Google's loss in Chrome users' US lawsuit over syncing will have reverberations across privacy litigation

23 August 2024
By Xu Yuan and Mike Swift

In a decision likely to reverberate widely, a US appeals court dealt a blow to Google and other Internet companies fighting privacy litigation by declaring that privacy disclosures must be clear to a typical consumer, and that companies face liability if they rely on complicated, multi-layered policies.

A three-judge panel on the US Court of Appeals for the Ninth Circuit yesterday reversed an order that dismissed privacy claims against Google by Chrome users over the syncing of browsing activities with their Google accounts. The case can now go to trial in Oakland, California, the appeals court ordered.

In remanding the case, the court directed that the standard for evaluating whether a user has given consent for the collection of personal data should be an objective one, not a subjective inquiry that varies from person to person — a decision that could make it easier for privacy plaintiffs to win class certification. Courts must review the terms of various disclosures and decide whether a reasonable user reading them would think they were consenting to the data collection.

“If that user could have plausibly understood the disclosures ‘as not disclosing that [the defendant] would engage in particular conduct,’ then the disclosures are insufficient to establish consent,” US Circuit Judge Milan D. Smith Jr. wrote.

In Google’s case, the company has a broadly worded general privacy disclosure, but also a privacy policy specific to Chrome, where Google promised consumers that “the personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google Account by turning on sync.”

Within hours of yesterday’s decision, at least one plaintiff had already filed a judicial notice of the decision in another privacy case involving Google. That is a signal the Ninth Circuit order is likely to have significant implications for ongoing litigation, where defendants often don’t dispute the collection of data, but turn to a multitude of privacy policies or disclosures to argue that the user has been informed of the collection and has granted consent.

“The order makes it clear that if a company is claiming consent, the burden is on the company to demonstrate there was in fact knowing consent from the perspective of a reasonable user,” said Jim Dempsey, a lecturer at the University of California Berkeley School of Law. “The company cannot rely upon multiple privacy policies or very close reading of very complicated documents.”

For Google, the decision also puts the digital ads giant under intense pressure to negotiate what could be a hugely expensive settlement. Google’s alternative is a trial in which it would have the burden of proof to convince a jury that any typical user of Chrome — not a person who is “an experienced business lawyer or someone who is able to easily ferret through a labyrinth of legal jargon to understand what he or she is consenting to,” in the words of the Ninth Circuit — would understand the company’s lengthy, interlacing privacy statements.

“We disagree with this ruling and are confident the facts of the case are on our side,” a Google spokesperson, José Castañeda, said today. “Chrome Sync helps people use Chrome seamlessly across their different devices and has clear privacy controls." The company declined to comment on whether it will ask the US Supreme Court to review the Ninth Circuit decision.

Multiple privacy notices

Like Google, many tech companies have more than one product through which they collect data, resulting in more than one privacy policy.

But the order may force many more companies to be more careful with what has become a widespread practice of having general privacy policies overlaying separate disclosures specific to a product.

In the Chrome sync case, a key dispute at the trial court level had been which of Google’s several privacy policies the court should rely on when examining the data at issue. US District Judge Yvonne Gonzalez Rogers ruled in May 2023 that Google’s general privacy policies — a combination of several agreements — applied, instead of the specific Chrome Privacy Notice.

The appeals court said that was incorrect. “Google did make a promise in its Chrome Privacy Policy that it would not collect certain information absent a user’s voluntary decision to sync, so Google may be ‘bound by [those] promises,’ ” yesterday's ruling said.

And Google itself was responsible for the situation. “Here, Google had a general privacy disclosure yet promoted Chrome by suggesting that certain information would not be sent to Google unless a user turned on sync,” the court said.

Reasonable user

The court’s interpretation of what can be expected from a reasonable user could also be damning to the consent defense, where companies argue it’s the user’s fault for not having the technical capabilities to navigate through the multiple lengthy and jargon-laden policies.

A “determination of what a ‘reasonable’ user would have understood must take into account the level of sophistication attributable to the general public, which uses Google’s services,” the appeals court said.

In the lower court, Gonzalez Rogers wrongly focused on the technical aspects of whether Google collects user data differently if users are using different browsers such as Chrome, Apple’s Safari and Mozilla’s Firefox, the appeals court found.

Gonzalez Rogers held a 7.5-hour evidentiary hearing in October 2022 to hear from experts on whether the data at issue is “browser-agnostic” and she was convinced, meaning the data that was allegedly improperly collected was transmitted to Google regardless of the browser used.

During oral argument last month, however, it was clear that Smith and the two other Ninth Circuit judges were highly skeptical of Gonzalez Rogers’ thinking that led to her conclusion that Google had received meaningful consent from Chrome users.

“If I’m a regular person, and I look at that, I probably wouldn’t even go any further. I’m not going to look at anything else,” to try to understand the limits of Google’s data collection through Chrome, Smith said during oral argument, referring to Google’s Chrome Privacy Notice.

Next for the case

While the plaintiffs said in the wake of yesterday’s decision that they are looking forward to going to trial, a large settlement that could easily reach well into the hundred of millions of dollars is a more likely outcome. Privacy litigation virtually never goes to trial in the United States. Meta Platforms, for example, recently agreed to a $1.4 billion settlement in the days before the scheduled start of a jury trial involving the state of Texas over Facebook’s use of facial recognition technology.

Google could put up an initial Maginot Line in front of a trial, in that the Ninth Circuit said the plaintiffs would still need to win class certification. But yesterday’s decision appears to clear the way for the plaintiffs to win class certification by saying the case needs to be decided by the objective standard of whether a “‘reasonable user’ of a service would understand they were consenting to,” rather than the Ninth Circuit’s hypothetical “experienced business lawyer.”

“Because applying the correct standard reveals disputes of material fact regarding whether ‘reasonable’ users of Google’s product consented to Google’s data collection practices, the issue of consent—assuming a plaintiff class is certified—is remanded to the district court for trial,” the Ninth Circuit said.

At trial, Google would would have to prove that users consented to the data collection, which would be a tough case to make to a jury. There is extensive and broad evidence that American consumers do not find company privacy policies to be easy to read, nor do they feel company disclosures clearly explain how their personal data is being used by the likes of Google and other large tech companies.

A 2023 survey by the Pew Research Center found that 67 percent of Americans say they understand “little to nothing about what companies are doing with their personal data,” up from 59 percent on previous surveys. Pew found that 56 percent of Americans frequently click “agree” without actually reading privacy policies, and that 61 percent believe privacy policies are ineffective at explaining how companies use people’s data.

Americans are "largely skeptical that privacy policies do what they’re intended to do," Pew said, with 69 percent saying they view privacy policies "as just something to get past."

Given that common perception among typical consumers, Google might be hard pressed to convince a jury of citizens, even in Silicon Valley, that its multi-tiered disclosures around Chrome’s data collection was clear and understandable to most people.

For the latest regulatory developments in data privacy, cybersecurity and tech regulation across the globe, activate your instant trial of MLex today.