District Court (Cal.) Allows UCL Claim to Proceed against Google Arising from Alleged Improper Collection of Data

In Calhoun v. Google, LLC, Judge Koh allowed part of a claim against Google to proceed based Google Chrome’s sharing of data with Google.

Plaintiffs are users of Google’s Chrome browser who allege that they “chose not to ‘Sync’ their [Chrome] browsers with their Google accounts while browsing the web . . . from July 27, 2016 to the present.” ECF No. 1 (“Compl.”) ¶ 1. Chrome’s Sync feature enables users to store their personal information by logging into Chrome with their Google account. Id. ¶ 39.1 Plaintiffs allege that “Chrome sends . . . personal information to Google when a user exchanges communications with any website that includes Google surveillance source code . . .regardless of whether a user is logged-in to Google Sync or not.” Id. ¶ 134 (emphasis omitted). According to Plaintiffs, Google’s code “is found on websites accounting for more than half of all internet tracking” and “Chrome is . . . used on a majority [59%] of desktop computers in the United States, giving Google unprecedented power to surveil the lives of more than half of the online country in real time.” Id. ¶¶ 9, 194. Plaintiffs allege Google collects five different types of personal information: (1) “The user’s unique, persistent cookie identifiers”; (2) “The user’s browsing history in the form of the contents of the users’ GET requests and information relating to the substance, purport, or meaning of the website’s portion of the communication with the user”; (3) “In many cases, the contents of the users’ POST communications”; (4) “The user’s IP address and User-Agent information about
their device”; and (5) The user’s X-Client Data Header. Id. ¶ 134. . . .According to Plaintiffs, “Google expressly promises Chrome users that they ‘don’t need to provide any personal information to use Chrome,’ and that ‘[t]he personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google Account by turning on sync[.]’” Id. ¶ 2. Conversely, Google contends that it explicitly disclosed the alleged data collection. Mot. at 3–5. Four documents are of particular relevance regarding Google’s representations to users: (1) Google’s Terms of Service; (2) Google’s Privacy Policy; (3) Chrome’s Terms of Service; and (4) Chrome’s Privacy Notice.

After concluding that Google did not notify users that Google engages in the alleged data collection, the Court addressed the statutory claims under which the Plaintiffs sued.   Judge Koh found no violation of the federal Wiretap Act and Stored Communications Act law because Google had not disclosed the data to a third party, only to itself.

Google contends that Plaintiffs’ unauthorized disclosure claims should be dismissed because Plaintiffs fail to allege that Google divulged the contents of any communication to a third party. Mot. at 11–12, 16–17. The Court agrees with Google. In the instant case, Plaintiffs allege that Chrome “is an ECS.” Compl. ¶¶ 289–90, 316–17. Because Chrome is a Google service,5 the “person or entity providing [the ECS]” is Google. 18 U.S.C. § 2511(3)(a), id. § 2702(a).

Judge Koh allowed the Plaintiff’s UCL claim to proceed, stating that lost personal information is “economic injury” under the UCL’s loss of “money or property” requirement.

First, Google argues that Plaintiffs lack statutory standing under the UCL because they fail
to allege that Google caused them to lose “money or property.” Mot. at 23–24. However, to satisfy the statutory standing requirement under the UCL, a plaintiff must merely suffer an injury in fact that is an “economic injury.” Kwikset Corp. v. Superior Court, 51 Cal. 4th 310, 321–22 (2011). The Court concludes that Plaintiffs have met this requirement. Indeed, the Ninth Circuit and a number of district courts, including this Court, have concluded that plaintiffs who suffered a loss of their personal information suffered economic injury and had standing. See In re Facebook Privacy Litigation, 72 F. App’x 494, 494 (9th Cir. 2014) (concluding that the plaintiffs had plausibly alleged that they experienced harm when their personal information was disclosed in a data breach and they lost the sales value of their personal information); In re Marriott Int’l, Inc. Cust. Data Sec. Breach Litig., 440 F. Supp. 3d 447, 461 (D. Md. 2020) (“[T]he growing trend across courts that have considered this issue is to recognize the lost property value of this information.”); In re Yahoo! Inc. Cust. Data Sec. Breach Litig., 2017 WL 3727318, at *13 (N.D. Cal. Aug. 30, 2017) (holding that plaintiffs had adequately alleged injury in fact based on the loss of value of their personal information); In re Anthem Inc. Data Breach Litig., 2016 WL 3029783, at *14 (N.D. Cal. May 17, 2016) (concluding that the plaintiffs had plausibly alleged injury from the loss of value of their personal information).