Class Action Against Google Can Proceed for Claims Related to Conduct Prior to 2023

In Doe I v. Google LLC, the U.S. District Court for the Northern District of California begins in medias res but then cuts to the chase. Plaintiffs’ first amended complaint was dismissed, as they had not adequately alleged that Google was intentionally receiving communications that violated plaintiffs’ privacy rights. In the second amended complaint, they have, but just barely, and only as to claims arising prior to 2023, when Google put in place policies designed to protect the privacy of members of the plaintiff class.

The whole point of Google’s products was to allow Google access to some communications between healthcare providers and their patients. There is no dispute that Google received such communications and that some of them contained the kind of private health information that is protected under the federal Health Insurance Portability and Accountability Act (HIPAA). Google’s source code enabled it to know when patients saw specialists, looked up treatments for symptoms, and paid bills. Putting all of that information together Google had access to medical information tied to a particular person (individually identifiable health information), the sort of information that HIPAA is supposed to protect against dissemination to third parties.

The Court seems skeptical that plaintiffs can show that Google intentionally collected individually identifiable health information in violation of HIPAA. Certainly, the Court thinks plaintiffs cannot make that claim in connection with information provided to healthcare providers after 2023 when took Google took “measures to prevent itself from receiving communications containing private health information by clearly instructing health providers not to” use Google Analytics on webpages that contained information protected from disclosure under HIPAA. However, plaintiffs have sufficiently alleged that, prior to 2023, Google intended to receive individually identifiable health information. The Court expresses its skepticism, thinking it more likely that Google acted negligently rather than intentionally, but the Court concedes that it is possible that Google was aware of the problem and did not mind getting information that it was barred from getting under federal law.

As a result, the Court dismissed with prejudice plaintiffs claims under California’s Wiretap Act (CIPA), intrusion of seclusion, and common law privacy law to the extent that they relate to post-2023 communications. The claims can go forward as to earlier communications.

Plaintiffs had two claims for. breach of contract. The first alleged that Google violated its own Privacy Policy by collecting health information. That claim can proceed. The second alleged that Google breached a promise not to use health information in personalized advertising, and the Court did not find plaintiffs’ allegations persuasive in connection with that claim, even for the purposes of motion to dismiss. Plaintiffs did not make out a claim for a breach of the duty of good faith and fair dealing, so that claim was dismissed with prejudice, but their unjust enrichment claim survived.