2020)). In the CFAA context, 16 the Ninth Circuit defines “authorization” as “permission or power granted by an authority.” LVRC 17 Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009). 18 First, Google argues that, as a matter of law, Plaintiffs explicitly consented because the 19 default setting for (s)WAA gave Google permission to use their data, and toggling (s)WAA off did 20 not revoke permission. Even if Plaintiffs impliedly granted Google permission to use their data 21 prior to toggling (s)WAA off, this argument is lacking. See Power Ventures, 844 F.3d at 1069 22 (acknowledging that permission may be granted by implication in the context of CDAFA). What 23 is relevant is whether toggling (s)WAA off revoked permission.4 Google’s generic disclosures in 24
25 3 The parties interchangeably refer to this element under CDAFA as “permission” and “consent.” 26 4 If Google is correct that the WAA settings are of no import as to the data Google collected via GA4F, it is unclear how else a user may give Google consent to log that information to begin with 27 (short of not signing up for a Google account), much less withdraw it. 1 the PP fail to show express or implied consent to the data use at issue because consent is only 2 effective if directed “to the particular conduct, or to substantially the same conduct.” Tsao v. 3 Desert Palace, Inc., 698 F.3d 1128, 1149 (9th Cir. 2012) (internal quotations omitted). Here, the 4 permission prong of Plaintiffs’ CDAFA claim turns on whether class members revoked 5 permission when they toggled (s)WAA off. 6 When evaluating whether a party revoked permission in the context of CDAFA or CFAA, 7 courts focus on the perspective of the defendant at the time they used the data. See Power 8 Ventures, 844 F.3d at 1069. In Power Ventures, the Ninth Circuit held that a cease-and-desist 9 letter sent by the plaintiff revoked any implied permission for the defendant to continue accessing 10 their computers and using their data. The Ninth Circuit held that previously permitted use runs 11 afoul of the CFAA (and therefore the CDAFA) “when such permission has been revoked 12 explicitly.” Id. at 1067. The Ninth Circuit did not hold that a cease-and-desist letter was required 13 or articulate a specific test for revocation, instead focusing on what a defendant knew or should 14 have known at the time of use. Id. at 1069 (“But when Facebook sent the cease-and-desist letter, 15 Power, as it conceded, knew that it no longer had permission to access Facebook’s computers at 16 all . . . Power violated [the CDAFA].”). 17 In this case, it is genuinely disputed whether Google knew or should have known that class 18 members revoked permission to use (s)WAA-off data. Google contends that the description of the 19 (s)WAA switch and what it controlled was plain and straightforward, clearly communicating that 20 the access and use now at issue was beyond the scope of the setting. Plaintiffs disagree, arguing 21 that they reasonably thought turning off (s)WAA meant that “Google would not collect or save 22 their app activity.” As explained above, evidence produced by Google during discovery, including 23 deposition testimony by Google employees, indicates that the description of (s)WAA was 24 ambiguous. Although Google disputes the applicability of that evidence, a reasonable juror could 25 be convinced by either party’s argument regarding the (s)WAA setting and Google’s PP. 26 Furthermore, Google has not explained how it received “consent” by (s)WAA-off users to collect 27 the data if there was no meaningful way for users to provide that consent. Indeed, “consent is only 1 effective if the person alleging harm consented to the particular conduct, or to substantially the 2 same conduct and if the alleged tortfeasor did not exceed the scope of that consent.” Brown, 685 3 F. Supp. 3d at 926 (internal quotations omitted). Accordingly, it cannot be determined as a matter 4 of law that Google had Plaintiffs’ permission to use their data. 5 Google next argues that even if Plaintiffs did not give Google permission to use their 6 (s)WAA-off data, the third-party app developers obtained consent from users as a condition of 7 GA4F, so Google had permission to collect the data and its use did not violate CDAFA. Google 8 says that it acted only as a “vendor” to those third-party apps and permission granted by users to a 9 technology company extends to vendors who process such data. Even assuming Google acted as a 10 vendor, no court has endorsed the position that when one technology company acts as a vendor for 11 another, consent for the purposes of CDAFA analysis is coextensive with the party that obtained 12 it. Google cites only to inapposite California Invasion of Privacy Act (“CIPA”) cases in support of 13 their position on this point. See, e.g., Graham v. Noom, Inc., 533 F. Supp. 3d 823 (N.D. Cal. 14 2021). Unlike CFAA, CIPA has never been deemed substantially similar to CDAFA. Therefore, 15 Google presents no relevant authority to show that under CDAFA, permission given by third 16 parties to use (s)WAA-off data satisfies the statute’s permission requirement. 