Complaint, New Mexico v. Google LLC (D.N.M. Feb. 20, 2020)(No. 1:20-cv-00143-NF-KHR).
New Mexico’s Attorney General has sued Google alleging that it is collecting personal data from children through its G-Suite for Education (“Google Education”) services in violation of the Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. § 6502 (1998), the New Mexico Unfair Practices Act (“UPA”), N.M. Stat. § 57-12-26 (2017), and the common law privacy tort of intrusion upon seclusion.
Google Education provides students with free access to Gmail, Calendar, Drive, Docs, and other applications. The complaint alleges that through this service, widely used in the U.S. among K-12 educators and students, Google has collected children's data including their physical locations, websites they visit, videos watched on Youtube, personal contact lists, and voice recordings. Such alleged data mining is in violation of COPPA.
In its first cause of action, the State of New Mexico alleges that despite COPPA requirements that an operator of a website or online services must provide parental notice of any data collection of personal information from children under the age of 13 and obtain their “verifiable parental consent,” Google Education has failed to do so.
In the second cause of action, the complaint alleges that Google’s “deceptive” behavior is also in violation of New Mexico’s UPA. The complaint alleges that Google has set the Chrome Sync function on by default. Thus, when students log into a school-issued or personal Chromebook, Google automatically starts uploading students’ data. Although users may turn such data syncing off, the option is deceptively “buried in settings that parents [and students] likely never see.”
Moreover, the complaint alleges that Google’s current behavior and practices are a material misrepresentation of its commitments made when signing the K-12 School Service Provider Pledge to Safeguard Student Privacy of 2015.
New Mexico's last cause of action is the common law tort of intrusion upon seclusion. According to the complaint, the alleged intrusions, consisting of, inter alia, monitoring and collecting data, are highly offensive to a reasonable person and their expectation of privacy as evidenced by numerous statutes enacted both by Congress and by New Mexico to protect children’s privacy and citizens at large. In that regard, given the conscious nature of the acts, the State not only seeks injunctive relief to stop Google’s allegedly unlawful practices, it also seeks nominal and punitive damages.
A Google spokesman responded in a statement that the allegations are “factually wrong.” He asserted that Google Education allows schools to obtain parental consent and that it does not use children’s data to target ads to primary and secondary students.
Allegations of privacy violations and requirements of affirmative consent are becoming a growing challenge for tech companies. Scholars have argued that companies' privacy policies are not generally treated as contracts, in contrast to terms of use. This approach has reinforced the role of the Federal Trade Commission (“FTC”) in policing privacy compliance and bringing big tech companies to the negotiating table. In 2019, for example, FTC reached a $5 billion settlement with Facebook regarding its violation of a 2012 FTC settlement concerning consumer privacy. In 2018, Google also reached a $170 million settlement with the FTC over its alleged violation of COPPA; the settlement was reached without any admission of wrongdoing. This case may start a trend of judicial, rather than administrative, enforcement. Regardless of the outcome, the lawsuit will also encourage companies to think actively about consumer privacy protection and their role in promoting privacy by design.