A New Legal Approach to Defending Email Privacy

Posted by Mark Greisiger

A Q&A with Ray Gallo of Gallo LLP

In January, University of California Berkley students brought a claim against Google alleging that the company was violating the Electronic Communications Privacy Act by using college emails to target ads to the students. I asked attorney Ray Gallo about his work on behalf of the students and how this case, which is currently focused on individuals and not a large class action, is different from its predecessors both in scope and strategy.

How are you using the Family Education and Privacy Rights Act (FERPA) in this case?  
Obviously, “educational records” will be found in some .edu emails. Google may be a vendor in operating an email system, but if Google used email content for commercial purposes that’s another matter. I believe Google knew that its university clients intended to comply with FERPA and that scanning and using the content of emails for commercial purposes—without express consent from students—would violate FERPA.

If the colleges gave students the promises of privacy, how is Google responsible?
The colleges appear to have said what they understood from Google. Some said they had specific contractual commitments from Google that there’d be no email scanning for ad purposes. Others said their contract specified there would be “no data mining.” That sounds like Google’s responsibility to me. We have documented through the Wayback Machine that Google was expressly saying “we’re not scanning for ads.”

How have you narrowed your claims to individual plaintiffs and if they win, how will you expand the suit to others?
We’ve focused on plaintiffs who didn’t consent to Google’s ad scanning, in part by focusing on schools that understood and told users that their emails were private from Google’s ad scanning. We are considering how much broader we may want to go. Consent is a defense and Google can use school disclosures to establish consent where those disclosures suggested there was (or could be) ad scanning. Back in 2014, the vast majority of schools didn’t do anything and were at best silent. So while this defense defeated class certification, we believe all or the vast majority of our clients are not subject to this defense.

How will you get discovery on Google’s scanning methods?
I can’t comment on strategy, but it seems clear from previous litigation on this issue, and previous statements by Google, that the emails were being intercepted, and we’ve alleged that. And that’s apparently what Yahoo was doing, too. I think we can infer there’s a reason why Google and Yahoo have been intercepting rather than scanning what’s in the the mailbox. Yahoo has agreed to stop doing that in the proposed settlement before Judge Koh. So I don’t see that there’s any implausibility argument for Google.

Why is Google intercepting emails rather than taking the information from their servers?
We don’t entirely know. We infer that it is more useful to know what a consumer is saying and thinking as soon as possible. If you’re emailing me about going out for ice cream, Google Ads would like to serve up an ad for ice cream then and there. Of course, scanning emails in the mailbox for commercial purposes and without consent may not be legal or proper, either, but it falls under different regulation.

I’m a big proponent of freedom of contract—if people are aware of the agreement and are willing to participate, that’s up to them. But let’s face it: We’re all accepting agreements we haven’t read. We all need to pay closer attention.

How might this case impact the public in terms of creating awareness around these issues?
Some people realize there’s a price they pay for free email service and do choose to use that service anyway. They may even like to be advertised to and influenced. But most people probably don’t realize they have better options. If you’re using an iPhone or Apple product, for example, you are already paying for an iCloud account. I wonder if eventually more people won’t use these in place of Google when they realize how much scanning is going on. Ultimately, what I hope we get from Google is clearer, more prominent disclosure and consents in the future, if there’s going to be scanning for commercial purposes. I’m a big proponent of freedom of contract—if people are aware of the agreement and are willing to participate, that’s up to them. But let’s face it: We’re all accepting agreements we haven’t read. We all need to pay closer attention.

What do you see as the most significant or game-changing aspect(s) of this case?
So far, Google hasn’t had to pay anything in damages, even though it apparently violated federal and various state statutes, and perhaps common law. We hope at a minimum that Google will be required pay some damages, and that will help ensure future compliance. My guess is that the value of the information obtained may have justified from a business perspective Google’s decision to risk violating these statutes, and that shouldn’t be. We know that if it’s cheaper or better business to engage in illegal actions then lots of businesses will. The main takeaway from any consumer fraud-style case is: Be forthright. It’s not very hard for organizations to comply with the law—which just requires consent—if you’re not intercepting emails or otherwise engaging in wiretapping, or if you get clear, prominent, written consent.

What may be equally important to the ECPA issues, though, is that aggregating claims using our LeverageÒ software means massive aggregate litigation is now possible even where class certification is not available, and plaintiffs can choose the benefits of individual litigation wherever that’s better for them while still achieving the scale of class-type litigation.

Can you speak bit more about Leverage? Will plaintiffs firms now develop their own technology to be able to pursue these cases? If so, how do you see that developing?

Leverage is a partial solution to the access to justice issues our society faces. Ironically, wrongdoers have failed to be careful what they ask for. They’ve opposed class certification broadly, through legislation and in the courts. It’s increasingly unavailable. Now they’re going to get the masses of more expensive and harder to beat individual cases. Leverage offers superior outcomes for plaintiffs who care enough to get involved. Leverage does that by making it economically viable for plaintiffs’ lawyers to vindicate numerous smaller claims on a contingent fee/mass action basis.

I’ve spent a fortune, learned the lessons, and built the right solution—made available to responsible and capable plaintiffs firms at reasonable prices. It’s user-friendly, elegant, and powerful. Hagens Berman is using it at www.vwrelief.com and we’re offering it as the communications tool of choice for class counsel in the VW diesel fraud MDL. Others are using it as a backup to a class action, to hedge the risk of losing on class certification. It’s also a great claims submission and processing platform and has been used in a class action settlement already. More information is available at www.whoneedsclasscert.com.

I believe plaintiffs’ lawyers increasingly will adopt this approach to helping people who previously could not be helped, or simply as a superior alternative to class treatment in many cases. It allows plaintiffs to try their best case and not just the common case, to recover individual damages, and to have multiple tries at winning and at recovering punitive damages where appropriate. It also enables plaintiffs’ counsel and their clients to set fees by agreement, rather than having the court do it. Leverage represents a new way for plaintiffs’ lawyers to work and help folks. It’s just beginning but we know this approach can make a big difference.

In summary…
We want to thank Ray Gallo for his insights. Plaintiffs’ firms are getting more and more creative in how they approach privacy and data breach cases so they can have viable causes of action. How courts define injury in these cases is evolving as there is better understanding of how electronic information and privacy intersects. There is now a resurgence not just in data breach cases but in cases for failed privacy practices, and all companies should be aware of these issues to better mitigate risk.