Siding against Google, a federal appellate court on Tuesday revived a privacy lawsuit brought by Chrome users who said the company wrongly gathered information about their web-browsing activity.
In a unanimous 23-page decision, a three-judge panel of the 9th Circuit Court of Appeals reversed U.S. District Court Judge Yvonne Gonzalez Rogers's determination that the plaintiffs consented to Google's alleged practices, which she said were disclosed in various privacy policies.
The appellate panel ruled that questions regarding Chrome users' consent to data collection require further analysis, and sent the case back to Rogers for additional proceedings.
While the judges didn't definitively decide whether the plaintiffs consented, the ruling suggests that Google's various privacy disclosures were so confusing that they may not have been understandable by most people.
“Whether a 'reasonable' user of Google’s computer software at issue in this case consented to a particular data collection practice is not to be determined by attributing to that user the skill of an experienced business lawyer or someone who is able to easily ferret through a labyrinth of legal jargon to understand what he or she is consenting to,” Circuit Judge Milan Smith, Jr. wrote in an opinion joined by Mark Bennett and Anthony Johnstone.
advertisement
advertisement
They added: “A determination of what a 'reasonable' user would have understood must take into account the level of sophistication attributable to the general public, which uses Google’s service.”
A Google spokesperson said the company disagrees with the ruling and is “confident the facts of the case are on our side.”
The ruling comes in a battle dating to 2020, when Patrick Calhoun and other Chrome users claimed in a class-action complaint that Google violated Chrome's privacy policy, the federal wiretap law, and various California laws by allegedly collecting users' IP addresses and information about web browsing activity.
Calhoun and the others specifically alleged that Google failed to honor the following statement in Chrome's privacy policy: “The personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google account by turning on sync.”
They claimed Google violated that provision by collecting data regardless of whether they had synced their Google account to Chrome.
Google countered that its various privacy policies, taken together, informed Chrome users about the collection of IP addresses and cookie identifiers.
The company also said that the phrase “personal information” in Chrome's privacy policy referred to data such as bookmarks and passwords -- not pseudonymous information such as IP addresses or web-browsing data stored on cookies.
Rogers granted Google's motion for summary judgment, writing in a decision issued last year that statements in Chrome's privacy policy “cannot be read in a vacuum or cherry-picked.”
Calhoun and the others then appealed to the 9th Circuit, where the battle drew attention from outside parties including the Electronic Privacy Information Center.
That organization argued to the 9th Circuit that Google shouldn't have prevailed based on disclosures in the general policies when it also made representations in a Chrome-specific policy.
“When Google makes specific privacy promises to Chrome users, the company should not be allowed to override those promises with blanket disclaimers in its general user agreement,” that group argued.