Last week, the Northern District of California denied a motion for class certification in a multidistrict litigation brought against Google over its alleged practice of scanning Gmail messages in order to serve content-based advertising. In re: Google Inc. Gmail Litigation, 5:13-md-02430 (N.D. Cal.). In sum, the court found that questions relating to whether class members had consented to the practice were too highly individualized to satisfy the predominance requirement based on the myriad disclosures available to class members.

The original complaint in this case dates back to 2010. Six class actions were eventually centralized in the Northern District of California where a consolidated complaint was filed. The complaint sought damages on behalf of individuals who either used Gmail or exchanged messages with those who used Gmail and had their messages intercepted by Google. The causes of action were brought under California’s Invasion of Privacy Act as well as federal and state wiretapping laws (California, Maryland, Pennsylvania and Florida).

In general, the federal Wiretap Act prohibits the unauthorized interception of wire, oral or electronic communications. Under the Wiretap Act, there are several exceptions to this general prohibition, one of which is if the intercepting company has obtained “prior consent.” So, the issue of whether the class members had consented to the interception, either expressly or impliedly, was a central issue in the case.

Google filed a motion to dismiss on the basis that its interception fell within the ordinary course of Google’s business and was therefore exempt from the wiretapping statutes. That argument was rejected by the court. Google also argued that class members had expressly consented to the interception based on Gmail’s Terms of Service and Privacy Policy (collectively, the “Terms”); and even that if they hadn’t viewed the Terms, they impliedly consented to the interception because, per Google, all e-mail users understand and accept the fact that e-mail is automatically processed. In September 2013, the court granted in part and rejected in part Google’s Motion to Dismiss. Only the claims based on California’s Invasion of Privacy Act and Pennsylvania’s wiretapping law (with respect to a subclass) were dismissed; the rest of the claims survived. A month later, the plaintiffs filed their motion for class certification.

What proved fatal for plaintiffs on this go-around was their inability to demonstrate that the proposed classes satisfied the predominance requirement under FRCP 23. There were several proposed classes and subclasses. Members in each of the classes were potentially subject to a different set of disclosures and registration processes. For instance, one of the classes represented users who signed up for Google’s free web-based Gmail service. These users were required to check a box indicating that they agree to be bound by the Terms of Service. Another class was comprised of users of an internet service provider (ISP), Cable One, which had contracted withGoogle to provide e-mail service under the Cable One domain name. Another class consisted of users from educational institutions, such as the University of Hawaii; similar to Cable One, the educational institutions had contracted with Google for e-mail services. For businesses such as the ISPs and the educational institutions, the contract required that the contracting business, not Google, ensure that end users agreed to Google’s Terms of Service.

With respect to the Terms themselves, it is interesting to note that in the court’s order denying Google’s motion to dismiss, the court previously characterized the Terms as “vague at best and misleading at worst.” Per the court, the Terms of Service stated only that Google retained authority to prescreen content to prevent objectionable content, while the Privacy Policy suggested that Google would only collect user communications directed to Google, not among users. And while the contracting businesses, like Cable One and the University of Hawaii, were required to ensure end users were accepting Google’s Terms of Service, there were variations among the businesses as to how they would present the Terms of Service and obtain consent.

Ironically, the fact that the court considered Google’s Terms to be vague or misleading and the fact that the Terms were not presented uniformly to end users appeared to actually help Google avoid certification—it led to more individualized inquiries as to whether the users had given their express consent.

In addition to Google’s Terms, the court noted that there was also a “panoply of sources” where users could have impliedly consented to Google’s practices, such as Google’s Help pages; Google’s Privacy Center; Google’s Ad Preference Manager, which included a webpage on “Ads on Search and Gmail”; Gmail’s interface itself; the Official Gmail Blog; Google’s SEC filings, which includes the statement, “we serve small text ads that are relevant to the messages in Gmail,” and even media reports in such publications as The New York TimesThe Washington PostNBC News and PC World.

The breadth of these sources helped to further convince the court that determining whether class members impliedly consented to Google’s interception was a highly individualized determination and not one based on common questions. Whether each individual knew about or consented to the interception would depend on the sources to which he or she had been exposed. The plaintiffs contended that relying on extrinsic evidence outside of Google’s Terms would violate the parol evidence rule. The court was quick to point out that while that argument might work for a breach of contract case, the parol evidence rule was not applicable under the Wiretap Act, which requires the fact finder to consider all surrounding circumstances in relation to the issue of consent.

Putting aside the question of whether Google’s Terms were in fact vague or misleading, a key takeaway for businesses from this case should be the importance of educating customers about their data practices. Google was able to avoid certification based on the fact that they offered a variety of other opportunities for their customers to learn more about their services and products. Outside of a website or app terms of use and privacy policy, businesses need to understand that the disclosures they make elsewhere can help to educate and inform users about their practices; e.g., on the websites or apps themselves, a “Help” or “FAQ” section, on advertisements or in promotional e-mails or in their subscription or license agreements. Of course, the more disclosures a business offers, the more challenging it can be to make sure that the message being delivered remains consistent. Plus, businesses should revisit their disclosures regularly to make sure that they are clear, conspicuous, current, and forthcoming.

The fact that these cases were brought under wiretapping laws adds another interesting wrinkle. The federal Wiretap Act comes with $100 in statutory damages per day, which could lead to billions of dollars in penalties. Various other web companies have recently faced privacy class actions pursuant to the Wiretap Act over the alleged data mining of user communications, including Yahoo, LinkedIn and Facebook. We’ll continue to monitor this area closely to see how the recent Google decision might affect this wave of cases.

Written By

Frederick Lah, CIPP/C, CIPP/US

Written By

Mark Melodia

Written By

Paul Bond, CIPP/US


If you want to comment on this post, you need to login.
  • Rowin, J. Mar 27, 2014

    Increasing investment to mediate the risk of customers' misunderstandings of the business's data practices is abundantly valid. The requisite privacy statement (and accompanying TOS) is persistently criticized for failing to be succinct and understandable to customers. Responsibile businesses have been providing additional resources, but these are typically ad-hoc invetments in reactionary publicity. The whole business community will benefit if all participate with progromatic investments focusing in on key data use themes. Timing for these programs could not be any better unless they started years back.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»