• by Wendy Davis , Staff Writer @wendyndavis, March 18, 2021

Siding against Google, a federal judge has refused to dismiss a privacy lawsuit claiming that the Chrome browser collects personal information from logged-out users -- including their IP addresses, identifiers stored on cookies, and data about web-browsing activity.

In a decision issued Wednesday, U.S. District Court Judge Lucy Koh in San Jose rejected the company's argument that Chrome users consent to the data collection.

“Google’s representations might have led a reasonable user to believe that Google did not collect his or her personal information when the user was not synced,” Koh wrote. “Accordingly, Google cannot show that plaintiffs expressly consented to Google’s collection of data.”

The ruling marks the second time in recent days that Google has lost a bid to dismiss a privacy case at an early stage.

Late last week, Koh refused to throw out a class-action complaint alleging that the company collected data from Chrome users who browsed in incognito mode.

Wednesday's ruling stems from a class-action complaint filed last July by Patrick Calhoun and three others, who alleged the company harvested a trove of data from Chrome users, even when they are logged out of their Google accounts.

Among other claims, they said Google violated Chrome's privacy policy, as well as the federal wiretap law and various California laws -- including prohibitions against theft, and against “intrusion upon seclusion.” The latter is a broad privacy concept involving an intentional and “highly offensive” intrusion into a private place.

Google urged Koh to dismiss the case at an early stage, arguing that consumers consented to the data collection.

The company specifically told Koh its privacy policy informs users that the company collects data, including search queries, IP addresses and cookies.

But Koh found those disclosures lacking for a few reasons, including that Chrome makes the following promise to users: “The personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google account by turning on sync.”

Google argued that the “personal information” referred to in that sentence only includes data like names, email addresses, financial information or financial data -- and not pseudonymous data like IP addresses or cookies.

Koh rejected that argument, noting that California defines personal information broadly enough to cover pseudonymous data. The California Consumer Privacy Act specifically provides that personal information is data that could “reasonably be linked, directly or indirectly, with a particular consumer or household” -- including browsing history and search history.

While Koh dismissed some claims, including allegations that Google violated the federal wiretap law, she said Calhoun and the others could reformulate those claims and bring them again.

Far more significantly, she said Calhoun and the others could proceed with a host of other counts, including claims that Google broke its contract with users, and that the company intruded on users' privacy.

In what's probably the most surprising part of the ruling, she said the users could proceed with claims that Google violated a law against larceny “by stealing plaintiffs’ personal information.”

Google argued that the data at the center of the case isn't “property,” and that it wasn't stolen but copied.

Koh rejected both of those argument, writing that the trend across the country is to recognize a property interest in personal information, and that copying can be a form of theft.

A Google spokesperson suggested the company could revise its polices in the future. “Privacy controls have long been built into our services, and we continue to make improvements to provide greater transparency and put users in control," the spokesperson said.

Koh's two recent rulings against Google come as the company is under increased scrutiny over privacy, as well as its own data-gathering capabilities.

This month alone, Google managed to draw the ire of privacy advocates as well as state law enforcement officials by unveiling a plan to harvest Chrome data to power behavioral ad targeting.

The plan involves placing Chrome users into audience segments, or “cohorts,” based on their web-browsing activity, and then transmitting data about those segments directly to publishers through a Javascript API.

The digital rights group Electronic Frontier Foundation, which calls the plan terrible, notes that Chrome users would no longer be able to surf the web without also transmitting information about their potential interests. The organization also warned that any information sent by Chrome to publishers can serve as a data point for device fingerprinting -- a tracking technique that involves identifying users based on data about their computers, including operating systems, IP addresses, browser versions, installed fonts and plug-ins.

On Tuesday, 15 attorneys general alleged that Google's new plan is anticompetitive, arguing that it “puts Google’s Chrome browser at the center of tracking and targeting.”