Chrome users who refused to sync their Google accounts with their browsing data scored a major privacy victory this week, after previously losing a proposed class action lawsuit that alleged Google secretly collected personal data without consent from more than 100 million Chrome users who opted out of syncing their Google accounts.
On Tuesday, the 9th U.S. Court of Appeals overturned the previous court's finding that Google had properly obtained consent for the disputed data collection.
The appeals court said the U.S. district court erred in holding that Google's general privacy policy guaranteed consent for the data collection. The district court failed to consider conflicts with Google's Chrome Privacy Notice (CPN), which stated that “users' choice not to sync Chrome with their Google accounts meant that certain personal information would not be collected and used by Google,” the appeals court ruled.
Rather than analyzing the CPN, it appears that the U.S. district court fully agreed with Google’s argument that the CPN didn’t apply because the data collection at issue was “browser-agnostic,” occurring regardless of whether a user was browsing with Chrome or not. But the appeals court, by a vote of 3-0, did not.
According to Judge Milan Smith, the district court should have reviewed the terms of Google's various disclosures and decided whether a reasonable user reading the disclosures would believe he or she was consenting to the data collection.
“By focusing on 'browser agnosticism' rather than conducting the reasonable person test, the district court failed to apply the proper standard,” Smith wrote. “Viewed in the light most favorable to plaintiffs, browser agnosticism is irrelevant because nothing in Google's disclosures is tied to what other browsers do.”
Smith appeared to suggest that the U.S. district court was wasting time holding a “7.5-hour hearing during which expert testimony was provided on 'whether the data collection at issue'” was “browser-agnostic.”
“Rather than attempting to determine how a reasonable user would understand Google's various privacy policies,” the court wrongly “let the case hinge on a technical distinction that is unfamiliar to most 'reasonable'” users, Smith wrote.
Now, the case has been sent back to the U.S. District Court, where Google will face trial over its alleged failure to obtain consent for its data collection. If the class action is certified, Google could face paying currently unknown damages to Chrome users who opted out of syncing between 2016 and 2024.
According to Smith, the focus of the trial is on weighing the CPN terms and determining “what a 'reasonable user' of a service would understand when giving consent, not what a technical expert would understand.”
The same privacy policy led to a settlement last year between Google and Chrome users whose data was collected despite using incognito mode.
Matthew Wessler, an attorney representing Chrome users who is prosecuting the case, told Ars that “we are pleased with the Ninth Circuit's decision” and “look forward to bringing this case to trial on behalf of Chrome users.”
Google spokesman José Castañeda told Ars that Google disputes the decision.
“We disagree with this ruling and are confident the facts of this case are on our side,” Castañeda told Ars. “Chrome Sync helps people use Chrome seamlessly across their devices and has clear privacy controls.”