The within proposed right to privacy multi-jurisdictional class proceeding involves the Defendants’, ALPHABET INC.’s, GOOGLE LLC’s, and GOOGLE CANADA CORPORATION’s (hereinafter collectively referred to as “Google,”), unlawful tracking, collection, saving, and use of the Plaintiff’s and  Class Members’ activity and browsing histories on their mobile devices, whenever they use third-party (or non-Google) software or mobile applications that have incorporated Google tracking and advertising code. The Defendant, Google, did this without notice or consent, where users had turned off a Google privacy feature called “Web & App Activity” or a sub-setting known as “supplemental Web & App Activity”. The Defendant, Google, falsely promised that by turning off this privacy feature, users would stop the Defendant, Google, from saving their app activity data across third-party apps, all of which caused the Plaintiff and Class Members to suffer loss, harm and damage.

Contrary to Google’s own privacy policies, disclosures, and representations—where it insists that it values users’ privacy and provides meaningful control—Google continues to track users and collects their app activity data even after users follow Google’s instructions to disable such tracking. What Google labels as privacy “controls” are, in reality, deceptive ruses designed to lull users into a false sense of security and control. In practice, regardless of the settings chosen by users, Google does not cease tracking, collecting, and exploiting users’ app activity data.

Google unlawfully tracked, collected, saved, and used the users’ app activity data during the period commencing July 1, 2016, and continuing through to the present (the “Class Period”).

For the purposes of this action, the WAA and (s)WAA features relate to a broad spectrum of app activity data of the Plaintiff and the putative class members, including, without limitation: (i) search and browsing history, or activity; (ii) records of interactions with their mobile devices; (iii) approximate or precise location information derived from Internet Protocol (IP) addresses, Wi-Fi, GPS, or other device signals; (iv) device-specific data such as model, operating system, unique identifiers, and diagnostic information; and (v) where enabled, voice commands, audio recordings, and virtual assistant interactions, all in connection with third-party apps incorporating Google tracking and advertising code described herein (the “activity data”). The activity data is tied to Plaintiff’s and putative class members’ Google accounts and profiles, thereby allowing Google to track, collect, save, and use a comprehensive record of the users’ online and offline activity across third-party apps regardless of the mobile device they are using.

Google unlawfully collected the users’ activity data from their mobile devices through its Firebase platform, a Google-owned service that provides backend infrastructure and analytics to third-party software and mobile application developers (“third-party app developers”). Rather than building their own servers and systems, third-party app developers are offered Google’s Firebase Software Development Kit (“SDK”), which supplies them with various built-in tools and functionalities, including Application Programming Interfaces (“APIs”) and prewritten code, thereby streamlining and accelerating the app development process.

When an SDK, such as the Firebase SDK, is embedded in third-party apps, it can collect and transmit data back to the company that made the SDK. In particular, Google unlawfully tracked and collected users’ activity data from their mobile devices using software scripts embedded in Google’s Firebase SDK platform, when third-party app developers used Firebase SDK to build their apps. Users then downloaded and used those apps to communicate with third parties (e.g., The New York Times app allows users to communicate with The New York Times) through their mobile devices. Unknown to users, the Firebase SDK scripts still copied users’ communications to third-party apps and transmitted them to Google’s servers through the users’ mobile devices, to be saved and used by Google for its own purposes. Google did all this even if users switched off Google’s WAA and/or (s)WAA feature, without providing any notice or obtaining any consent.

Further, Google’s tracking, collection, saving, and use of users’ activity data is not limited to Firebase SDK scripts. Notwithstanding whether users have WAA and/or (s)WAA switched off (which is sometimes referred to as “disabled” or “paused”), Google also tracks, collects and saves users’ activity data by way of other Google tracking and advertising code (in addition to Firebase SDK scripts) embedded in third-party apps. This additional Google tracking and advertising code includes, without limitation, the Google Analytics Services SDK, the Google Mobile Ads SDK (which supports AdMob and Ad Manager), Google’s AdMob SDK, the Google Ads SDK (formerly known as AdWords SDK or AWCT SDK), and Google code associated with WebView technologies for apps.

