Google’s Incognito Settlement: Browsing Data is Not Private
Introduction
Of course, everyone knew that user website activity was NOT actually private when using Chrome’s Incognito mode. Or, at least, that was Google’s argument in court.
Facing the prospect of making this argument at trial, Google settled this class action lawsuit, Chasom Brown, et al. v. Google, which is the fourth significant settlement in the past few months.
Google has since updated its disclosure statement for Incognito mode and agreed to delete billions of user records that it generated and anonymized while those users were “privately” browsing.
The Facts
The following facts were established by the United States District Court in the Northern District of California:
Plaintiffs filed a class action suit based on Google’s “surreptitious interception and collection of personal and sensitive user data while users are in ‘private browsing mode’”.
Plaintiffs alleged Google violated (1) the Federal Wiretap Act, (2) the California Invasion of Privacy Act (CIPA), (3) the Comprehensive Data Access and Fraud Act (“CDAFA”), (4) invasion of privacy, (5) intrusion upon seclusion, (6) breach of contract, and (7) violation of California’s Unfair Competition Law (“UCL”).
Plaintiffs sought $5 billion in damages (approximately $5,000 per affected person).
Google filed a motion for summary judgment to dismiss the claims.
In August 2023, the Northern District rejected Google’s motion in its entirety.
Google's motion hinged on the idea that users consent to Google collecting their data while users browse the internet in private mode.
Because Google never explicitly told users that it continues to collect data in Incognito mode, the Court could not find that users explicitly consented to data collection.
As the trial approached, plaintiffs and Google agreed to settle.
Denial of Google’s Motion for Summary Judgment
Google’s defense provides a good illustration of how a lack of clarity in website notices and terms of service can lead to costly legal actions.
Facts Regarding Data Collection
The Plaintiffs were Google account holders who used “private browsing” in two different ways.
First, they used Google Chrome browser’s “Incognito Mode”.
Second, they used the private modes of other browsers (like the “Private Window” feature in Safari).
Since 2016, Google represented that it would not collect user information if users browsed the internet privately.
Google collected data anyway - even when people used Incognito Mode or other “private” browsing modes. Google collected, aggregated, and sold private browsing data without user consent. The parties did not dispute these facts.
How Does Google Collect Data, Normally and Incognito?
Whenever we access a website that uses Google Analytics, Ad Manager, or a similar Google service (which is currently estimated to be about 70 percent of all websites), Google’s software directs our browser to send information to Google.
This activity was unknown to both users and web developers.
When we visit a website, our browser sends a GET request to retrieve the webpage we want.
The GET request contains data like the requestor website uniform resource locator (URL), our internet protocol (IP) address, our device platform and browser, our location information if available, and event data about how we have interacted with the website (e.g., What ads did we see? Did we click on a video? What did we search for?).
Simultaneously, our browser reads Google’s code embedded on a website and sends a concurrent message directly to Google. This second transmission tells Google exactly what our browser communicated to the target website.
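An added example (not from the original article and not Google's code): a Node.js audit of a constructed page-load capture that flags third-party requests disclosing the visited page, either through the Referer header or through a query parameter filled in by an embedded script. The hostnames, parameter names and capture format are assumptions made for illustration.

```javascript
// Constructed capture of one page load. Hostnames and parameter names are
// made up for illustration; they are not real Google endpoints.
const PAGE_URL = "https://news.example/health/article?id=42";
const CAPTURE = [
  { url: PAGE_URL, headers: { "user-agent": "ExampleBrowser/1.0" } },
  { url: "https://news.example/static/site.css", headers: { referer: PAGE_URL } },
  { url: "https://analytics.example/collect?page=" + encodeURIComponent(PAGE_URL) + "&ev=video_click",
    headers: { referer: "https://news.example/", "user-agent": "ExampleBrowser/1.0" } },
  { url: "https://ads.example/pixel.gif?slot=top",
    headers: { referer: PAGE_URL, "user-agent": "ExampleBrowser/1.0" } },
  { url: "https://cdn.example/lib.js", headers: {} },
];

// Simplified first-party check: same hostname or a subdomain of it.
// A production audit would compare registrable domains (Public Suffix List).
function isThirdParty(requestHost, pageHost) {
  return requestHost !== pageHost && !requestHost.endsWith("." + pageHost);
}

// Return every third-party request that discloses the visited page, and how.
function findPageDisclosures(pageUrl, capture) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const entry of capture) {
    const req = new URL(entry.url);
    if (!isThirdParty(req.hostname, page.hostname)) continue;
    const via = [];
    // Channel 1: the Referer header the browser attaches on its own.
    const referer = entry.headers.referer || "";
    if (referer === pageUrl) via.push("referer:full-url");
    else if (referer && new URL(referer).origin === page.origin) via.push("referer:origin");
    // Channel 2: the embedded script copies the page URL into its query string.
    for (const [name, value] of req.searchParams) {
      if (value === pageUrl) via.push("query:" + name);
    }
    if (via.length > 0) findings.push({ host: req.hostname, via });
  }
  return findings;
}

console.log(JSON.stringify(findPageDisclosures(PAGE_URL, CAPTURE), null, 2));
```

Running the same check against captures taken in a normal window and in a private window shows whether the private mode changes what third parties receive.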
According to the Plaintiffs, What Does Google Do with the Data?
Google collects our “private” browsing history and associates it with our preexisting user profiles.
This enabled Google to offer more personalized services and advertisements to us, which is the foundation of Google’s multi-billion-dollar business model.
Google’s Representations About Private Browsing
Google's General Terms of Service and its Chrome Privacy Notice form the basis of the contractual relationship between Google and its account holders. Plaintiffs also alleged that Google’s Privacy Policy (now hyperlinked from the Chrome Privacy Notice), Search & Browse Privately Help page, and Incognito Splash Screen also form the basis for the users’ contract with Google. In denying Google’s motion to dismiss, the court held that incorporating these three additional writings raised a triable issue of fact.
Google’s Privacy Policy serves to help users “understand what information [Google] collects, why [they] collect it, and how you can update, manage, export, and delete your information.”
The Search & Browse Privately Help page states: “You’re in control of what information you share with Google when you search.”
The former Incognito splash page begins by stating “Now you can browse privately.”
Express Consent to Data Collection in Incognito Mode
Google argued that users expressly consented to Incognito data collection under its Privacy Policy because that policy unambiguously disclosed that its data collection practices are mode-agnostic. In short, “Google collects the same data whether users are in regular or private browsing mode.” (USDC NDC, p. 13).
But Plaintiffs argued that Google presented Incognito mode differently - that it offered more privacy.
In fact, the Privacy Policy is silent as to any data collection specific to private browsing mode.
Nevertheless, Google acknowledged that it relies on user trust - a “big responsibility” - and Google works hard to protect user information and puts users in control, like offering Incognito mode.
When a normal Chrome browser is opened, the screen is bright and white. When the Incognito browser is opened, the screen is dark, text is gray, and users are greeted with a “spy guy icon”.
Moreover, users are told they’ve “gone incognito” and can “browse privately”. Other people who use the device won't see the user’s browsing activity.
In the end, the Court rejected Google’s summary judgment claim regarding express consent not only because its Privacy Policy was silent regarding Incognito mode, but also because of Google's surrounding statements regarding what it means to engage in private browsing. The court held that a dispute of fact remained regarding the scope of users’ consent.
Point by point, the court rejected Google’s request for summary judgment and its interpretation of the law. As such, this case was headed to trial.
Results of the Settlement
Despite consistently rejecting the plaintiffs’ allegations, Google agreed to settle the dispute and make several changes to its practices. In short, Google will do the following:
Delete and/or remediate billions of data records that reflect class members' private browsing activities worldwide.
Beginning in January 2024, Google has started updating its disclosures regarding data collection for users that select a private browsing mode.
“Google will also stop using technology that detects when users enable private browsing, so it can no longer track people’s choice to use Incognito mode” (NYT).
Google is introducing a trial feature that automatically blocks third-party cookies for Incognito mode users, which will continue for the next five years.
Incognito users are already greeted with a somewhat clearer notice statement. Specifically, rather than stating “Now you can browse privately”, it states “...you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google…”
Plaintiffs’ attorneys stated that "Google will collect less data from users' private browsing sessions, and that Google will make less money from the data." (TFTC)
Google’s spokesman, José Castañeda, stated that “[t]he plaintiffs originally wanted $5 billion and are receiving zero.” Moreover, “[w]e are pleased to settle this lawsuit, which we always believed was meritless," and “[w]e are happy to delete old technical data that was never associated with an individual and was never used for any form of personalization.”
What Can Individuals Do to Browse with Greater Privacy?
As a rule, one should always begin with the assumption that all internet activity will be monitored and processed by Google, Microsoft, or any other large for-profit company that provides a web browser. Data collection is the foundation of their businesses and it will remain the case for the foreseeable future.
This is not an admonition that users should not use Google Chrome or Incognito mode - these Google tools are blazing fast, smoothly integrated, and very useful - but one must assume that very little about Google’s browsers is engineered for user privacy.
If you want the closest thing to actual privacy online, you should consider the following practices:
Use a virtual private network (VPN)
At 1GDPA, we use Proton VPN, which is a non-profit based in Switzerland.
Firefox Focus
For slightly better privacy you might consider the Firefox Focus browser, but even Firefox acknowledges that it collects user data, including things like location data (Firefox Privacy Policy).
Tor Project and the Onion Browser
For the most private browsing experience online, try the Tor Browser from the non-profit Tor Project.
Tor Project’s Onion Browser is also available for iOS and Android.
In the meantime, maintain awareness of current cyber threats and seek out tools that mitigate these threats.
What are Some Lessons for Your Business?
Although Google has always denied the claims against it in this case, privacy-related litigation is something every business wants to avoid. The present settlement compelled Google to make some very basic changes to a few sentences in its disclosures and turn off third party cookies in its slightly more private browser tool. Google’s actual business practices changed very little. From the outside, it appears to be a lot of legal cost for very little benefit.
In short, if you claim to offer your users benefits like added privacy, ensure you present the facts unambiguously and back it up with technical follow-through. Always strive to adhere to the privacy principle of transparency.
Clearly state in plain language the types of information that are collected for each of the tools or platforms you offer.
Clearly state the lawful purposes for which user data are used.
If you offer a “private” or “more secure” option, explain how that mode or option is actually more private. For example, if you promise to encrypt stored user data, ensure this practice is consistently followed through audits and penetration testing.
State the limitations of your tool or platform clearly. Do not overpromise and under-deliver.
Do not assume your current Privacy Policy will adequately cover all your operations all the time. Revisit your policy regularly to ensure your business processes are consistent with what you are promising to your customers.
Conclusion
If your organization does not yet have a mature data governance, risk, and compliance (GRC) program, a privacy program, or a cybersecurity strategy, then 1 Global Data Protection Advisors (1GDPA) can help. Reach out for a free consultation at any time.
Sources
New York Times (NYT), Google to Delete Billions of Chrome Browser Records in Latest Settlement
The Verge, $5 billion Google lawsuit over ‘Incognito mode’ tracking moves a step closer to trial
Chasom Brown, et al. v. Google LLC, US District Court of Northern California, Case No. 4:20-cv-3664-YGR
TFTC, Google Settles Privacy Lawsuit Over Incognito Mode Tracking