Google suffers Chrome legal setback
Clear privacy communications and the ‘reasonable user’
Posted: September 9, 2024
A California appeal court has sided with plaintiffs who allege that Google has misled consumers about how it collects personal information from Chrome browser users.
The complaint alleges that Google falsely claimed that it would not collect personal information from people who chose not to sign into Chrome and sync their accounts between devices.
An August 2024 appeal court opinion found that a “reasonable user” could be misled by Google’s privacy communications, rejecting previously successful arguments based on technical “jargon” that only lawyers would understand.
Background to the case
The case against Google was first filed in 2020 on behalf of California Chrome users. The plaintiffs allege that Google misled them by making false claims about privacy in Chrome.
Chrome users have two options for managing their data in Chrome: Sync and Basic.
Sync Mode requires the user to sign in to a Google account. The user can then access their Chrome data, such as bookmarks, browsing history, and open tabs, across devices.
To achieve this synchronization, Sync Mode sends data to Google’s servers. As such, some privacy-conscious Chrome users might wish to use Basic Mode instead.
In Basic Mode, the user doesn’t sign into their Google account via Chrome. The browser can still save the user’s bookmarks, history, and other data locally, but the user cannot access such data across devices.
Google stated in its Chrome Privacy Notice that in Basic Mode, “the personal information that Chrome stores won’t be sent to Google”.
Was the Chrome Privacy Notice misleading?
While Chrome sends data about users’ preferences and history in Sync Mode, the court heard that Google still collects some data about users in Basic Mode – in much the same way Google collects data about almost everyone online.
Google offers a suite of business tools to third-party website operators. Google uses these tools, most of which are free, to collect data about third-party website visitors for purposes such as ad measurement and analytics.
As such, Google will collect data about people who visit third-party websites running, for example, Google Analytics – including those using Chrome, in Basic or Sync Mode, and those using other browsers.
So, while it’s true that Chrome doesn’t send Google data about Basic Browser users’ open tabs, browsing history, or bookmarks, the company does still collect some information about Basic Browser users.
Such information can include cookies, IP addresses, and a unique “header” indicating that the user is running Chrome. These sorts of data are considered “personal information” under California law.
The plaintiffs’ legal claims
The case alleges that Google violated a long list of laws, including:
- California’s Invasion of Privacy Act (CIPA). This decades-old law prohibits “wiretapping”, which can include collecting personal information without a person’s consent.
- California’s Unfair Competition Law (UCL). The plaintiffs claim Google’s promises broke this consumer protection law.
- “Intrusion upon seclusion”. This common law “tort” protects people’s private sphere and communications.
A key question for the court was whether Chrome Basic Mode users had consented to Google’s collection of their personal information.
In this context, the court considered “consent” in terms of contract law. Essentially, did users know what they were signing up for?
The plaintiffs acknowledged that they had agreed to the Chrome Privacy Notice (note that, in this context, the notice was treated as a contract) but argued it was misleading.
Google conceded that it collected some personal information from Chrome Basic Mode users but argued that the Chrome Privacy Notice did not apply.
Google’s other terms
Google countered that, with one exception, it only collected so-called “browser agnostic” data from Basic Mode users.
As such, the company argued that the Chrome Privacy Notice was not relevant. Google pointed to its other contracts – like the Google Privacy Policy and its various Terms of Service agreements – which explain how the company collects personal information about all internet users.
As it happens, all the plaintiffs in this case had Google accounts – and as such, all had agreed to one or other of these policies at some point before bringing the case.
At an earlier stage in this case, a District Court agreed with Google on this point, finding that the plaintiffs had consented to the collection of cookies, IP addresses, header data, etc., when they signed up for Google accounts.
But more recently, the Ninth District Court of Appeal disagreed with the lower court’s reasoning and ordered it to reconsider.
The ‘reasonable user’
The Court of Appeal said that the lower court had addressed the wrong question.
The issue is not whether Google’s collection of personal information was “browser agnostic” – most Chrome users were unlikely to understand or assess this sort of technical distinction.
The appeal court said Google’s defense hinged on technical jargon that was not accessible to most of its users.
What matters is what the “reasonable user” believed they were signing up for when choosing Chrome Basic Mode over Sync Mode.
The “reasonable Basic Browser user” might not expect Google to collect their personal information after reading the Chrome Privacy Notice, which stated that “the personal information that Chrome stores won’t be sent to Google”.
The case has not yet concluded, but the opinion represents a partial victory for the plaintiffs and provides clear lessons for businesses:
- Take care with how you describe your data-processing activities.
- Don’t expect your users to understand technical language or legal jargon.
- Keep privacy communications clear, honest, and accurate.