Is That the Way the Cookie Crumbles? Allegations of Circumvention of Cookie Opt-out Embroil Google


On February 16, 2012, The Wall Street Journal reported Google was bypassing the default privacy setting in Apple’s Safari Internet browser. Since the publication of this article, at least three federal class-action lawsuits alleging a variety of privacy-based claims have been filed. Thus far, only Google has been named in these lawsuits, but companies utilizing Google’s code to track user data and activities may be added to existing and future suits.

What Happened
Google and other advertising companies allegedly have been tracking iPhone and other Apple users despite Safari’s attempt to block such tracking. Safari’s default settings prohibit third parties - such as advertising and web analytics firms - from setting tracking cookies without user authorization. This presented a problem for Google, since the company wanted to identify when users were signed in to their Google accounts in order to deliver personalized advertising and the ability to +1 (similar to a Facebook “like”) items online. Google said the company tried to design the +1 ad system to protect people’s privacy and did not anticipate that it would enable tracking cookies to be placed on user’s computers. Microsoft has since claimed that Internet Explorer users were also targeted by the Google code, which allowed for the collection of user data. Google disabled the code that allowed the tracking to occur once contacted by the The Wall Street Journal. Additionally, Google has announced it will allow a “do-not-track” button to be embedded in its Web browser, allowing users to restrict the amount of data that can be collected about them.

Only days following publication of the article in The Wall Street Journal, federal lawsuits were filed in Missouri, Kansas, and Delaware against Google and unnamed Doe defendants. It is likely more lawsuits will quickly follow. These lawsuits generally allege that the plaintiffs suffered an invasion of their privacy, in direct violation of federal law, when Google developed and implemented a secret computer code to avoid the privacy default settings that had been designed by Apple to prevent advertisers and other third parties from secretly monitoring or tracking the Web-browsing activities of Safari users. Specifically, these lawsuits allege violation of the Federal Wiretap Act, the Stored Electronic Communication Act, the Federal Computer Fraud and Abuse Act, as well as unjust enrichment and intrusion upon seclusion. 

Although it is clear that The Wall Street Journal article led directly to the filing of these lawsuits (many of the complaints quote directly from the article), it is less clear whether the plaintiffs have standing and whether current law prohibits Google’s actions. In the Delaware suit, Soble, et al. v. Google, Inc., Case No. 1:12-cv-00200, the plaintiffs assert a cause of action for violation of the Federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”). To prove this claim, the plaintiffs must show that Google: (1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and (3) thereby obtained information (4) from any protected computer (if the conduct involved an interstate or foreign communication), and (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.

One of the foremost issues in these cases surrounds the issue of damages. The CFAA is silent on the issues of punitive damages, and plaintiffs in the current suits will likely struggle to prove any economic damages related to the Google code. Recently, a putative class action suit, In re iPhone Litigation, 2011 WL 4403963 (N.D. Cal. 2011), which asserted, inter alia, violation of the CFAA for the surreptitious tracking of Apple users’ data, was dismissed in part because the plaintiffs failed to allege “a concrete harm from the alleged collection and tracking of their personal information.” Id. at *5. The court cited numerous cases for the proposition that holding the unauthorized collection of personal information by a third-party is not “economic loss.”

Other claims will likely also prove problematic. In the Missouri case, Martorana, et al. v. Google, Inc., et al., Case No. 4:12-cv-00222, the plaintiffs assert a cause of action for intrusion upon seclusion. Under Missouri law, three elements encompass the claim for unreasonable intrusion upon the seclusion of another: (1) the existence of a secret and private subject matter; (2) a right in the plaintiff to keep that subject matter private; and (3) the obtaining by the defendant of information about that subject matter through unreasonable means. Corcoran v. Southwestern Bell Telephone Co., 572 S.W.2d 212, 215 (Mo. Ct. App. 1978). Serious questions exist as to whether the first and third elements of this claim can be met by the allegations as currently pled.

Highlighting these preliminary issues is only the beginning of a legal analysis of these claims, but it displays a few of the significant difficulties plaintiffs in the currently filed lawsuits will face in proceeding.

What It Means
Three suits have been filed against Google, and additional filings are almost certainly imminent. Moreover, the current suits will likely be amended to include numerous companies that work with Google to advertise their products and compile user data. Both the Missouri suit and Kansas suit, Rischar, et al. v. Google, Inc., et al., Case No. 12-cv-2100, name numerous Does as co-defendants with Google. Nonetheless, the plaintiffs in these actions will face significant hurdles in proceeding with their current claims, as discussed above. Companies that have done business with Google should monitor these other lawsuits carefully. As noted above, there may be strong defenses to both current and future allegations related to data tracking activities.

What You Should Do
If you have any questions about how the Google lawsuits or actions might affect your company or if you have any other questions about class-action privacy defense or compliance, please contact your Lathrop Gage attorney or one of the attorneys listed above.