Whether Google can assert an affirmative consent defense to a privacy claim when the company promised users specific privacy protections to limit the collection of their personal information but disclaimed any liability in contradictory general disclosures.
In contractual and tort privacy claims, the defendant bears the burden to prove the affirmative defense of consent. Courts in California have held that a defendant asserting the consent defense must show that the user provided actual consent to the specific conduct at issue, whether express or implied. In the data privacy context, a defendant relying on disclosures in its terms of service must show that a reasonable user would have understood from the disclosures that they the defendant was engaged in the specific practice at issue.
Over the past few decades, large tech companies have relied on lengthy and complicated disclosures in their terms of service to sidestep liability for privacy invasions. This use of privacy policies to enable data collection is central to the notice and choice regime that has fundamentally undermined user privacy. This framework rests on the fallacy that if a company notifies users of its data practices, a user can choose whether to consent to such practices. In reality, privacy policies are too complicated, difficult to understand, and misleading for users to be adequately notified. And large data controllers have too much knowledge and power compared to the average internet user for the user to choose to limit the collection and use of their personal information.
Simultaneously, individuals have expressed and demanded a desire to be tracked less online. People generally want privacy and wish for their information to be collected, shared, and retained less. Knowing this, large tech companies have in many cases offered users “privacy” in a bait-and-switch schemes to persuade them to use their services and give up more of their personal information while users believe they have heightened privacy protections.
The Plaintiffs sued Google for privacy tort claims, contract claims, and violations of California’s Unfair Competition Law. The Plaintiffs in this case are Google Chrome users who reasonably believed that Google would limit the collection of their browser history and other personal information. Google represented to Chrome Users that it would give them special privacy protections for browsing history data by not collecting it unless the users chose to sync that data to the cloud. But, in fact, Google did collect and transfer information about Chrome user’s browsing habits. Gooogle argued that these users had nevertheless consented to the collection and transfer of their sensitive browsing data based on general disclosures in its user agreement.
In 2021, the district court denied Google’s motion to dismiss, finding that a reasonable user could have understood Google’s contradictory promises to prevent actual consent to Google’s data collection. In 2022, Google moved for summary judgment on its affirmative defense of consent. The district court granted Google’s motion, finding that no reasonable jury could have found that any Chrome user understood Google’s conflicting disclosures to notify a user that Google would collect the users’ information that it promised it would not collect in the specific Chrome Privacy Notice—such that the general disclosure constituted actual consent. The district court held a 7.5-hour hearing with 8 witnesses to explain Google’s data collection and sharing practices. The district court opined that because Google collects some of the at-issue data from other wholly unrelated third-party browsers, the contradictory disclosures provided by Google sufficiently informed users of Google’s data practices to establish user consent. The Plaintiffs then appealed this decision to the Ninth Circuit Court of Appeals.
EPIC’s brief supports the Plaintiffs’ arguments that a jury could find that a reasonable user understood Google’s specific heightened privacy promises contained in the Chrome Privacy Notice to mean that Google would not collect the information it expressly promised not to and therefore that Google did not establish the affirmative defense of consent.
EPIC’s brief explained that in its reasonable user test to determine whether Google had established actual consent, the Court should: (1) give substantial weight to the specific heightened privacy protections provided in the Chrome Privacy Notice; (2) recognize the reasonable expectations of users’ to not be tracked online; and (3) consider that users cannot have meaningful choice with respect to the collection of their personal information when a company can assert a consent defense by pointing to a general disclaimer that contradicts a specific promise.
First, when evaluating an affirmative consent defense, the Court cannot allow Google to be shielded from liability when it uses general disclosures that expand the scope beyond what consumers reasonably expect. If the Court finds for Google, this invites a race to the bottom: large companies will make promises to users to protect them and will simultaneously disavow those promises in a general disclaimer. Under this rationale, companies will continue to extract data from individuals and fuel the harmful commercial surveillance system. Companies will continue to amass information and power over the average user, further entrenching the power and information asymmetry between companies like Google and internet users.
Second, the Court should consider that internet users do not wish to be tracked online and this wish should inform the Court’s reasonable user analysis. Google knows that users want privacy online. Google exploits this. Google specifically offers privacy protections to induce people to use its services only to violate their privacy by over collecting their information to profile them. This harmful and misleading practice leads users to resign their privacy. Why would any internet user read dense privacy policies and navigate complicated privacy toggles if companies like Google can assert a consent defense by pointing to a general disclaimer?
Third, the history of the failed notice and choice regime has undermined user privacy and prevented actual consent for decades. Notice and choice is a myth perpetuated by Google and other large data holders for decades where users believe they have more control over their personal information and privacy than they do. The Court should consider that finding for Google will affirm and extend this broken system and will ultimately further erode user privacy and consent online.