Google repeatedly represented to users that turning off the WAA and/or (s)WAA feature would stop Google from “sav[ing]” their activity data—including data generated through both Google products and services, as well as third-party appls. However, only the tracking, collection, saving, and use of the latter form of data is at issue in this action. Google also presented these settings to its business partners as device-level privacy controls, and required that such controls, along with Google’s accompanying representations, be incorporated into versions of the Android operating system (“Android OS”) licensed to Android device manufacturers, including Samsung Electronics Co., Ltd. (“Samsung”).

Google’s Privacy Policy represented to users that they would have meaningful control over their privacy settings, including the ability to opt out of the tracking, collection, saving, and use of their activity data. The Privacy Policy states, on the first page:

"When you use our services, you’re trusting us with your information. We understand this is a big responsibility and work hard to protect your information and put you in control.

. . . .

Our services include: … products that are integrated into third-party apps and sites, like ads and embedded Google Maps.

. . . .

[A]cross our services, you can adjust your privacy settings to control what we collect and how your information is used. [Emphasis added.]"

That language is quite plain. Any reasonable person would understand it to mean just what it says, that is, the user “can adjust . . . privacy settings to control what [Google] collects and how [user] information is used” by Google “across [Google’s] services,” which services “include . . . products,” like Google’s Firebase SDK platform and other Google tracking and advertising code “that are integrated into third-party apps.” As such, Google falsely promised users that by utilizing the built-in privacy settings, they retain the ability to prevent Google from using their activity data without their consent, and thereby intentionally created an illusion of user control.

In fact, Google still collects activity data from users who turn off the WAA and/or (s)WAA features. Google collects the activity data through various backdoors made available through and in connection with Google’s Firebase SDK, including not only Google Analytics for Firebase but also, without limitation, AdMob and Cloud Messaging for Firebase. Google also collects data about users’ interactions with non-Google apps by way of other Google tracking and advertising code (aside from the Firebase SDK scripts), including, but not limited to, the Google Mobile Ads SDK, AdMob SDK, and “WebView” technologies. All of these products copy and provide Google with the activity data while WAA or (s)WAA is turned off.

Users turned off the WAA and/or (s)WAA features to prevent Google from collecting and saving their activity data, but Google unlawfully without the knowledge and/or consent of the users, amassed a stockpile of activity data that it used for its technological advancement and financial gain.

Google’s practice of tracking, collecting, saving, and using the users’ activity data without their knowledge or consent, for the purposes of its own technological development and financial gain, constitutes a substantial breach of their rights to privacy. These practices directly contravene applicable federal and provincial privacy statutes, as Google has, through its unlawful practices, violated and continues to violate the users’ privacy.

As a result of Google’s unlawful and/or deceptive conduct and its breach of the Plaintiff’s and putative class members’ right to privacy, the Plaintiff and putative class members have suffered harm, loss, and damage. The activity data unlawfully collected by Google is highly valuable—not only to Google, but also to the users themselves and to third parties who may seek to acquire it. Accordingly, the Plaintiff and putative class members seek damages, disgorgement, and all other appropriate relief ensuing from the tracking, collection and use of their activity data.

Further, Google acted without the knowledge or consent of users in tracking, collecting, saving, and using the activity data, which it then exploited to maintain and extend its monopolistic position. The Plaintiff and putative class members therefore seek injunctive relief requiring Google to delete, purge, or otherwise cease all use of the unlawfully obtained activity data, and to refrain from further tracking and collecting such activity data without proper notice and consent. The Plaintiff and putative class members also seek an injunction prohibiting Google from integrating the unlawfully obtained activity data into its advertising, analytics, artificial intelligence, or other technological platforms, and requiring Google to implement safeguards to prevent any future misuse of such activity data.