17 Google’s third-party permission argument is not only unsupported by any applicable 18 caselaw but also in tension with relevant Ninth Circuit precedent. In United States v. Nosal, the 19 Ninth Circuit held that “once authorization to access a computer has been affirmatively revoked, 20 [a defendant] cannot sidestep the statute by going through the back door and accessing the 21 computer through a third party. Unequivocal revocation of computer access closes both the front 22 door and the back door.” 844 F.3d 1024, 1028 (9th Cir. 2016) (discussing the authorization prong 23 of the CFAA). Assuming, then, that Plaintiffs did revoke permission when they toggled (s)WAA 24 off, whether a third party granted permission is irrelevant. Instead, what matters is whether Google 25 knew or should have known that Plaintiffs revoked permission to use their data, a material fact 26 that is genuinely disputed. 27 Google also contends that if a plaintiff was indeed confused about the limitations of the 1 WAA or (s)WAA settings, that confusion would undermine Plaintiffs’ class-wide claims because 2 it otherwise received clear consent for pseudonymous record-keeping. As explained, whether 3 Google received consent for its conduct is not a sure-fire proposition. More critically, Google 4 confuses the issue here: viewing the facts in the light most favorable to Plaintiffs, it is a disputed 5 fact, not an individualized inquiry, whether the class members’ uniform conduct of turning 6 (s)WAA off withdrew their consent for Google to “save app activity data.” This identical conduct, 7 as explained in the class certification order, still warrants class treatment. Moreover, Google’s 8 disclosures were uniform to all class members and its treatment of the classes’ data was also 9 identical. Its own imprecision does not undermine predominance. 10 2. Damage or Loss 11 CDAFA neither defines nor sets a monetary threshold for “damage or loss.” Cottle v. Plaid 12 Inc., 536 F. Supp. 3d 461, 487 (N.D. Cal. 2021). Rather, “under the plain language of the statute, 13 any amount of damage or loss may be sufficient.” Facebook, Inc. v. Power Ventures, Inc., No. 08- 14 cv-05780-JW, 2010 WL 3291750, at *4 (N.D. Cal. July 20, 2010). Plaintiffs argue that at least 15 five injuries establish “damage or loss” under CDAFA. 16 a. Deprivation of privacy 17 This damage theory rests entirely on the viability of Plaintiffs’ other two claims and 18 requires a showing of harm. As discussed above, Plaintiffs are unable to show that they are 19 entitled to more than nominal damages resulting from the emotional harms associated with their 20 deprivation of privacy. They offer no concrete models or theories that this harm constitutes more 21 than simply an emotional injury. However, Plaintiffs have other damage or loss theories that 22 provide a basis to satisfy this element of CDAFA. 23 b. Disgorgement of profits 24 Plaintiffs argue that they experienced damage or loss because Google illegally profited 25 from the use of their data. Plaintiffs rely on Facebook Tracking, where the Ninth Circuit held that 26 “California law recognizes a right to disgorgement of profits resulting from unjust enrichment, 27 even where an individual has not suffered a corresponding loss.” 956 F.3d at 599. Google 1 responds that, in light of TransUnion, Plaintiff’s disgorgement of profits theory of damage or loss 2 is untenable under CDAFA. 594 U.S at 417. 3 Plaintiffs’ disgorgement theory is compatible with TransUnion, which held that, when 4 determining which injuries are sufficiently concrete, “history and tradition offer a meaningful 5 guide.” Id. at 424 (citation omitted). Certain harms “readily qualify as concrete injuries under 6 Article III. The most obvious are traditional tangible harms, such as physical harms and monetary 7 harms.” Id. at 425. Intangible harms, such as “disclosure of private information” or “intrusion 8 upon seclusion”, have also been traditionally recognized. Id. Google argues that its “harmless data 9 collection” does not serve as a basis to disgorge its profits because it does not constitute a concrete 10 injury. 11 Notwithstanding that it is disputed whether Google’s data collection was “harmless,” 12 Brown v. Google LLC is instructive in showing why Plaintiffs’ intangible harms are sufficiently 13 concrete to constitute damage or loss under current law. 685 F. Supp. 3d 909 (N.D. Cal. 2023). In 14 that case, decided after TransUnion, the court held that the plaintiffs satisfied CDAFA’s damage 15 or loss requirement because they had “a stake in the value of their misappropriated data.” Id. at 16 940. Relying on Facebook Tracking, the court held that the plaintiffs could state an economic 17 injury for their misappropriated data. Id.; Facebook Tracking, 956 F.3d 589 at 600. The court also 18 denied summary judgment as to the defendant’s argument that plaintiffs lacked standing to seek an 19 unjust enrichment remedy, holding that Facebook Tracking was still good law. Brown, 685 F. 20 Supp. 3d at 926. Here, Plaintiffs have a stake in the value of their data. As in Brown, where the 21 court denied summary judgment on the issue of damage or loss “because plaintiffs proffer[ed] 22 evidence that there [was] a market for their data,” Plaintiffs here similarly present evidence that 23 their data has economic value. 