The Northern District of California’s ruling denying Google’s motion for summary judgment in Rodriguez et al. v. Google LLC is a critical moment in privacy law enforcement, particularly concerning Google’s Web App and Activity (WAA) and supplemental settings ((s)WAA). This case brings several important aspects to light.
Key Findings:
Ambiguity in Privacy Controls: Google’s WAA and (s)WAA disclosures were found ambiguous. Users were led to believe that turning off (s)WAA would prevent Google from collecting or saving app activity data, but Google continued collecting pseudonymous data via its analytics tool, GA4F (Google Analytics for Firebase).
Discrepancy in Representations and Practices: Plaintiffs argued that Google collected (s)WAA-off data despite its assurances to users, enabling it to link user behaviors to advertising performance (e.g., attribution/conversion tracking). This was seen as a violation of users’ reasonable expectations of privacy.
Consent and Permission Issues: Google claimed it had consent to collect pseudonymous data, but the court found the disclosures inadequate to obtain informed consent. The ambiguity around what toggling off (s)WAA meant created a genuine dispute over whether users revoked consent.
Invasion of Privacy: The court considered whether Google’s actions amounted to a “highly offensive” intrusion. While some evidence suggested users were not directly harmed, internal Google communications showed the company knowingly kept its disclosures vague, potentially misleading users.
Economic and Privacy Harms: Plaintiffs alleged harm from misappropriation of their data for profit, arguing for disgorgement of Google’s profits. The court acknowledged the economic value of user data and held that such intangible harms could constitute damage under California law.
CDAFA Violations: The court also denied summary judgment on the California Comprehensive Computer Data Access and Fraud Act (CDAFA) claim, citing questions over whether users’ actions to toggle off (s)WAA effectively revoked Google’s permission to collect their data.
Implications of the Ruling
Transparency in Privacy Practices: This ruling underscores the need for clear and unambiguous privacy disclosures. Companies must ensure users understand what happens to their data when toggling privacy controls.
Consent as a Central Compliance Mechanism: The ruling highlights how inadequate consent processes can lead to liability. Even pseudonymous data collection must be grounded in explicit and informed user consent.
Economic Value of User Data: Courts are increasingly recognizing user data as having intrinsic economic value, reinforcing the need for companies to handle it with care and respect.
Potential for Class Actions: If upheld, this ruling could pave the way for more class-action lawsuits against companies with vague or misleading data practices, particularly in the realm of analytics and tracking.
Risk for Analytics Tools: Tools like GA4F, which collect data regardless of user settings, are at risk of being seen as incompatible with modern privacy laws, particularly where they operate without clear consent.
This case sends a strong signal to Big Tech and app developers about the necessity of aligning data collection practices with user expectations and legal standards. The court’s focus on transparency and user control over data could have a ripple effect on other analytics and advertising tools. Companies using tools like Google Analytics should review their practices, ensuring they provide clear consent mechanisms and align their disclosures with actual data handling practices.
Ronni K. Gothard Christiansen
Creator, AesirX.io
Concerned about your website’s compliance?
Does your site collect data or share it with third parties before obtaining valid user consent? The AesirX Privacy Scanner is a free privacy tool that identifies potential GDPR and ePrivacy Directive violations, enabling you to address them proactively.