Opinion
20-cv-04688-RS
04-05-2024
ANIBAL RODRIGUEZ, et al., Plaintiffs, v. GOOGLE LLC, Defendant.
ORDER GRANTING IN PART MOTION TO “CLARIFY” CLASS DEFINITION
RICHARD SEEBORG Chief United States District Judge.
I. INTRODUCTION
This a privacy class action against Google with three claims: intrusion upon seclusion, invasion of privacy, and violation of the Comprehensive Computer Data Access and Fraud Act (CDAFA), Cal. Penal Code § 502 et seq. Plaintiffs represent class members who had certain Google privacy settings, referred to as Webb App & Activity (WAA) and supplemental Web App & Activity (sWAA), turned off during the class period. Two classes were certified on January 3, 2024, and the parties now seek to disseminate class notice. Accordingly, Plaintiffs filed a motion to direct notice to class members, seeking approval of the proposed notice plan. However, during the parties' meet and confer regarding class notice, a dispute arose about whether certain categories of Google accounts are part of the class. This threshold issue, which was not briefed by either side at class certification, must be resolved before notice may be issued. Supplemental briefing was consequently ordered, and Google subsequently filed the instant motion for clarification of the class definition.
II. BACKGROUND
The two classes certified in this case are defined as:
Class 1: All individuals who, during the period beginning July 1, 2016 and continuing through the present (the “Class Period”), (a) had their “Web & App Activity” and/or “supplemental Web & App Activity” setting turned off and (b) whose activity on a non-Google-branded mobile app was still transmitted to Google, from (c) a mobile device running the Android operating system, because of the Firebase Software Development Kit (“SDK”) and/or Google Mobile Ads SDK.
Class 2: All individuals who, during the Class Period (a) had their “Web & App Activity” and/or “supplemental Web & App Activity” setting turned off and (b) whose activity on a non-Google-branded mobile app was still transmitted to Google, from (c) a mobile device running a non-Android operating system, because of the Firebase SDK and/or Google Mobile Ads SDK.
At the most recent case management conference, the parties agreed to submit their proposed class notice plan on February 29, 2024. That motion was timely filed, however the parties identified two lingering issues that required resolution before class notice could be disseminated. The first issue pertained to directing notice via email to class members and the security of that data, and on March 8, 2024, the parties submitted a joint letter brief stating that issue was resolved.
The second dispute is the subject of the instant order. The parties disagree whether two categories of Google accounts are included in the class definition: Enterprise Dasher (“Dasher”) accounts, or accounts created by businesses or organizations for their employees or other members, and Supervised Unicorn (“Unicorn”) accounts, i.e., accounts created for children under thirteen by their parents. Dasher accounts are managed by an enterprise administrator, who controls both the initial account settings, including the WAA and sWAA settings, and the range of Google services available to a user. Monsees Decl. ¶ 5-7. A Dasher user does not set the Google privacy settings, including WAA and sWAA, when creating the account. Id. at ¶ 7. However, if a Dasher user turns WAA off, an enterprise administrator may not necessarily override that decision. Ruemmler Tr. at 173:18-23. Similarly, a Unicorn account is designed for children under the age of thirteen, created and supervised by their parents or guardians. Id. at ¶ 8. A separate Google account belonging to the parent or guardian is necessary to create and manage the Unicorn account's settings, including privacy-related settings. Id. Some Unicorn accounts do not even have associated Google email addresses. Like Dasher accounts, Unicorn users do not see or set WAA or sWAA settings at account creation. Id. at ¶ 11. The parent or guardian has the authority to decide whether the Unicorn user can modify their activity controls at all. Id. at ¶ 9. The account disclosures for Unicorn accounts are identical to those of regular Google accounts, except they replace “your data” with “your child's data.” Fair Tr. at 172:21-23; Dkt. 377-6. Google suggests it did not raise this issue in opposition to class certification because it assumed that individuals “who cannot enable or disable sWAA should [not] be in the classes defined by Plaintiffs.” Plaintiffs, on the other hand, charge Google with raising these objections belatedly, risking prejudice to individuals who thought this case included their account types, and maintains that including these account types is consistent with the aims of this litigation.
