Sophos News

£3 billion Safari iPhone privacy lawsuit given go-ahead

A UK class action privacy lawsuit against Google can go ahead, according to the UK Court of Appeal. The suit claims up to £3bn ($3.9bn) in damages based on Google’s manipulation of Apple’s Safari browser in 2011-12.

In 2010, Apple included anti-tracking technology in Safari that would stop advertising companies from inserting cookies into the browser.

Google developed a workaround, enabling it to put cookies from its DoubleClick advertising technology into users’ browsers anyway. Safari’s anti-tracking technology at the time made an exception for sites that users interacted with, so Google included code in advertisements that made it look as though the user was filling out a form.

This technique enabled the company to place cookies in Safari. Those small files could tell when the user visited a site participating in the DoubleClick advertising program, how long they spent on the site, what pages they visited, and in some cases even their rough geographic location.

The complaint calls this data ‘browser generated information’ or BGI, and says that over time it allowed Google to draw more conclusions about people, helping it to understand things like their sexual orientation, religious views, and political leanings. The company used this data to segment people into customer groups, which it used to target them with advertisements from its customers. In other words, Google bypassed Apple’s technology protections to carry on its advertising operations as usual.

Google has already paid fines for these actions in the US. It stumped up $22.5m in FTC fines in 2012, and another $17m to 37 US states the following year. The company made those payments without admitting liability, though.

Three UK claimants sued the advertising behemoth in 2015 in a case led by Judith Vidal-Hall. Google settled with them. However, in ruling on the case, the court found that BGI could arguably constitute personal data, and that the complainants could potentially claim damages under section 13 of the UK Data Protection Act.

‘Safari workaround’ lawsuit

That encouraged another lawsuit in 2017 by former Which? executive director Richard Lloyd. This was a class action lawsuit, representing 5.4 million people allegedly affected by Google’s actions, as described by the lawsuit’s public awareness website, Google You Owe Us.

In October 2018, the High Court blocked the case from proceeding any further. It argued that while it found Google’s actions “wrongful, and a breach of duty”, it didn’t agree that complainants in a class action suit all shared a common interest. Neither did it agree that they could claim to have suffered ‘damage’ as defined under the DPA.

On 16 July 2018, Lloyd proceeded to the appeals court, which handed down its judgement on 2 October. The court decided that personal data has value, and that losing control over personal data can be considered damage under the DPA after all.

So now, the group has the freedom to continue with its case. A simple piece of browser hackery on Google’s part almost a decade ago continues to haunt it.