Website, Google Violate CIPA Through Sharing of Users' Personal Sexual Data: Suit
PHE, owner of adult products website Adam & Eve, sends customers’ private and protected sexual information, plus their IP addresses, to Google Analytics without their consent, alleged a Jan. 3 privacy class action (docket 2:24-cv-01065) removed Wednesday from Los Angeles County Superior Court to U.S. District Court for Central California in Los Angeles.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Jane Doe, a Los Angeles resident, alleges PHE caused Google to learn the contents of her private and protected sexual information without notifying her and without her consent, in violation of the California Invasion of Privacy Act (CIPA). Google violated CIPA each time it “read, learned from, and/or utilized” that information without her consent, it said. Both defendants violated CIPA by operating under an agreement under which PHE installed Google Analytics to disclose Doe’s protected sexual information “in exchange for payment or another form of consideration,” it said.
Google’s analytics service can use the information PHE discloses to identify a specific user’s actions on a website, the complaint said. Google Analytics enabled the “opt-in” IP anonymization feature, which allowed an additional parameter to be added to the communications between Doe and the Google Analytics server, it said. By using the Google Analytics tool without enabling the anonymization feature, PHE “is sharing with Google” class members’ online activity and IP addresses, “even when consumers have not shared (nor have consented to share) such information,” it said. PHE’s website also shares with Google that customers add specific products to their virtual shopping carts and check out, the complaint said.
Information shared with Google, including the IP address, allows Google to identify a person who has interacted with PHE’s website or has submitted information through the site, the complaint said. PHE didn’t obtain consent or authorization from consumers to disclose those communications, and the “surreptitious disclosure” of private and protected sexual information “is an outrageous invasion of privacy and would be offensive to a reasonable person,” it said.
Doe, who created an account with PHE in 2018, bought products from PHE’s website on at least two occasions, most recently in 2022, said the complaint. Her use of the website constitutes internet messages, reports and/or communications between her and PHE transmitted “over a wire, line, or cable,” it said. Google and PHE had an agreement through the use of Google Analytics under which PHE would automatically send Google information pertaining to Doe’s use of the website, it said. Each time she used the website, PHE conveyed to Google the items she searched for, search terms, products she put in her cart and products she purchased, without her consent, it said.
Doe seeks for herself and the class statutory damages under CIPA of $5,000 for each time PHE disclosed a message, report or communication to Google without consent; statutory damages of $5,000 for each time Google read, learned the contents of or used information obtained from a communication between PHE and a class member; and attorneys’ fees and costs.