• by Wendy Davis  @wendyndavis, Yesterday

Google must face claims that it wrongly obtained web users' identifiable information from healthcare websites that used its analytics tool, a federal judge ruled late last week.

The ruling, issued by U.S. District Court Judge Vince Chhabria in San Francisco, only allows users to proceed with claims over data that was allegedly collected before Google revised its instructions to healthcare sites -- which happened at some point in 2023.

The decision comes in a dispute dating to May 2023, when a web user proceeding as an anonymous “Jane Doe” alleged that Google wrongly collected her sensitive health data. She specifically alleged that she used Planned Parenthood's site to search for an abortion provider, and received treatment at the reproductive health-care center's affiliate in Burbank, California.

Her complaint referred to an investigation by the app Lockdown Privacy, which reported in 2022 that Planned Parenthood's site used third-party analytics tools leaked “extremely sensitive data" to third parties including Google, Meta and TikTok.

Soon after she sued, other anonymous plaintiffs alleged in a separate complaint that Google collected health information from a variety of healthcare sites.

The complaints, which were consolidated in 2023, include claims that Google violated wiretap laws.

Google argued that the case should be dismissed for numerous reasons, including that any data sent by healthcare sites wouldn't be personally identifiable.

Counsel for the plaintiffs countered that the health-related data allegedly sent to Google, including pages visited, could be tied to individual users through other information, such as IP addresses.

Chhabria sided against Google for now, ruling that the allegations, if proven true, could support a finding that the health data could be tied to particular individuals.

“Certainly it would be reasonable to infer that Google, out of anyone, would be able to use an IP address to connect information to an identifiable person,” he wrote.

“As the plaintiffs point out, Google has access to vast amounts of information through its various products, and because the range of information collected by those products is so broad, it’s plausible that Google would know enough about the activity of an IP address to be able to tie it to an identifiable person, say, through the information that person provides while setting up a Google account or shopping on another website,” he added.

Google also argued the case should be dismissed on the grounds that the company never intended to capture health information.

“Out of the box, Google Analytics is agnostic as to the subject matter of the website on which it’s installed,” Google argued in papers filed with Chhabria in March. “It works the same by default whether installed by a sneaker company or a hospital.”

Chhabria sided with Google on that point -- but only for data collected after Google revised its help page in 2023.

“At some point in 2023, apparently in response to growing concerns about Google and other pixel firms obtaining people’s private health information, Google updated its help pages to explain to providers (and other customers) how they can and must avoid sending health information to Google,” Chhabria wrote.

But he also ruled that the users could attempt to prove that prior to 2023, Google intended to collect health related data -- though he expressed doubt that the plaintiffs would succeed.

“It seems much more likely that the evidence will ultimately reflect negligence or recklessness on Google’s part, not an intent to have clients using the products in a way that would cause the transmission of communications containing private health information. But judicial skepticism is not a reason to throw out the claims,” he wrote.

He set a July 11 date for further proceedings.