OneTrust_Square Banner_300x250_DD_ROS_01_19

Last week, the Northern District of California denied a motion for class certification in a multidistrict litigation brought against Google over its alleged practice of scanning Gmail messages in order to serve content-based advertising. In re: Google Inc. Gmail Litigation, 5:13-md-02430 (N.D. Cal.). In sum, the court found that questions relating to whether class members had consented to the practice were too highly individualized to satisfy the predominance requirement based on the myriad disclosures available to class members.

The original complaint in this case dates back to 2010. Six class actions were eventually centralized in the Northern District of California where a consolidated complaint was filed. The complaint sought damages on behalf of individuals who either used Gmail or exchanged messages with those who used Gmail and had their messages intercepted by Google. The causes of action were brought under California’s Invasion of Privacy Act as well as federal and state wiretapping laws (California, Maryland, Pennsylvania and Florida).

In general, the federal Wiretap Act prohibits the unauthorized interception of wire, oral or electronic communications. Under the Wiretap Act, there are several exceptions to this general prohibition, one of which is if the intercepting company has obtained “prior consent.” So, the issue of whether the class members had consented to the interception, either expressly or impliedly, was a central issue in the case.

Google filed a motion to dismiss on the basis that its interception fell within the ordinary course of Google’s business and was therefore exempt from the wiretapping statutes. That argument was rejected by the court. Google also argued that class members had expressly consented to the interception based on Gmail’s Terms of Service and Privacy Policy (collectively, the “Terms”); and even that if they hadn’t viewed the Terms, they impliedly consented to the interception because, per Google, all e-mail users understand and accept the fact that e-mail is automatically processed. In September 2013, the court granted in part and rejected in part Google’s Motion to Dismiss. Only the claims based on California’s Invasion of Privacy Act and Pennsylvania’s wiretapping law (with respect to a subclass) were dismissed; the rest of the claims survived. A month later, the plaintiffs filed their motion for class certification.

What proved fatal for plaintiffs on this go-around was their inability to demonstrate that the proposed classes satisfied the predominance requirement under FRCP 23. There were several proposed classes and subclasses. Members in each of the classes were potentially subject to a different set of disclosures and registration processes. For instance, one of the classes represented users who signed up for Google’s free web-based Gmail service. These users were required to check a box indicating that they agree to be bound by the Terms of Service. Another class was comprised of users of an internet service provider (ISP), Cable One, which had contracted withGoogle to provide e-mail service under the Cable One domain name. Another class consisted of users from educational institutions, such as the University of Hawaii; similar to Cable One, the educational institutions had contracted with Google for e-mail services. For businesses such as the ISPs and the educational institutions, the contract required that the contracting business, not Google, ensure that end users agreed to Google’s Terms of Service.

With respect to the Terms themselves, it is interesting to note that in the court’s order denying Google’s motion to dismiss, the court previously characterized the Terms as “vague at best and misleading at worst.” Per the court, the Terms of Service stated only that Google retained authority to prescreen content to prevent objectionable content, while the Privacy Policy suggested that Google would only collect user communications directed to Google, not among users. And while the contracting businesses, like Cable One and the University of Hawaii, were required to ensure end users were accepting Google’s Terms of Service, there were variations among the businesses as to how they would present the Terms of Service and obtain consent.

Ironically, the fact that the court considered Google’s Terms to be vague or misleading and the fact that the Terms were not presented uniformly to end users appeared to actually help Google avoid certification—it led to more individualized inquiries as to whether the users had given their express consent.

In addition to Google’s Terms, the court noted that there was also a “panoply of sources” where users could have impliedly consented to Google’s practices, such as Google’s Help pages; Google’s Privacy Center; Google’s Ad Preference Manager, which included a webpage on “Ads on Search and Gmail”; Gmail’s interface itself; the Official Gmail Blog; Google’s SEC filings, which includes the statement, “we serve small text ads that are relevant to the messages in Gmail,” and even media reports in such publications as The New York TimesThe Washington PostNBC News and PC World.

The breadth of these sources helped to further convince the court that determining whether class members impliedly consented to Google’s interception was a highly individualized determination and not one based on common questions. Whether each individual knew about or consented to the interception would depend on the sources to which he or she had been exposed. The plaintiffs contended that relying on extrinsic evidence outside of Google’s Terms would violate the parol evidence rule. The court was quick to point out that while that argument might work for a breach of contract case, the parol evidence rule was not applicable under the Wiretap Act, which requires the fact finder to consider all surrounding circumstances in relation to the issue of consent.

Putting aside the question of whether Google’s Terms were in fact vague or misleading, a key takeaway for businesses from this case should be the importance of educating customers about their data practices. Google was able to avoid certification based on the fact that they offered a variety of other opportunities for their customers to learn more about their services and products. Outside of a website or app terms of use and privacy policy, businesses need to understand that the disclosures they make elsewhere can help to educate and inform users about their practices; e.g., on the websites or apps themselves, a “Help” or “FAQ” section, on advertisements or in promotional e-mails or in their subscription or license agreements. Of course, the more disclosures a business offers, the more challenging it can be to make sure that the message being delivered remains consistent. Plus, businesses should revisit their disclosures regularly to make sure that they are clear, conspicuous, current, and forthcoming.

The fact that these cases were brought under wiretapping laws adds another interesting wrinkle. The federal Wiretap Act comes with $100 in statutory damages per day, which could lead to billions of dollars in penalties. Various other web companies have recently faced privacy class actions pursuant to the Wiretap Act over the alleged data mining of user communications, including Yahoo, LinkedIn and Facebook. We’ll continue to monitor this area closely to see how the recent Google decision might affect this wave of cases.

Written By

Frederick Lah, CIPP/C, CIPP/US

Written By

Mark Melodia

Written By

Paul Bond, CIPP/US

1 Comment

If you want to comment on this post, you need to login.

  • Rowin, J. Mar 27, 2014

    Increasing investment to mediate the risk of customers' misunderstandings of the business's data practices is abundantly valid. The requisite privacy statement (and accompanying TOS) is persistently criticized for failing to be succinct and understandable to customers. Responsibile businesses have been providing additional resources, but these are typically ad-hoc invetments in reactionary publicity. The whole business community will benefit if all participate with progromatic investments focusing in on key data use themes. Timing for these programs could not be any better unless they started years back.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»