LOST THE WAR?: Google Beats a CIPA Case—But the Ruling Likely Paves the Way for Another Generation of California Privacy Claims
Happy Sunday my fellow CIPA followers! I am currently en route to Florida (the Czar is currently snoozing in flight next to me. I have video evidence for anyone who wants it). And traveling cross country always reminds me of how much I love California (including keeping up to date with their new CIPA rulings.)
In litigation there are good wins and bad wins. This is definitely an awful win.
A good win puts away an issue forever. The substantive issue is determined in your favor. And you walk away knowing that sort of claim will never come back.
A bad win is, essentially, the opposite. You walk away on a technicality in that case—usually because the other side screws up—but there will be plenty more to litigate down the line.
So in Hammerling v. Google, the Plaintiffs’ counsel just couldn’t get its act together to allege facts needed to state a viable claim under California law. But the judge made it very clear that he felt the claims were perfectly viable—and there is a critical lesson here for all CIPAWorld dwellers.
So let’s dive in.
The Hammerling Plaintiffs alleged Google was monitoring consumer usage of third-party apps; gleaning information regarding their spending habits—what sort of shoes they’re interested in and whether their kids need braces. Presumably this data would then be analyzed to predict spending habits and provide more targeted advertising—which is all that really matters, these days.
While it is worth pausing to admire the allegations—Google is literally reviewing your use of third-party apps, including what you are doing and saying and to whom—the question is whether this conduct violates California law.
As we are about to see it does— but only when the Plaintiff alleges the magic words.
But first, a small clash on consent. As CIPAWorld dwellers know consent to snoop on our online activities is far easier to obtain then, say, consent to receive telemarketing calls. The latter must be conspicuously and plainly obtained. The former can be slipped into any contract of adhesion serving as a barrier to any old website.
And google argued that by downloading the apps the consumer necessarily consented to let google do whatever it wanted with respect to analyzing the data exchanged with those apps—that’s a bit of hyperbole, but more or less accurate. At the motion to dismiss phase, however, Google’s argument was just too premature and the Court noted there was no way to determine, for sure, what version of its terms and conditions the plaintiff had accepted and whether those terms permitted the specific intrusion of privacy at issue.
So with consent swept aside the court went on to analyze claims pleaded under California’s basic privacy law and the California Invasion of Privacy Act (CIPA).
In California everyone has a right to privacy. In fact it is in our Constitution. And not just a “penumbra” of privacy of the sort that animated the now-dead Roe decision—an ACTUAL expressly stated privacy right exists for each and every California.
But not every invasion of that privacy right gives rise to a claim. Only a “highly offensive” one. And what qualifies as ”highly offensive” is going to depend on what just is considering the case. It is simply too fuzzy of a standard to know, for sure, what triggers protection and what does not.
In Hammerling the Plaintiff argued that Google surreptitiously learned things like so-and-so wears a size 9 slipper and so-and-so has a retirement account with Fidelity, and so-and-so needs braces, and the like. While in a society awarding perfect privacy protections this sort of unauthorized info-gathering might be banned, th eHamerling court found that google did nothing wrong in gather these unsavory deets:
“ data collected from these particular intrusions is not sufficiently egregious to be characterized as highly offensive. Hammerling’s searches of a foot massager, slippers, meal subscriptions, coconut oil, and use of a photo editor are better characterized as data collection of “routine commercial behavior,” not considered a highly offensive violation of privacy.”
So there you go.
That being said—and this is important folks—the Court found that Plaintiffs DO have a reasonable expectation of privacy in the frequency and duration of their use of third-party apps. In other words, the length and nature of people’s internet activity is per se private. But nibbling for small and useless information about those sessions might not be a highly offensive violation of privacy. Critically, however, many reviews of session data will be—not just under CIPA, understand. But under California’s basic privacy rules.
That brings us, at long last, to the CIPA claim.
As we have laid our previously, to state a CIPA claim a defendant must have obtained the “contents” of a web session while it was “in transit” and “in California.”
The Plaintiff in Hamerling alleged that google collected data regarding “when and how often they interact” with third party apps, but particular activity on those apps, including products they searched for and services they used
within the application.” The Court found that this sort of information gathering DID qualify as learning the “content” of communications sent over a wire for CIPA purposes.
But the Plaintiff failed to allege that this content gathering took place while the data was “in transit” and “in California.” Instead, the Plaintiff alleged only that Google collects “real-time data.” But—so what?
“Real time” data can be stored and accessed later—as the court pointed out—so an allegation that data is stored in real time does not mean that it is accessed “in transit.”
Moreover, the mere fact that Google is a resident of California does not meant the “in transit” review took place in California.
In the end the Court found that the Plaintiff could have but simply did not state a claim because they failed to allege Google seized the information in transit in California. Had those allegations been included, however, the claim would have been viable.
When we defend CIPA cases we always focus on where the web session recording took place—i.e. where are the servers used to perform the recording or analysis performing their functions. Less technical lawyers shy away fro asking those questions, but as Hamerling confirms the situs of interception is absolutely critical.
Also keep in mind the difference between “in transit” and “in real time.” They are not the same thing!
In the end, Google won the case but Hamerling stands for the proposition that California consumers have broad and meaningful protections when it comes to their online activities. The lines between what is, and is not, legal are HIGHLY fuzzy, however. If your business monitors online actions by consumers—or makes use of data related to consumer behaviour—please feel free to reach out to discuss.