Website owners often struggle to design privacy policies that are not only comprehensive, but also comprehensible. The tension between these competing concerns was in sharp focus in a recent Ninth Circuit decision, Calhoun v. Google, LLC, _ F.4th _, 2024 WL 3869446 (9th Cir. 2024), which reversed the district court’s order that had granted summary judgment for defendant on plaintiffs’ claims under the California Invasion of Privacy Act and related state law claims. The Ninth Circuit confirmed that a privacy policy will only provide a defense to such claims if a “reasonable person” would understand they were consenting to the particular data collection practice.
Background
The Plaintiffs in Calhoun were a group of Google Chrome users who chose not to sync their Chrome browsers with their Google accounts. Id. *2. Chrome offered a feature called “sync” which, when turned on, saves personal information in the user’s Google account which may then be accessed by the user on other computers and devices. Id. Plaintiffs alleged certain personal information (the “at-issue” data) was sent to Google despite the Chrome Privacy Notice’s promise that Chrome would not send Google personal information if sync were turned off. Id. at *9 (noting Google had made a “specific representation in the Chrome Privacy Notice that ‘the personal information that Chrome stores won't be sent to Google unless you . . . turn[] on sync’”). The record also established, however, that the plaintiffs had agreed to Google’s other privacy policies and terms, including the General Privacy Policy, New Account Creation Agreement, and Consent Bump Agreement, which described Google’s data collection practices more broadly. Id. at *10-12.
Analysis
In the district court, Google successfully argued, after a lengthy evidentiary hearing, that because any browser, and not just the Chrome browser, sends the at-issue data to Google, the company’s general privacy policies governed, and not the Chrome Privacy Notice. In other words, the data collection was “browser agnostic,” and the general privacy policies informed consumers that “Google maintains the practices of (a) collecting its users’ data when users use Google services or third party sites that use Google’s services and (b) that Google uses the data for advertising purposes.” Id. at *12-13. The trial court thus entered summary judgment for Google on its consent defense. Id. at *13.
The Ninth Circuit reversed, however, concluding the district court had erred by focusing “on ‘browser agnosticism’ instead of conducting the reasonable person inquiry.” Id. at *7. For Google to prevail on its consent defense, it bore the burden of proving “whether the circumstances, considered as a whole, demonstrate that a reasonable person understood that an action would be carried out so that their acquiescence demonstrates knowing authorization.” Id. at *15. According to the Ninth Circuit, the “governing standard is what a ‘reasonable user’ of a service would understand they were consenting to, not what a technical expert would.” Id.
The Court pointed to the tension between Google’s general privacy policies which stated that: Google collects data about users’ ‘[a]ctivity on third-party sites and apps that use [Google’s] services,’” on the one hand, and the Chrome Privacy Notice which included an affirmative statement that it would not receive information from users “unless you choose to turn on sync” on the other. Id. at *22-23. It concluded that “when the disclosures are read together and in the light most favorable to Plaintiffs, a reasonable user would not necessarily understand that they were consenting to the data collection at issue.” Id. at *23.
Important Takeaways
The Calhoun decision is an important reminder for website owners to closely examine all their privacy policies and terms and conditions that govern data collection on their websites to ensure that the language is consistent and that it can be understood by the ordinary consumer who uses their sites and its services. Particular care should be given when there are multiple, overlapping privacy policies and where the specific data collected depends on which service the consumer uses. Ordinary consumers are not technical or legal experts, so policies must be drafted using language is concise and easy for your typical user to understand.
1 The Court stated Plaintiffs allege “‘Chrome sends the following personal information to Google when a user exchanges communications with any website that includes Google surveillance source code—again, regardless of whether a user is logged-in to Google Sync or not’: a. The users unique, persistent cookie identifiers; b. The user’s browsing history in the form of the contents of the users’ GET requests and information relating to the substance, purport, or meaning of the website’s portion of the communication with the user; c. In many cases, the contents of the users’ POST3 communications; d. The user’s IP address4 and User-Agent information about their device; and
e. The user’s x-client-data identifier.” Id. at *2.
[View source.]