III. LEGAL STANDARD
A court retains jurisdiction to rescind, alter, or amend the class certification order prior to final judgment in “light of subsequent developments in the litigation,” for the order is “inherently tentative.” Gen. Tel. Co. of Southwest v. Falcon, 457 U.S. 147, 160 (1982); Fed.R.Civ.P. 23(c)(1)(C). “Any amendment must, however, satisfy the requirements of Rule 23.” Peel v. Brooksam Mortg. Corp., No. SACV1100079JLSRNBX, 2014 WL 12589317, at *3 (C.D. Cal. Nov. 13, 2014) (citation omitted); see also Ms. L. v. U.S. Immigration & Customs Enf't, 330 F.R.D. 284, 287 (S.D. Cal. 2019) (“In considering the appropriateness of [modification or] decertification, the standard of review is the same as a motion for class certification: whether the Rule 23 requirements are met.”) (alteration in original) (citation omitted).
IV. DISCUSSION
A. Procedural Issues
Google first insists that its motion is procedurally appropriate because it is merely seeking to clarify the class definition, and “[c]ourts routinely clarify ambiguities in class definitions.” To be sure, where true ambiguities exist in class definitions, clarification may be useful in determining what is and is not in the bounds of the class definition. Here, however, no such ambiguity exists. The plain language of the certified classes clearly identifies, with particularity, class members as “all individuals” who had their WAA and sWAA settings turned off. It does not limit the class to all individuals who by themselves turned those settings off. This unambiguous language was unopposed at class certification. Moreover, Google's insistence that it had no way of knowing that Plaintiffs meant to include Dasher and Unicorn accounts in the class definition is untenable based on even its own attached exhibit, which shows a discussion between counsel for both sides during the deposition of Google's rebuttal expert, John Black, that raised, at the very least, ambiguity regarding this issue. See Dkt. 375-2 at 6. Likewise, Plaintiffs' expert Jonathan Hochman discussed both Dasher and Unicorn accounts in his expert reports, and the fact that Black excluded those accounts in his technical analysis is inapposite here. Further, Michael Lasinski, who was the subject of Google's Daubert motion that was briefed concurrently to class certification, also included Dasher and Unicorn accounts in his analysis.
On this basis, Lasinski's calculations were not challenged in the Daubert motion or related filings. Google was therefore on notice at class certification that Plaintiffs were contemplating including those accounts in the certified classes, evidenced by their proposed definition of the classes consisting of “all individuals” who had disabled their WAA/sWAA settings. Accordingly, Google's artful attempt to portray the instant motion as one seeking merely to clarify the class definition to align with the class certification order is unavailing. It is more fitting to characterize the instant motion as a request to modify the class certification order to exclude Dasher and Unicorn accounts. Nonetheless, while Plaintiffs are correct that Google's objections should have been raised at class certification, the “inherently tentative” nature of the class certification order, “particularly during the period before any notice is sent to the members of the class,” permits review of Google's motion for modification so as to ensure the class, as defined, comports with the stringent requirements of Rule 23. See Falcon, 457 U.S. at 160.
B. Commonality, Typicality, Adequacy
Plaintiffs' proposed classes were certified because they met the 23(a) requirements of commonality, numerosity, typicality, and adequacy as well as the requirements of both 23(b)(3) and 23(b)(2). Google insists that the inclusion of Dasher and Unicorn accounts in the certified classes disturbs the commonality, typicality, and adequacy requirements under 23(a). 23(a)(2) requires that “questions of law or fact” be common to the class, (a)(3) mandates that the “claims or defenses of the representative parties [be] typical of the claims or defenses of the class,” and (a)(4) requires the class representatives to “fairly and adequately protect the interests of the class.”
