Overview
On October 8, 2018, Google announced a data breach that impacted users of its Google+ social media network (“Google+ Data Breach”). The personal information of up to 500,000 Google+ users was exposed due to a software glitch that gave third-party application developers access to private Google+ profile data between 2015 and March 2018.
Similar to Facebook’s Cambridge Analytica scandal, Google+ users’ personal information was supposed to be protected and shared only with expressed permissions and limitations. However, Google allowed third-party application developers to improperly collect the personal information of Google+ users. Instead of informing the public about the breach and exposure of users’ personal information immediately, Google chose to conceal the breach from the public for approximately 7 months, hoping to avoid the public backlash and Congressional scrutiny surrounding Facebook’s widely publicized Cambridge Analytica scandal.
On October 17, 2018, Frank Azar & Associates filed a class action lawsuit against Google and its parent company, Alphabet Inc., alleging violations of unfair competition laws, violations of the Colorado Security Breach Notification act, negligence, invasion of privacy, deceit by concealment, and a breach of Google’s implied contract with users.
On January 6, 2020, plaintiffs asked Judge Edward J. Davila to approve a proposed settlement in which Google agreed to pay Google+ users $7.5 million to settle their class action claims related to the data breach.
Nature of the Claims Against Defendants
Google+ (or Google Plus) is a social network owned and operated by Google for consumers with Google accounts. Like other social media platforms such as Facebook or Twitter, Google+ facilitates the sharing of information, photographs, weblinks, conversations, and other content between users.
As part of the sign-up process and as a consequence of interacting with their social network, Google+ users create, maintain, and update profiles containing significant amount of personal information, including their names, birthdates, hometowns, addresses, locations, interests, relationships, email addresses, photos, and videos, amongst other items.
Google maintains a privacy policy that makes specific representations to its users regarding its affirmative duty to protect users’ personal information, specifically providing that users are in control of who has access to their personal information. When a user adds a contact to his or her Google+ account, the user assigns that person to one or more “circles” in order to categorize or organize the contact. Google+ users determine privacy settings for content, allowing content to be shared with the public or with only those in designated circles.
While users’ personal information on Google+ was supposed to be protected and shared only within these expressed permissions and limitations, Google allowed third-party application developers to improperly collect the personal information of up to 500,000 Google+ users.
In practice, the Google+ Data Breach occurred as follows:
- Google+ User 1 (“User 1”) is friends with Google+ User 2 (“User 2”);
- User 1 shares personal information with her friends, including User 2;
- User 2 decides to connect to a third-party application through Google+;
- User 2 is prompted to give that application access to his own personal data, and he consents to providing it;
- Because of the Google+ Data Breach, the third-party application was also improperly granted access to all the details—including ones not marked public—that User 1 had only given consent to be shared with User 2.
Despite Google’s awareness of the breach as early as March 2018, instead of choosing to be transparent about the Google+ Data Breach, Google explicitly chose to conceal it from the public until after the public outcry following Facebook’s widely publicized Cambridge Analytica scandal had exhausted – hoping to avoid both public and Congressional scrutiny.
The complaint alleges that the Google+ Data Breach, and Google’s conduct following the breach, violated unfair competition laws and the Colorado Security Breach Notification Act. Additionally, the complaint alleges negligence, invasion of privacy, deceit by concealment, and a breach of Google’s implied contract with its users.
On January 6, 2020, plaintiffs asked Judge Edward J. Davila to approve a proposed settlement in which Google agreed to pay Google+ users $7.5 million to settle their class action claims related to the data breach.
Related Media
Google To Pay $7.5M To End Google+ Data Breach Suit
Google Exposed User Data, Feared Repercussions of Disclosing to Public
Google+ Will Shut Down After Security Hole Exposed User Data to Outside Develpers, Report Says
Google shutting down Google+ in the aftermath of a privacy glitch
Google faces mounting pressure from Congress over Google+ privacy flaw