Business

TECHNOLOGY LAW CORNER

Google’s $8.5M Data Privacy Dodge

An October 2010 class action lawsuit against Google included allegations that “Google transmitted user search queries to third parties without knowledge or consent in order to enhance advertising revenue and profitability.” Following three years of litigation, Google and the plaintiff users this June presented a settlement proposal to the federal court. However, Google is not proposing to change its privacy policies.

Interestingly, the class of plaintiffs is yet to be determined. The proposed settlement identifies the class as “all persons in the U.S. who submitted a search query to Google at any time from Oct. 25, 2006, until the date of the notice of the proposed class action settlement.” That must be a huge number.

As of July 2013, Google accounts for about 67 percent of the U.S. searches and about 90 percent of searches in the EU, based on comScore’s latest research.

Before the Lawsuit

On April 14, 2010, before the lawsuit was filed, Google sent a letter to the Federal Trade Commission expressing its views on transparency and privacy. Google specifically stated its view on these two topics:Strong industry commitments to ensure transparency, user control, and security in Internet services for consumers. Self-regulatory standards, such as the recent work done in online behavioral advertising, have encouraged companies to innovate in the area of privacy and have enhanced user choices in the environment as a whole.

Comprehensive privacy standards and strengthened protections from government intrusion. Google has long supported comprehensive federal privacy legislation to establish baseline privacy protections for consumers. In addition, Google recently announced its support for the reform of federal law governing government access to online records as part of the Digital Due Process coalition.Google also told the FTC that Google believes “that there is an important role for the development and enforcement of industry self-regulatory privacy principles… .”

How ironic, given what the plaintiffs complained about in their lawsuit.

What Are the Alleged Privacy Violations?

Among other things, the Second Amended Complaint against Google derides its famous motto “Don’t be evil,” and a provision of its Code of Conduct that asks users … to trust [it] with their personal information. Preserving that trust requires that each of us respect and protect the privacy of that information. Our security procedures strictly limit access to and use of users’ personal information.Further, the Second Amended Complaint includes the following allegations:…Google has consistently and intentionally designed its services to ensure that user search queries, which often contain highly sensitive and personally identifiable information (PII), are routinely transferred to marketers, data brokers, and sold and resold to countless other third parties.

…user search queries disclosed to third parties contain, without limitation, users’ real names, street addresses, phone numbers, credit card numbers, Social Security numbers, financial account numbers and more, all of which increases the risk of identity theft. User search queries also contain highly personal and sensitive issues, such as confidential medical information, racial or ethnic origins, political or religious beliefs or sexuality, which are often tied to the user’s personal information.The plaintiffs asserted that Google violated the Electronic Communications Privacy Act. The ECPA broadly defines an “electronic communication” as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photo-optical system that affects interstate or foreign commerce… .”

The plaintiffs also alleged that Google violated the Stored Communications Act of 1986 in that “Google intentionally disclosed its users’ communications to third parties to enhance its profitability and revenue. The disclosures were not necessary for the operation of Google’s systems or to protect Google’s rights or property.”

Also, the plaintiffs complained that Google breached its own Terms of Service and Privacy Policy, since the class “agreed to use Defendant’s services and transmit sensitive personally identifiable information to Google in exchange for Google’s promise that it would not share that personal information with third parties without users’ authorization.”

The motion to settle the lawsuit, which came after four days of mediation, includes the following: …the proposed Settlement also requires Google to post disclosures on its website concerning user search queries. As a result of this Settlement, users will be given information about whether their search queries are transmitted to third parties and have the opportunity to make informed decisions about their privacy choices.As part of the settlement Google agreed to pay US$8.5 million in damages, which is “within the range of similar class action settlements.”

Opposition to the Proposal

The Electronic Privacy Information Center last month sent U.S. District Judge Edward Davila a letter opposing the settlement on behalf of Consumer Watchdog, Patient Privacy Rights, the Center for Digital Democracy, and the Privacy Rights Clearinghouse.

The letter contends that Google’s settlement proposal is unacceptable because 1) it fails to require Google to make any substantive changes to its business practices; and 2) it provides no monetary relief to the class.Among other complaints, EPIC specified that because few people ever read privacy notices, Google’s settlement offer to modify its Privacy Policy was a meaningless gesture.

EPIC was very critical of the $8.5 million not going to Google search engine users. Instead, much of the money…is meant to cover settlement administration expenses and part will be paid to the World Privacy Forum, Carnegie-Mellon; Berkman Center for Internet and Society at Harvard University; and Stanford Center for Internet and Society, among others.

In Conclusion

Concerns about Internet privacy are front page news these days. Since Google has more than the lion’s share of the search business, Google’s privacy protection activities remain critical, and other Internet businesses may follow its example in managing privacy for their customers.

As of this writing, Google’s proposed settlement has yet to be accepted or rejected by the trial judge, so this case may not be over.

Peter S. Vogel

E-Commerce Times columnist Peter S. Vogel is a partner at Gardere Wynne Sewell, where he is Chair of the Internet, eCommerce & Technology Team. Peter tries lawsuits and negotiations contract dealing with IT and the Internet. Before practicing law, he was a mainframe programmer and received a Masters in computer science. His blog covers IT and Internet topics.

1 Comment

  • With every passing day data protection becoming a serious problem for the organization. Cloud computing increase the data theft if an organization can’t protect its data users will not trust him. In that context Google are working on data protection its a good step taken by the Google.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Peter S. Vogel
More in Business

E-Commerce Times Channels