Commonality is met because Google's representations and conduct as to the WAA and sWAA settings are common to the class, even with Dasher and Unicorn accounts included. Google conflates the predominance inquiry of 23(b)(3) and the commonality question of 23(a)(2). To satisfy 23(a)(2), “even a single common question will do,” whereas the 23(b)(3) inquiry requires common questions to predominate over individual ones. Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 359 (2011) (internal quotes omitted). The class representatives of the two classes are also typical and adequate representatives of the class, inclusive of Dasher and Unicorn accounts. Named Plaintiffs' claims “are typical of those of the class members” because “each class member's claim arises from the same course of events, and each class member makes similar legal arguments to prove the defendant's liability.” Rodriguez v. Hayes, 591 F.3d 1105, 1124 (9th Cir. 2010) (quoting Armstrong v. Davis, 275 F.3d 849, 868 (9th Cir. 2001)). “Like the commonality requirement, the typicality requirement is permissive and requires only that the representative's claims are ‘reasonably co-extensive with those of absent class members.'” Id. (quoting Hanlon v. Chrysler Corp., 150 F.3d 1011, 1020 (9th Cir. 1998)).
Here, Plaintiffs satisfy that standard even as to Dasher or Unicorn users who had WAA or sWAA off during the class period as that conduct is typical of all class members. Further, named plaintiffs' claims are typical of the class members, arising from the same course of events, alleging the same injury, and carrying the same legal arguments. The adequacy requirement is also met because Google has failed to show how class counsel or named Plaintiffs' claims or interests conflict with those of Dasher or Unicorn users, or that they will fail to prosecute this action vigorously on behalf of those users. See Hanlon v. Chrysler Corp., 150 F.3d 1011, 1020 (9th Cir. 1998); Falcon, 457 U.S. at 158 n.13. Accordingly, the classes, inclusive of Dasher and Unicorn accounts, meet the 23(a) requirements.
Google focuses its motion on the deficiencies of the class as currently defined under 23(b)(3) and does not touch on any deficiencies of the class under 23(b)(2). Having determined that typicality and adequacy are, in fact, met even with Dasher and Unicorn users, the instant order applies only to the classes to the extent they were certified under 23(b)(3).
23(b)(3) requires a finding that questions of law and fact common to class members predominate over individual ones, as well as a finding that a class action is the superior method of adjudicating the controversy. Fed.R.Civ.P. 23(b)(3). “Implicit in the satisfaction of the predominance test is the notion that the adjudication of common issues will help achieve judicial economy.” Zinser v. Accufix Rsch. Inst., Inc. 253 F.3d 1180 (9th Cir. 2001) (quoting Valentino v. Carter-Wallace, Inc., 97 F.3d 1227, 1234 (9th Cir. 1996)). For the certified classes, the predominance condition was met, in part, because Plaintiffs established that Google's representations about the WAA and sWAA settings and its alleged misconduct are uniform across the class, and because Plaintiffs' averred claims are “subject to common proof.” Pertinently, the predominance inquiry also rested on the notion that the relevant, uniform conduct here is the proposed class members' decisions affirmatively to turn off the WAA and sWAA buttons. Cf. Hart v. TWC, No. 20-cv-03842-JST, 2023 WL 3568078 (N.D. Cal. Mar. 30, 2023).
A predominance inquiry necessitates analysis of what individual and common questions exist as to the proposed class and averred claims. The intrusion upon seclusion and invasion of privacy claims are frequently discussed together because they raise similar elements, whether “(1) there exists a reasonable expectation of privacy, and (2) the intrusion was highly offensive.” In re Facebook, Inc. Internet Tracking Litigation, 956 F.3d 589, 601 (9th Cir. 2020). Whether a reasonable expectation of privacy exists is an objective question, evidenced by Google's uniform disclosures about the WAA and sWAA settings and the class members' corresponding choices affirmatively to switch those settings off. The second prong questions whether Google's intrusion is offensive to a reasonable person. While these elements may be proven class-wide as to standard Google users, these considerations break in the other direction vis-a-vis Dasher and Unicorn accounts. Unlike the remaining class members, these users do not necessarily turn off the WAA or sWAA settings themselves, nor do they always know if those settings are turned off. For Dasher accounts, an enterprise administrator chooses the account settings, including whether to turn WAA or sWAA off, at account creation. If the enterprise administrator turns WAA or sWAA on, an employee might subsequently choose to turn those settings off, and this choice may not be necessarily overridden by the enterprise administrator. Similarly, Unicorn accounts are managed by parents or guardians who control the user's privacy settings and decide whether the user can even alter those settings. The configurations of these accounts necessarily raise individualized factual questions of who actually engaged in the pertinent conduct for the purposes of class certification; that is, switching off WAA or sWAA. Put differently, whether WAA or sWAA is off for a Dasher or Unicorn account may represent the choice of someone distinct from the user (i.e., class member), raising individualized inquiries about reasonable expectations of privacy, which would unavoidably undermine the predominance prong of Rule 23(b)(3).
