wyrick.com

Get Lost: Geolocation Privacy Claims Against Google Dismissed

Businesses’ use of geolocation technology is under significant public scrutiny, as demonstrated by a recent New York Times series spotlighting the practice and the attendant privacy risks. Geolocation data practices also recently came under judicial scrutiny in In re Google Location History Litigation, a proposed class action filed in federal district court in the Northern District of California based on Google’s storage and retention of geolocation data from its users’ mobile devices.

While the court dismissed the claims against Google, the case was not a complete victory for the company: the court rejected its argument that user consent provided it a complete defense against the plaintiffs’ claims. The court’s decision offers some important reminders and insights for privacy lawyers and compliance professionals regarding geolocation data practices.

Setting the Scene

The In re Google plaintiffs alleged that they used Google services with Google’s Location History setting deactivated on their devices. When activated, Location History permits Google to collect and store the location of the user’s device at all times—no matter if a Google service is in use. Google represented to users that when they deactivated Location History, “the places you go are no longer stored.” The plaintiffs, however, claimed that statement was untrue.

The plaintiffs asserted California statutory, constitutional, and common law claims that Google violated users’ privacy rights by storing geolocation data. Those claims rested on the allegation that users reasonably believed deactivating Google’s “Location History” setting would prevent Google from storing their geolocation information.

The court framed the claims as limited to Google’s geolocation data storage practices because the plaintiffs acknowledged that Google could lawfully process geolocation data while users were actively using its services. Thus, the issue was not whether deactivating “Location History” prohibited Google from processing geolocation data at all, but whether Google could store and retain that data for purposes other than providing its services.

Google moved to dismiss the plaintiffs’ claims for failure to state a claim. Google argued both that (1) users consented to Google’s geolocation practices, and (2) that the claims were otherwise insufficiently plead.

Consent Horizon

Google first argued that the plaintiffs failed to state a claim because the plaintiffs had both explicitly and implicitly consented to its geolocation data practices.

Google contended that users explicitly consented to geolocation data storage when they agreed to Google’s terms of service and privacy policy. To that end, Google pointed to a statement in its privacy policy that explained “[w]hen you use Google services, we may collect and process information about your actual location.” Google also pointed to a support page created after the plaintiffs filed the lawsuit that disclosed that Google services collected geolocation data when in use.

The court rejected Google’s explicit consent argument. The court found the privacy policy statement irrelevant because the plaintiffs’ allegations centered on whether Google misled the plaintiffs into believing Google would not store their geolocation information, not whether Google would collect and process geolocation data from the use of Google services. The court held that “a reasonable user could believe that disabling Location History prevented [Google] from collecting and storing geolocation data,” regardless of the privacy policy statements. The court also noted the separate support page did not provide a basis for express consent because—when the lawsuit was filed—that support page did not address geolocation data storage. 

Google also argued that users implicitly consented to Google’s collection and use of geolocation data through their use of Google services—such as Google Maps—that required that geolocation data to function. The plaintiffs contested that characterization by noting that any such consent was for transitory geolocation data tracking “for an immediate, discrete purpose” and not “for the indefinite storage of such location information.”

The court held that Google’s “implicit consent” argument could not defeat the plaintiffs’ claims at the pleadings stage. The court first rejected Google’s argument that a user’s consent to contemporaneous and transitory use of geolocation data automatically meant that user consented to geolocation data collection and storage more generally.

The court agreed with Google that the plaintiffs had consented to some form of geolocation tracking “corollary to the use of a Google service.” But the court determined that the plaintiffs plausibly alleged they consented only to geolocation tracking for transitory purposes and withheld their consent to geolocation data storage by deactivating Location History. As that plausible interpretation favored the plaintiffs, the court held that implicit consent did not defeat the claims at the pleadings stage.

But the Claims Are Dismissed

While consent did not provide Google a defense against the plaintiffs’ claims, the court found the complaint’s allegations deficient for other reasons.

The court dismissed plaintiffs’ California Invasion of Privacy Act claim because that statute only regulates unconsented geolocation tracking, not the storage of geolocation information. Because the plaintiffs’ allegations acknowledged that contemporaneous use of geolocation location is appropriate in some settings—such as obtaining driving directions—the court held that geolocation tracking was not at issue.

The court also concluded the plaintiffs insufficiently alleged that Google violated their constitutional and common law privacy rights. Both claims required the violation of a legally protected privacy interest. The court held that the complaint fell short of that standard because the allegations did not claim that Google used the geolocation data to create a “mosaic” of users or that Google collected “sensitive and confidential information” regarding users’ locations. In other words, simply alleging Google stored users’ geolocation data did not establish a violation of a legally protected privacy interest. The court thus dismissed the constitutional and common law claims, but did so without prejudice and granted leave to amend.

Search for Meaning

The court’s analysis in In re Google teaches several lessons about how privacy policies might provide consent-based defenses against similar claims.

  • Implicit consent is limited.

The opinion stresses the limits of implicit consent as a basis for the processing of geolocation information. The court did conclude that users implicitly consented to transitory geolocation tracking to deliver certain services where the tracking is corollary to the services. That implicit consent, however, does not necessarily permit the retention of geolocation data for other uses beyond delivering the service. Users’ explicit consent would have to support that processing.

  • Consider disclosing data storage and retention practices.

While US privacy policy laws do not require businesses to disclose their data storage and retention practices, the court’s opinion shows that there may be an advantage to making those disclosures. The court’s repeated differentiation between the concepts of geolocation tracking and geolocation data storage suggests that disclosing geolocation data tracking or collection without also describing the company’s storage and retention of that data—as Google did in its privacy policy—can limit the company’s ability to rely on consent as a basis for that processing. 

  • Precise disclosures are necessary to establish consent.

The court’s opinion suggests that more precise disclosures may have provided Google a stronger consent-based defense. For example, the court held that the disclosures in effect before the litigation was filed did not support explicit consent because those disclosures did not address Google’s storage and retention of location information.

The opinion thus suggests that providing more detail about its geolocation data practices in those disclosures may have bolstered Google’s position. The court noted that Google’s updated disclosures specifically state that Google saves users’ geolocation data. While the court did not opine on the effect of that update, the fact the court mentioned it suggests that making more precise disclosures from the outset may have strengthened Google’s explicit consent argument.

  • Relying on privacy policies as a basis for consent can be problematic.

Finally, the case shows that obtaining users’ agreement to a privacy policy may not be the best method to establish consent. The court’s conclusion that Google’s general privacy policy did not provide a basis for specific consent suggests that other disclosures—such as a “just in time notice” associated with the Location History setting—might have led to a different outcome on the consent issue.

Conclusion

While the plaintiffs’ claims were dismissed because of pleading deficiencies, this case still offers important lessons to privacy lawyers and compliance professionals. While consent did not defeat the plaintiffs’ claims, more precise disclosures and consent management efforts could have provided a complete defense.