Google's real-time bidding system violates users' privacy by disseminating their personal data with “thousands” of outside companies, two web users allege in a new lawsuit against the company.
“Google actively sells and shares consumers’ personal information with thousands of entities, ranging from advertisers to publishers to hedge funds to political campaigns and even to the government, through its Google Real-Time Bidding system,” California resident Benjamin Hewitt and Missouri resident Kimberley Woodruff allege in a 118-page class-action complaint filed Friday in U.S. District Court for the Northern District of California.
“The personal information that Google sells, shares and uses includes the very sensitive information Google promised it would not use for advertising purposes,” they add. “These practices are not disclosed to consumers.”
They contend in the complaint that Google “automatically and invisibly sells” bidstream data about users to participants in real-time bidding.
“The bidstream data that Google sells and discloses ... identifies individual account holders, their devices, and their locations; the specific content of their Internet communications; and even highly personal information about their race, religion, sexual orientation, and health.”
How far the case gets in court could depend on how judges define terms like “sale” and “personal information.”
Google has not yet responded to MediaPost's request for comment. But Google (and other companies involved in programmatic advertising) often say that the identifiers used for ad-targeting -- such as cookies or device identifiers -- are pseudonymous, because they don't include people's names.
The complaint alleges that some companies receiving that type of pseudonymous data are able to combine it with other information, including data that would identify people.
But some judges have ruled in the past that pseudonymous data is not personally identifiable. For instance, the 9th Circuit Court of Appeals ruled in 2017 that Roku serial numbers are not personally identifiable because an "ordinary person" wouldn't be able to determine someone's identity simply by knowing that information.
Since then, lawmakers in California passed the Consumer Privacy Act, which defines at least some pseudonymous data as personal information. That law specifically says data that “is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” is personal information.
The California Consumer Privacy Act doesn't empower people to sue over violations, and the extent to which that law's definitions apply to Google's terms of service is unclear.
That law's definition of “sale” also has some ambiguities. While the measure defines “sale” as including transfers and disclosures, it also says transfers made for business purposes, pursuant to contracts with “service providers,” are not sales.