Google must face claims it violated mobile users' privacy by allegedly sending analytics data about their online activity to outside developers, a federal judge ruled Friday.
In the ruling, U.S. District Court Judge Richard Seeborg in San Francisco rejected Google's position that the case should be dismissed at an early stage on the grounds that the consumers consented to the alleged data transfers.
“As the present controversy throws into sharp relief, navigating Google’s user-facing privacy representations is a singularly fragmented affair,” Seeborg wrote. “Where, as here, a company’s public-facing statements are legitimately confusing, it is not the public’s fault for being confused.”
The decision stems from a class-action complaint brought last July by Anibal Rodriguez and other consumers.
The complaint focused on Google Analytics for Firebase -- a tool that allows developers to learn data about consumers' activity, including the website the user was visiting immediately before visiting the app. Google Analytics for Firebase can also collect data about browsing histories and search queries.
Rodriguez and others alleged that Google uses the Firebase code “to collect users’ communications made via the apps on users’ devices,” regardless of the way users have configured Google's “Web & App Activity” settings.
The users said Google “intentionally created an illusion of user control” with its Web & App Activity setting. The page describing that setting says people's searches and activity from Google services will be saved in their Google account, if they turn on the Web & App Activity settings.
Google urged Seeborg to dismiss the lawsuit, arguing that its Web & App Activity setting only deals with data stored in users' Google accounts, and not data sent to developers.
The company contended that the consumers consented to the alleged data transfers, arguing that apps using Firebase were required to tell consumers about the data collection.
“This case is therefore about the authorized collection of data that users knowingly provided to apps so the app developers could understand the data using Google’s tool,” the company wrote in a motion filed late last year.
Rodriguez and the other consumers countered that they believed the “Web & App Activity” setting would prevent their data from being shared, regardless of any app-specific settings.
Seeborg sided with the consumers on that point, ruling that if all the allegations in the complaint were proven true, the consumers wouldn't have consented to the data transfers.
“The average internet user is not a full-stack engineer; he or she should not be treated as one when Google explains which digital data goes into which digital buckets, and where the corresponding spigots might be found,” he wrote.
The ruling allows the consumers to proceed with claims for “invasion of privacy” and “intrusion upon seclusion,” as well as a claim that Google violated a state computer abuse law.
Seeborg dismissed several other counts, including a claim that Google violated the federal wiretap law. But the ruling allows the consumers to reformulate the claims that were dismissed and bring them again within 21 days.