685 F. Supp. 3d at 940. Accordingly, a reasonable juror could find 24 that Plaintiffs suffered damage or loss because Google profited from the misappropriation of their 25 data. 26 c. Failure to pay for collected data 27 Third, Plaintiffs argue that they suffered damage or loss because Google failed to pay for 1 the data it collected despite there being a market for it. This theory of damage or loss is closely 2 related to Plaintiffs second theory. See Brown, 685 F. Supp. 3d at 925-26, 940 (discussing unjust 3 enrichment and economic injury for misappropriated data). Plaintiffs argue that they suffered 4 damage or loss because Google took something of economic value from them without their 5 permission. Google insists that this theory fails because Plaintiffs did not wish to sell their data 6 and, even if they did, their data did not diminish in value because of its conduct. However, “under 7 California law, [a] stake in unjustly earned profits exists regardless of whether an individual 8 planned to sell his or her data or whether the individual’s data is made less valuable.” Facebook 9 Tracking, 956 F.3d at 600. It remains disputed whether Plaintiffs suffered damage or loss because 10 Google failed to pay for their data despite the existence of a market. 11 d. Depletion of battery and bandwidth 12 Fourth, Plaintiffs proffer evidence that Google’s unauthorized access depleted their 13 devices’ battery and bandwidth, causing damage or loss. Courts recognize depletion of battery and 14 computing resources as acceptable forms of damage or loss for the purposes of a CDAFA claim. 15 In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1065 (N.D. Cal. 2015); Williams v. Facebook, Inc., 16 498 F. Supp. 3d 1189, 1199 (N.D. Cal. 2019). While Plaintiffs have provided no evidence about 17 how much device battery life and bandwidth was depleted, they point to internal Google 18 documents that suggest Google Analytics impacts battery-life of a device. Google points out that 19 Plaintiffs failed to present a damage model at class certification based on this harm, and Plaintiffs 20 concede that only nominal damages would be available to them under this theory of liability. As 21 the statute sets no minimum threshold for damage or loss, even small harms due to depletion of 22 battery and bandwidth satisfy CDAFA’s requirements. At this stage, Plaintiffs have provided 23 sufficient evidence to show harm for at least nominal damages under this theory. 24 e. Denial of benefit of the bargain 25 Finally, Plaintiffs argue that they suffered damage or loss because class members did not 26 receive the “benefit of their bargain” with Google, a concept linked to their now dismissed breach 27 of contract claim. Dkt. 127, 209. Plaintiffs have offered no authority that denial of the benefit of 1 the bargain constitutes damage for CDAFA absent a contract claim. 2 E. Motions to Seal 3 The parties have filed administrative motions to seal portions of their briefing. Plaintiffs 4 || move to seal highlighted portions of Exhibit 4 of its Opposition on the grounds that it contains 5 personally identifiable information, which is deemed private pursuant to the Protective Order. 6 Google has moved to seal no portion of the Opposition or its Reply brief (and its Motion 7 for Summary Judgment was filed publicly). Instead, Google seeks only to seal portions of 16 8 exhibits submitted alongside the Opposition and Reply briefs and 6 exhibits in full. Google 9 subsequently withdrew its request to seal one sentence from Exhibit 34. Google raises several 10 grounds as the basis for its motion to seal: first, it seeks to seal commercially sensitive 11 information, including its internal research methodologies and forward-looking strategies and g 12 || deliberations. It also seeks to seal private documents regarding the technical details of Google’s 13 internal systems, references to internal code names, and non-public email addresses. 14 The parties’ motions to seal have satisfied the “compelling reasons” standard for 2 15 || dispositive motions. See Ctr. for Auto Safety v. Chrysler Grp., 809 F.3d 1092, 1098-1099 (9th Cir. 16 || 2016). The sealing questions are tailored narrowly in order to avoid impacting the public’s 2 17 understanding of this case. Accordingly, the motions to seal are granted. Z 18 V. CONCLUSION 19 For the reasons explained above, Google’s motion for summary judgment is denied and the 20 || pending motions to seal are granted. The parties shall file public versions of their briefs and 21 related exhibits in accordance with the sealing order within one week of the date of this order. 22 || ITISSO ORDERED. 23 24 || Dated: January 7, 2025 25 / 26 RICHARD SEEBORG 27 Chief United States District Judge 98 ORDER DENYING MOTION FOR SUMMARY JUDGMENT CASE No. 20-cv-04688-RS