Despite Plaintiffs' insistence otherwise, it does matter whether it is the administrator or parent who chose to turn WAA or sWAA off or whether the actual user did so, because this inquiry reflects the meaningfulness of the user's choice and, therefore, whether they maintained a reasonable expectation of privacy throughout the class period. It similarly signifies whether the user or the enterprise administrator/parent actually saw Google's disclosures and policies about the WAA and sWAA settings, as this raises individual questions about whether users (as opposed to their parents or administrators) consented to the complained about conduct. Plaintiffs' argument that a parent's choice to switch WAA or sWAA off is no reason to “exclude children from this important privacy case” fails to persuade. The relevant inquiry here is not whether Unicorn users' privacy interests should be litigated at all, but whether common questions as to those accounts predominate over individual ones. The need to investigate Dasher and Unicorn accounts' conduct as to these privacy settings necessarily raises individual questions that make class treatment unmanageable and defeat predominance.
Plaintiffs argue that Google must have information about the number of Dasher accounts for which sWAA was switched off by the user instead of the enterprise administrator, because Google maintains records of when all users turned sWAA off or on. Even accepting that these records give Google this information, individualized inquiries would still exist as to whether it was the enterprise administrator or the employee who switched sWAA off.
Indeed, even accepting this argument, Dasher and Unicorn accounts remain part of the classes as certified under 23(b)(2), discussed further below.
Inclusion of Dasher and Unicorn users in the classes does not, however, raise individualized inquiries for the CDAFA claim. CDAFA makes it unlawful to “knowingly access[] and without permission take.. .any data from a computer.” Cal. Penal Code § 502(c)(2). Whether Google had “permission” to collect the data turns on what words or conduct were communicated to Google, in this case, the status of the sWAA setting. California courts have yet to define what “without permission” means in the CDAFA context, but courts in this district often suggest that a defendant acts without permission when it circumvents “technical or code-based barriers.” See In re Carrier IQ., Inc. 78 F.Supp.3d 1051, 1100 (N.D. Cal. 2015) (collecting cases) (citations omitted). Here, the relevant technical barrier is the WAA or sWAA settings. Plaintiffs insist that “consent” was communicated to Google based on the status of the sWAA button, i.e., if it was toggled off, Google took that to mean they had no permission to collect the data. Indeed, CDAFA does not mandate that “consent” be given by the user and not the parent or enterprise administrator. The other elements of CDAFA-whether Google knowingly accessed the data; whether Google took, copied, or made use of any data from a computer; or whether class members suffered any damage or loss-are unaddressed by Google and are also subject to common proof of Google's conduct. Therefore, as to the CDAFA claim, Dasher and Unicorn accounts are included in the classes as defined.
D. Feasibility
While Google points out that not all Dasher and Unicorn accounts have associated email addresses, which makes it challenging to send class notice, Plaintiffs are correct that the Class Administrator can undertake publication notice to reach those individuals without associated email addresses through other methods. This might be enough for the transmission of notice, but Plaintiffs have not provided a solution to the inevitable challenge that the notice language will inevitably be different as to the Dasher and Unicorn accounts to identify which individual belongs in the class.
