Last week, the Northern District of California dismissed a putative class action lawsuit against Google, which alleged that the company used a secret program called “Android Lockbox” to spy on Android smartphone users. See Order Granting Motion to Dismiss, Hammerling v. Google LLC, No. 21-cv-09004-CRB (N.D. Cal. July 18, 2022). The complaint alleged ten different claims for relief under a variety of legal theories, including privacy, fraud, contract, and California’s Unfair Competition Law. The Court granted Google’s motion to dismiss on all claims. Although the Court gave plaintiffs leave to amend, it noted that the deficiencies in the complaint “will be difficult to cure,” signaling that plaintiffs face an uphill battle in keeping this lawsuit alive.

According to the complaint, for years Google collected sensitive personal data from Android smartphone users without their knowledge or consent. Specifically, plaintiffs allege that Android Lockbox was a secret initiative whereby Google tracked real-time data on usage and engagement of third-party apps on Android devices and then used this data to compete against leading social media platforms. Importantly, plaintiffs allege that Google never disclosed the full extent of this data collection in its privacy policy. Through this data tracking, plaintiffs allege that Google can also learn private details of a user’s life, such as sleep schedules, menstrual cycles, or exercise patterns based on the user’s interactions with relevant apps.

Plaintiffs’ allegations of Google’s secret collection of sensitive data proved insufficient to state a claim for relief. Plaintiffs’ privacy claims failed because the Court held that such data collection was not highly offensive to a reasonable person, noting that app usage and engagement was not sufficiently specific or personal to be highly offensive. For example, while Plaintiffs alleged that Google tracked information such as the length of time a user used a fertility tracking app, they did not allege that Google collected information that the user input into the app. As to the fraud claims, although the Court found that plaintiffs plausibly alleged that Google’s privacy policy contained material omissions regarding the company’s data collection practices, the Court held that plaintiffs failed to plausibly allege that they relied on any misrepresentation. The Court rejected plaintiffs’ contract claims because plaintiffs could not show the requisite breach. Finally, plaintiffs’ UCL claim failed because the Court held they did not allege a fraudulent, unlawful, or unfair practice.

This was the second defeat for plaintiffs alleging privacy violations arising from Andriod Lockbox. Last fall, another judge in the Northern District sent a similar lawsuit to arbitration. See McCoy v. Google, 2021 WL 6882419 (N.D. Cal. Nov. 9, 2021). These cases demonstrate the hurdles plaintiffs face in bringing data privacy claims, and offer insight into possible defenses for technology companies facing such lawsuits.