According to plaintiffs, Google’s RTB auctions share highly specific personal information about individuals with auction participants, including device identifiers, location data, IP addresses, and unique demographic and biometric data, including age and gender. This, the plaintiffs argued, directly contradicted Google’s promises to protect users’ data. The plaintiffs therefore proposed a class definition that included all Google account holders subject to the company’s U.S. terms of service whose personal information was allegedly sold or shared by Google in its ad auctions after June 28, 2016.
But Google challenged this definition on the basis that it “embed[ded] the concept of personal information” and therefore subsumed a dispositive issue on the merits, i.e., whether Google actually shared account holders’ personal information. Google argued that the definition amounted to a fail-safe class since it would include even uninjured members. The Court agreed. As noted by Judge Gonzalez Rogers, Plaintiffs’ broad class definition included a significant number of potentially uninjured class members, thus warranting the denial of their certification motion.
Google further argued that merely striking the reference to “personal information,” as proposed by plaintiffs, would not fix this problem. While the Court acknowledged this point, it concluded that it did not yet have enough information to make that determination. Because the Court denied plaintiffs’ certification motion with leave to amend, it encouraged the parties to address these concerns in any subsequent rounds of briefing.
In addition, Judge Gonzalez raised that plaintiffs would need to demonstrate that the RTB data produced in the matter thus far was representative of the class as a whole. While the Court agreed with plaintiffs’ argument and supporting evidence that Google “share[d] so much information about named plaintiffs that its RTB data constitute[d] ‘personal information,” Judge Gonzalez was not persuaded by their assertion that the collected RTB data would necessarily also provide common evidence for the rest of the class. The Court thus determined that plaintiffs needed to affirmatively demonstrate through additional evidence that the RTB data was representative of all putative class members, and noted for Google that it could not refuse to provide such and assert that plaintiffs had not met their burden as a result.
This decision underscores the growing complexity of litigating privacy issues in the digital age, and previews new challenges plaintiffs may face in demonstrating commonality and typicality among a proposed class in privacy litigation. The decision is also instructive for modern companies that amass various kinds of data insofar as it demonstrates that seemingly harmless pieces of that data may, in the aggregate, still be traceable to specific persons and thus qualify as personally identifying information mandating compliance with the patchwork of privacy laws throughout the U.S.