On Monday, France’s Data Protection Agency announced that it levied a €50 million ($56.8 million) fine against Google for violating the EU’s new General Data Protection Regulation (GDPR).  The precedent-setting fine by the Commission Nationale de l’Informatique et des Libertés (“CNIL”) is the highest yet imposed since the new law took effect in May 2018.

How Does Google Violate GDPR, According to CNIL?

  • Lack of Transparency: GDPR Articles 12-13 require a data controller to provide data subjects with transparent, intelligible, and easily accessible information relating to the scope and purpose of the personal data processing, and the lawful basis for such processing. CNIL asserts that Google fails to meet the required level of transparency based on the following:
    • Information is not intelligible: Google’s description of its personal data processing and associated personal data categories is “too generic and vague.”
    • Information is not easily accessible: Data subjects must access multiple Google documents or pages and take a number of distinct actions (“5 or 6”) to obtain complete information on the personal data that Google collects for personalization purposes and geo-tracking.
    • Lawful basis for processing is unclear: Data subjects may mistakenly view the legal basis for processing by Google as legitimate interests (that does not require consent) rather than individual consent.
    • Data retention period is not specified: Google fails to provide information on the period that it retains certain personal data.
  • Invalid Consent: Per GDPR Articles 5-7, a data controller relying on consent as the lawful basis for processing of personal data must be able to demonstrate that consent by a data subject is informed, specified, and unambiguous. CNIL claims that Google fails to capture valid consent from data subjects as follows:
    • Consent is not “informed”: Google’s data processing description for its advertising personalization services is diluted across several documents and does not clearly describe the scope of processing across multiple Google services, the amount of data processed, and the manner in which the data is combined.
    • Consent is not unambiguous: Consent for advertising personalization appears as pre-checked boxes.
    • Consent is not specific: Consent across all Google services is captured via consent to the Google Terms of Services and Privacy Policy rather than a user providing distinct consent for each Google personal data use case.

What Does This Mean for Other Companies?

Continue Reading C’est la vie? French Regulator Fines Google Nearly $57 million for GDPR Non-compliance

On July 5, bipartisan Attorneys General from 11 states filed an astonishing brief in the Third Circuit Court of Appeals, asking that court to reject the proposed class action settlement in In re Google Inc. Cookie Placement that would give settlement monies to non-profits rather than class members.

The plaintiffs in Google Cookie allege that Google circumvented the cookie-blocker settings in Microsoft’s Internet Explorer and Apple’s Safari browsers and placed advertising tracking cookies without user consent.  The putative class—theoretically, every user of those hugely popular browsers—obviously is massive.  The “damages” suffered by class members, however, if any, is vanishingly small.

In 2016, Google and the plaintiffs’ counsel reached a proposed $5.5 million class action settlement.  The plaintiffs’ counsel requested a $2.5 million fee, with the balance (after administrative costs) to be distributed to privacy rights non-profits such as the Berkman Center for Internet and Society at Harvard University and the Privacy Rights Clearinghouse.  Individual class members would receive nothing.

The Competitive Enterprise Institute’s Center for Class Action Fairness filed an objection to the settlement, arguing that if money cannot be distributed to class members, then the settlement class should not be certified at all.  The Delaware federal judge hearing the case disagreed and approved the settlement.  The objector took its arguments to the Third Circuit, and now 11 state Attorneys General have joined it.

The AG coalition brief, written by the office of the Arizona Attorney General, took no issue with the amount of the settlement and acknowledged that the settlement class is huge.  They contend, however, that “[d]irecting settlement funds to members of the class wherever feasible is important,” and that “there is a feasible path to distribution here.”  That “feasible path” is where the brief took an unprecedented turn for an AG objection.

“Claims rates in small-dollar cases are reliably in the very low single digits (if not below one percent),” the brief argued, citing cases with low claims rates.  “Even assuming a class in the tens of millions, such a claims rate would result in an economically meaningful” payment of “a few dollars to $15 or $20, if not more) to those lucky “one-percenters.”  That, these Attorneys General argued, “is preferable to making no distribution to any class members.”

