Is Google the New Cookie Monster? Third Circuit Google Case Gives Californians Something to Complain About

By Samuel Daheim

On Tuesday, November 10th, the Third Circuit vacated a district court’s dismissal of freestanding privacy claims against Google Inc. (Google) under California law. Plaintiffs alleged that Google’s actions constituted a breach of privacy, under both California tort law and the California state constitution, when it deceitfully bypassed internet privacy settings in order to track internet usage. The Third Circuit rejected the district court’s ruling that the alleged intrusive practices of the company did not amount to an “egregious breach of social norms” – the standard under the California constitution.

This decision comes out of a class action lawsuit in which twenty-four individual suits were brought under various state and federal privacy laws and consolidated. The suits alleged that technology companies developed a “scheme” to circumvent users’ browser settings in order to track internet communications without consent. A Delaware federal judge dismissed the case on a 12(b)(6) motion brought by defendants after being persuaded that the plaintiffs had not alleged an injury-in-fact from the defendants’ use of tracking cookies. The Third Circuit affirmed the district court’s dismissal of many of the claims for several reasons. However, the appellate panel of the Third Circuit determined that Google’s alleged conduct could amount to a violation of California privacy law.

Google allegedly employed technology to bypass the cookie blocking feature on Apple’s internet browser, Safari. Safari is equipped with a default setting that prevents the installation of tracking cookies by third parties, the so-called “cookie blocking feature.” According to plaintiffs, Google’s privacy policy gave website visitors assurance that by using Safari, visitors could prevent the installation of tracking cookies, as long as the default cookie blocking feature was left on. The plaintiffs alleged that Google’s use of the technology to evade Safari’s cookie blocking feature, in light of its representation to the contrary, violates the California common law tort of intrusion, as well as the right to privacy in California’s constitution.

In its lengthy opinion, the court listed the burdens for bringing successful claims under California law. A violation of privacy arising out of the common law tort of intrusion has two elements: (1) “the defendant must intentionally intrude into a place . . . [in] which the plaintiff has a reasonable expectation of privacy,” and (2) “the intrusion must occur in a manner highly offensive to a reasonable person.” The constitutional violation of privacy claim, similar to the tort claim, requires a showing that: (1) the plaintiff had a legally protected privacy interest, (2) the expectation in such an interest was reasonable, and (3) “that the intrusion is so serious ‘in nature, scope, and actual or potential impact as to constitute an egregious breach of the social norms.’” The court determined that a reasonable jury could find the alleged conduct both “highly offensive” and “an egregious breach of the social norms.” The court rested its conclusion on the deceptive aspect of Google’s actions of “[holding] itself out as respecting the cookie blockers,” while still contravening the browser’s cookie blocking feature.

By adopting a somewhat expansive view of the privacy protections afforded to citizens under California law, the court set a relatively low threshold for plaintiffs to bring this sort of privacy claim. This case stands for the proposition that when a company states a position regarding privacy and data and is found to be doing otherwise, a successful claim could potentially be made based on the same sort of deceitful conduct. It will be interesting to see if, and how many, similar privacy claims arise out of the ruling.
