A new class action against Google in federal court in San Jose, Calif., claims that Google's collection of web browsing data from individuals who have enabled "private browsing mode" violates the Federal Wiretap Act, 18 U.S.C. § 2511. This novel theory could have broad implications for entities that act as third parties in using cookies to deliver advertising and analytics services.
At issue in Brown et al. v Google are the technical practices associated with the copying of information transmitted from web browsers to websites visited when the websites have installed Google products such as Google analytics (alleged to be installed on 70 percent of websites), Google advertising products, and features such as the Google Sign-In button.
Alleged Violation of the Wiretap Act
The Wiretap Act prohibits the "intentional" acquisition of the contents of a wire, oral, or electronic communication through the "use of any electronic, mechanical, or other device." The codes embedded in Google's analytics and ad cookies, as well as Google's services and the plaintiff's browsers, mobile applications, computers, and mobile devices are alleged by plaintiffs to be "devices" under the Wiretap Act.
The complaint alleges that when the code behind Google's cookies and other tracking technologies sends to Google session data such as IP address and URL visited, such constitutes an intentional acquisition of personal data, via the specified device, in violation of the Wiretap Act. The complaint also includes claims for violation of the California Invasion of Privacy Act (CIPA) and the common law tort of intrusion upon seclusion.
The Brown allegations are framed in an accusation that Google acted nefariously in this data collection because it collected personal information despite the fact that the class action plaintiffs selected the "private browsing mode." Such an accusation misunderstands the nature of this feature, however.
Private browsing mode is a feature available in most browsers which prevents activity such as websites visited and values entered into forms from being saved in the browser history on that device; it is intended to prevent others who use that device from having access to that information and is not intended to be a signal to websites visited or other parties on the internet of the individual's preferences. This claim was likely included to demonstrate that the plaintiffs did not consent to the collection of their data and/or to establish the intended confidentiality of the website interaction.
The complaint seeks to counter a likely argument from Google that it is acting as a service provider on behalf of the website that has displayed its tools by alleging that Google is really collecting information for its own use and uses data it collects via these means to create new Google products.
The detail around private browsing is arguably not necessary to make the Wiretap Act claim; consent is not an element of that law (though express or implied consent is a defense); and while it is an element of CIPA, plaintiffs could have just as easily alleged that they were never asked by Google to agree to the collection of their data. If the practice of using cookies to collect data from others' websites is a violation of the Wiretap Act, it is potentially problematic across many other instances.
Numerous platforms that provide advertising and analytics services set cookies as third parties on websites belonging to other companies; depending on how the website is configured, visitors to these websites may be subjected to collection of their information by these cookies as soon as they visit the site, unless they have set their browsers to block cookies. The Wiretap Act contains a private right of action with statutory damages, which makes such claims attractive to plaintiffs' attorneys.
The complaint also demonstrates how broad statements about a company's commitment to privacy can be used against a company to allege deception, even when the statements have little to do with the practice at issue.
Google has been under fire for its practices related to cookies for some time. In 2012, Google paid $22.5 million to the FTC to settle a claim that it placed cookies used for targeted advertising on devices of Apple Safari browser users, despite public claims that it would honor settings that would have prohibited such.