In Google MDL Win, Issues Exposed with Outdated Privacy Laws

In October, a Delaware federal judge tossed a multidistrict litigation (MDL) accusing Google Inc., among other online advertisers, of bypassing Apple Inc.’s Safari web browser privacy settings to illegally track users’ Internet activity. However, attorneys for the plaintiffs say the decision just further establishes the unwillingness of courts to revise outdated privacy laws that fail to cover new uses of personal data online.

It did not interpret modern technology’s application to Congress’ initial intent when writing the privacy law.

The plaintiffs alleged that the advertisers created a code that would override Apple’s established privacy settings on their browsers – which prevents third parties from tracking browsing activities of users – and violated several privacy statues, including the Electronic Communications Privacy Act (ECPA).

In a motion to dismiss, Google argued that the accusations were based on information routinely sent to the company when a user browses a Google ad-containing website, and therefore the alleged secretive cookie placement could not have caused injury. The judge agreed, stating that the plaintiffs lacked standing since they failed to sufficiently allege the ability to monetize their personal information, or that it had been diminished or lost with Google’s collection of cookies.

Enacted in 1986, the ECPA contains outdated portions that fail to address modern privacy concerns. For example, the Act protects “contents” of communications, such as spoken words of a telephone call; however, data including URLs and other personal information – which were allegedly tracked in this case – do not fall under the “umbrella” of content. Although the court acknowledged parts of the ECPA were outdated, it did not interpret modern technology’s application to Congress’ initial intent when writing the privacy law, an attorney for the plaintiffs said. While Congress has previously passed statutes to address new uses of data in the health care and financial regions, personal privacy concerns remain unrevised.

Recently, Google has faced two other rulings under the ECPA, but this has been the first ruling in their favor. In September, the Ninth Circuit rejected Google’s argument that data collected through unencrypted Wi-Fi networks is allowed under an exemption in the ECPA that allows data collection from unencrypted radio communications. Later that month, Google attempted to dismiss a class action lawsuit, arguing that when they scanned users’ emails they fell within the “ordinary course of business” exemption to the ECPA; however, a California federal judge refused to grant the company’s bid for dismissal.