California federal court denied in part Google's motion to dismiss a wiretap law case that stemmed from Google's scanning of Gmail users' messages to create user profiles and serve targeted advertising.
The consolidated multidistrict litigation involves several classes of plaintiffs who alleged that since 2008 Google intercepted, read, and acquired the content of e-mails sent or received by Gmail users. Google then used the information to send targeted ads and to create user profiles, according to the suit.
Plaintiffs argue that such actions stand in opposition to Google's own privacy policies and terms of service and violate the federal Wiretap Act, as amended by the Electronic Communications Privacy Act, the California Invasion of Privacy Act (CIPA), and the laws in Florida, Maryland, and Pennsylvania.
Google raised various arguments in support of its motion to dismiss. Addressing the federal statute, the company argued that the reading of messages fell within the "ordinary course of business" exception and that Gmail users consented to the review.
U.S. District Court Judge for the Northern District of California Lucy H. Koh disagreed. The "ordinary course of business" exception is narrow, she explained, and applies only when "an electronic communication service provider's actions are 'necessary for the routing, termination, or management of the message.'" Intercepting data for the purpose of creating user profiles or providing targeted advertising is a purpose "separate and apart" from the operation of the email service, the court said. The court also cited the fact that Gmail always had separate processes in place for spam and virus filtering.
"There must be some nexus between the need to engage in the alleged interception and the subscriber's ultimate business, that is, the ability to provide the underlying service or good," Judge Koh wrote. Because the plaintiffs alleged that Google's interceptions are for the company's own benefit unrelated to the service of e-mail or the particular user, she said the company did not fall within the protection of the exception.
Turning to the issue of consent, the court concluded that Gmail users or non-Gmail subscribers who received messages from Gmail users did not grant consent for Google to compile user profiles to use their emails to created targeted ads.
The terms of service reserved Google the right to "pre-screen" content, but implied that Google would only do so to filter objectionable material, the judge wrote.
A separate section notifying users they would be subject to targeted ads based on "stored" information was similarly unclear. "The language suggests only that Google's advertisements were based on information 'stored on the Services' – not information in transit via e-mail," the court said. The "policies did not explicitly notify plaintiffs that Google would intercept users' e-mails for the purposes of creating user profiles or providing targeted advertising."
Even Google's 2012 policy update failed to provide enough clarity, Judge Koh wrote. "The new policies are no clearer than their predecessors in establishing consent," she said. "A reasonable Gmail user who read the privacy policies would not have necessarily understood that her emails were being intercepted to create user profiles or to provide targeted advertisements."
The majority of the class claims based on the CIPA also survived Google's motion. Although the court was faced with an issue of first impression, it adopted a broad reading of the statute to encompass email messages.
Judge Koh granted dismissal on two issues: one of the causes of action under CIPA and claims pursuant to Pennsylvania state law, which protects only the sender of a communication from wiretapping (not the recipient). "In an abundance of caution," however, she granted the plaintiffs leave to amend their complaint.
To read the decision in In re: Google, Inc., click here.
Why it matters: Responding to the ruling, Google issued a statement that it was "disappointed" in the decision and will consider its options. "Automated scanning lets us provide Gmail users with security and spam protection, as well as great features," the company said. Privacy advocates hailed the decision as a consumer-friendly interpretation of the law – friendly enough, apparently, that two consumers took note and filed a similar suit against Yahoo just days later. In their complaint, the two California residents argue that Yahoo "intentionally intercepts and reviews the content of their electronic communications for financial gain." The plaintiffs argue that they did not consent to the scanning because they do not have Yahoo accounts and therefore did not agree to the company's terms of service.