E. Prejudice
The notion that excluding Dasher and Unicorn users from the 23(b)(3) classes will risk unfair prejudice to them is questionable. Dasher users have personal Google accounts which, provided the WAA or sWAA settings are off during the class period, would be included in the class. Likewise, Unicorn accounts require parents to have their own Google accounts, and those parents' Google accounts would also be included in the classes provided the class definitions are met. Plaintiffs suggest that excluding Dasher and Unicorn accounts from the certified classes would require a separate action to litigate the interests of those users. This is not necessarily true. In fact, those users may remain in the classes certified under 23(b)(2). For purposes of 23(b)(3), however, predominance is a prerequisite that warrants exclusion of Dasher and Unicorn accounts as to the intrusion upon seclusion and invasion of privacy claims. Dasher and Unicorn users may attempt to bring these claims as individuals should they wish to do so.
Plaintiffs raise concerns that class members who thought they would be part of the classes would be unfairly prejudiced if the applicable statute of limitations is no longer suspended upon modification. See Am. Pipe & Const. Co. v. Utah, 414 U.S. 538, 554 (1978); Newberg & Rubenstein on Class Action § 7.40. While tolling may be appropriate, Plaintiffs are to submit a stipulated tolling agreement within two weeks or provide a proposed tolling order to which Google may respond.
Plaintiffs also seek to direct notice to all Dasher and Unicorn accounts so they may be made aware of their change in status. See Newberg & Rubenstein on Class Action § 7.40 (“If a class certification order is modified to exclude some previous members of the class, these newly excluded class members...should receive notice of this action”). In the interest of fairness to the Dasher and Unicorn users, notice of their change in status is warranted.
Lastly, Plaintiffs seek permission to proceed on a Rule 23(b)(2) basis as to the Dasher and Unicorn users even if the instant motion is granted so that injunctive relief may apply equally, regardless of account type. Given that any declaratory or injunctive relief regarding Google's WAA or sWAA settings would impact all users, and because Google has failed to establish that any of the 23(a) factors are deficient, inclusive of Dasher and Unicorn users, this request is also granted. See Ellis v. Costco Wholesale Corp., 657 F.3d 970, 988 (9th Cir. 2011) (“the court [may] certify a Rule 23(b)(2) class for equitable relief and a separate Rule 23(b)(3) class for damages”) (internal citation omitted).
Accordingly, the classes certified under 23(b)(3) for the invasion of privacy and intrusion upon seclusion claims are modified as follows:
Class 1: All “non-Enterprise” and “non-Unicorn” individuals who, during the period beginning July 1, 2016 and continuing through the present (the “Class Period”), (a) had their “Web & App Activity” and/or “supplemental Web & App Activity” setting turned off and (b) whose activity on a non-Google-branded mobile app was still transmitted to Google, from (c) a mobile device running the Android operating system, because of the Firebase Software Development Kit (“SDK”) and/or Google Mobile Ads SDK.
Class 2: All “non-Enterprise” and “non-Unicorn” individuals who, during the Class Period (a) had their “Web & App Activity” and/or “supplemental Web & App Activity” setting turned off and (b) whose activity on a non-Google-branded mobile app was still transmitted to Google, from (c) a mobile device running a non-Android operating system, because of the Firebase SDK and/or Google Mobile Ads SDK.
For the CDAFA claim, the 23(b)(3) classes as certified in the original class certification order, Dkt. 352, see supra section II, remain the same (i.e., the CDAFA subclasses under 23(b)(3) include Dasher and Unicorn users). Likewise, the 23(b)(2) classes follow the class definition as set forth in the original class certification order and include Dasher and Unicorn users.
V. CONCLUSION
Google's motion to modify the class certification order is granted in part. The hearing set for April 11, 2024 is vacated per L.R. 7-1(b). The parties must inform the Court whether they plan on withdrawing and resubmitting a modified class notice plan in accordance with this order and provide a briefing schedule as to the notice plan within one week. If the parties do not plan on filing a new motion, an order will be issued based on the class notice plan currently filed, Dkt. 370, without a hearing. Additionally, as stated above, Plaintiffs must file within two weeks a stipulated tolling agreement or a proposed tolling order to which Defendants may respond. Finally, Plaintiffs filed a motion to seal exhibits containing Google employee email addresses, internal code names, and commercially sensitive business information. The information sought to be sealed is narrowly tailored, and the motion to seal is granted. Public, redacted versions of the exhibits must be filed within two weeks of this order.
IT IS SO ORDERED.