Last week, the Northern District of California denied a motion for class certification in a multidistrict litigation brought against Google over its alleged practice of scanning Gmail messages in order to serve content-based advertising. In re: Google Inc. Gmail Litigation, 5:13-md-02430 (N.D. Cal.). In sum, the court found that questions relating to whether class members had consented to the practice were too highly individualized to satisfy the predominance requirement based on the myriad of disclosures available to class members.

The original complaint in this case dates back to 2010. Six class actions were eventually centralized in the Northern District of California where a consolidated complaint was filed. The complaint sought damages on behalf of individuals who either used Gmail or exchanged messages with those who used Gmail and had their messages intercepted by Google. The causes of action were brought under California’s Invasion of Privacy Act, as well as federal and state wiretapping laws (California, Maryland, Pennsylvania, and Florida).

In general, the Wiretap Act prohibits the unauthorized interception of wire, oral, or electronic communications. Under the federal Wiretap Act, there are several exceptions to this general prohibition, one of which is if the interception is done subject to “prior consent.” So, the issue of whether the class members had consented to the interception, either expressly or impliedly, was a central issue in the case.

Google filed a Motion to Dismiss on the basis that its interception fell within the ordinary course of Google’s business and was therefore exempt from the wiretapping statutes. That argument was rejected by the court. Google also argued that class members had expressly consented to the interception based on Gmail’s Terms of Service and Privacy Policy (collectively, the “Terms”); and even that if they hadn’t viewed the Terms, they impliedly consented to the interception because, per Google, all email users understand and accept the fact that email is automatically processed. In September 2013, the court granted in part and rejected in part Google’s Motion to Dismiss. Only the claims based on California’s Invasion of Privacy Act and Pennsylvania’s wiretapping law (with respect to a subclass) were dismissed; the rest of the claims survived. A month later, the plaintiffs filed their motion for class certification.

What proved fatal for plaintiffs on this go-around was their inability to demonstrate that the proposed classes satisfied the predominance requirement under FRCP 23. There were several proposed classes and subclasses. Members in each of the classes were potentially subject to a different set of disclosures and registration processes. For instance, one of the classes represented users who signed up for Google’s free web-based Gmail service. These users were required to check a box indicating that they agree to be bound by the Terms of Service. Another class was comprised of users of an internet service provider (“ISPs”), Cable One, that had contracted with Google for Google to provide email service under the Cable One domain name. Another class consisted of users from educational institutions, such as the University of Hawaii; similar to Cable One, the educational institutions had contracted with Google for email services. For businesses such as the ISPs and the educational institutions, the contract required that the contracting business, not Google, ensure that end users agreed to Google’s Terms of Service.

With respect to the Terms themselves, it is interesting to note that in the court’s Order denying Google’s Motion to Dismiss, the court previously characterized the Terms as “vague at best and misleading at worst.” Per the court, the Terms of Service stated only that Google retained authority to prescreen content to prevent objectionable content, while the Privacy Policy suggested that Google would only collect user communications directed to Google, not among users. And while the contracting businesses, like Cable One and the University of Hawaii, were required to ensure end users were accepting Google’s Terms of Service, there were variations among the businesses as to how they would present the Terms of Service and obtain consent. Ironically, the fact that the court considered Google’s Terms to be vague or misleading and the fact that the Terms were not presented uniformly to end users appeared to actually help Google avoid certification — it led to more individualized inquiries as to whether the users had given their express consent.

In addition to Google’s Terms, the court noted that there was also a “panoply of sources” where users could have impliedly consented to Google’s practices, such as Google’s Help pages, Google’s Privacy Center, Google’s Ad Preference Manager (which included a webpage on “Ads on Search and Gmail,” Gmail’s interface itself, the Official Gmail Blog, Google’s SEC filings (which includes the statement, “we serve small text ads that are relevant to the messages in Gmail”), and even media reports (e.g., New York Times, Washington Post, NBC News, PC World, etc.). The breadth of these sources helped to further convince the court that determining whether class members impliedly consented to Google’s interception was a highly individualized determination, and not one based on common questions. Whether each individual knew about or consented to the interception would depend on the sources to which he or she had been exposed. The plaintiffs contended that relying on extrinsic evidence outside of Google’s Terms would violate the parol evidence rule. The court was quick to point out that while that argument might work for a breach of contract case, the parol evidence rule was not applicable under the Wiretap Act, which requires the fact finder to consider all surrounding circumstances in relation to the issue of consent.

Putting aside the question of whether Google’s Terms were in fact vague or misleading, a key takeaway for businesses from this case should be the importance of educating customers about their data practices. Google was able to avoid certification based on the fact that they offered a variety of other opportunities for their customers to learn more about their services and products. Outside of a website or app terms of use and privacy policy, businesses need to understand that the disclosures they make elsewhere can help to educate and inform users about their practices, e.g., on the websites or apps themselves, a “Help” or “FAQ” section, on advertisements or in promotional emails, or in their subscription or license agreements. Of course, the more disclosures a business offers, the more challenging it can be to make sure that the message being delivered remains consistent. Plus, businesses should revisit their disclosures regularly to make sure that they are clear, conspicuous, current, and forthcoming.

The fact that these cases were brought under wiretapping laws adds another interesting wrinkle. The federal Wiretap Act comes with $100 in statutory damages per day, which could lead to billions of dollars in penalties. Various other web companies have recently faced privacy class actions pursuant to the Wiretap Act over the alleged data mining of user communications, including Yahoo!, LinkedIn and Facebook. We’ll continue to monitor this area closely to see how the recent Google decision might affect this wave of cases.

Original posted in the IAPP Privacy Tracker.