In the years since the Class Action Fairness Act of 2005 required federal litigants to notify State AGs of proposed class action settlements, State AGs have taken a leading pro-consumer role in trying to limit the forms that settlements can take.  A multistate AG objection to a coupon settlement a decade ago, for example, has sharply curtailed the use of coupon settlements.  This is the first time, however, that AGs have argued it is better to direct small dollars to a tiny fraction of a large class than to pay millions of dollars to non-profits that ostensibly could advocate on behalf of the interests of the class as a whole. 

It will be very interesting to see how the Third Circuit responds to this argument.

Joining Arizona on the brief were the Attorneys General of Alaska, Arkansas, Louisiana, Mississippi, Missouri, Nevada, Oklahoma, Rhode Island, Tennessee, and Wisconsin.

BRIEF OF ELEVEN STATE ATTORNEYS GENERAL AS AMICI CURIAE IN SUPPORT OF OBJECTOR-APPELLANT AND REVERSAL

Last week, the U.S. Court of Appeals for the Third Circuit revived several privacy claims against Google pertaining to the Internet company’s practice of side-stepping “cookie blockers” on Microsoft’s Internet Explorer and Apple’s Safari browsers.

The Third Circuit found that Google intentionally circumvented “cookie blockers” on Internet browsers by exploiting loopholes found in the cookie blockers and that Google was actually tracking users’ browsing habits without these users’ knowledge.  Meanwhile, Google’s privacy policy as well as a number of other public statements indicated that the company was abiding by the browsers’ cookie-blocking settings.

“Cookie blockers” are features built in to web browsers that allow a user to prevent the installation of cookies by third-party servers.  Internet users have grown wary of Internet “cookies” because cookies can track visits to webpages and clicks throughout the site.  Information collected from cookies is often sold to third-party advertisers or marketers.

The case, In re: Google Cookie Placement Consumer Privacy Litigation, consists of 24 consolidated suits alleging violations of California state law and federal statutes, specifically, the Computer Fraud and Abuse Act (CFAA), the Stored Communications Act (SCA) and the Wiretap Act.  While the Third Circuit decision affirmed the dismissal of claims pertaining to the CFAA, SCA and the Wiretap Act, the Court vacated the trial court’s dismissal of claims under California tort law and the state’s constitutional right to privacy, reviving the suit.

The Third Circuit noted that Google’s actions amounted to “deceit and disregard” as the Company “not only contravened the cookie blockers – it held itself out as respecting the cookie blockers.”  The Court concluded that a reasonable jury could find that Google’s conduct was “highly offensive” or “an egregious breach of social norms” as the Company’s actions touched millions of unsuspecting internet users over an indeterminable amount of time.  Accordingly, the Third Circuit vacated the trial court’s dismissal of the plaintiffs’ claims under the California constitution and California tort law.

While Google’s “cookie blocking” practices sparked both the instant lawsuits and settlements with the FTC and 38 state attorneys general, Google isn’t the only company to come under fire for the use of cookie-blocking technology.  Earlier this week, MoPub Inc., a mobile ad server owned by Twitter, was sued in California court for using “super cookies” to track and store the Internet browsing history of anyone accessing the web through their Verizon smartphone.  The suit alleges that MoPub then used this information to build a personal profile which it then used to send targeted advertising, without subscribers’ knowledge or consent.  Similar to the Google litigation, MoPub is accused of misleading subscribers who believed that their browser’s “opt-out” mechanism would stop MoPub’s tracking.

Companies that use tracking cookies or similar technologies should pay close attention to Google’s current litigation.  Companies should also be aware of their own privacy practices, specifically, what data is being collected, how that data is used, and with whom the company may be sharing that data.  When it comes to privacy policies, companies should clearly communicate their practices to users and then live up to those commitments.