California Jury Orders Google to Pay Millions for Data Privacy Violations 

By Anna Hergert^*

PDF Available

A California jury ordered Google to pay $425 million in compensatory damages for violating privacy policies in a class-action lawsuit.^[1] This comes in the wake of Google’s $1.4 billion settlement with Texas earlier this year in two data privacy lawsuits.^[2]

The California class-action lawsuit, filed in July 2020, sought $31 billion in damages and alleged that Google violated privacy assurances in Google’s Web & Activity setting by accessing users’ data through their mobile devices.^[3] Through the Web & Activity setting, 98 million users turned off a toggle that they thought would prevent Google from tracking and sharing their data, though Google continued to do so.^[4] The plaintiffs’ attorney, David Boies of Boies Schiller Flexner LLP, showed the jury internal emails between Google software engineers who called the Web & Activity setting and the privacy policy language “misleading.” ^[5] The plaintiffs alleged that Google’s data collection extended into “hundreds of thousands of apps,” including Uber, Amazon, Facebook, and Venmo.^[6]

Google argued that users consented to data tracking because their privacy policy stated that “turning off the toggle would still allow collection of anonymized data.”^[7] Anonymized data is not personally identifiable information.^[8] Google stated that this data is stored in “segregated, secured, and encrypted locations.”^[9] Google also pointed out that after users turned off the toggle, an “Are You Sure?” window popped up, giving individuals the opportunity to click a link and read more about the privacy policy.^[10]

The jury was not persuaded by this defense, finding that the language in Google’s privacy policy was not “obvious to the average user.”^[11] The average user, the jury determined, would skim, rather than read, Google’s privacy policy.^[12] After ten hours of deliberation, the eight-person jury in the United States District Court for the Northern District of California found Google liable for two privacy violation claims.^[13] Boies reports that the plaintiffs were “very pleased” with the $425,651,947 verdict,^[14] which, shared among 98 million users, amounts to approximately $4 per device. 

The two successful claims were invasion of privacy under the California Constitution and common law intrusion upon seclusion.^[15] Though the two claims are distinct, they consist of similar elements: “(1) whether there exists a reasonable expectation of privacy and (2) whether the intrusion was highly offensive.”^[16] The jury found that the plaintiffs had a reasonable expectation of privacy and that Google’s lack of transparency over the Web & Activity toggle was “offensive conduct.”^[17]

However, the jury determined that Google did not act with malice, a finding that would have yielded punitive damages.^[18]According to California’s Computer Data Access and Fraud Act (CCDAFA), a person who “accesses and without permission takes, copies, or makes use of any data from a computer” is guilty of a public offense.^[19]  If it is proved by clear and convincing evidence that the defendant has violated CCDAFA with malice, the court may award punitive damages.^[20] Per the California Civil Code, “malice” means conduct intended to cause the plaintiff injury or “despicable conduct” with a “willful and conscious disregard of the rights or safety of others.”^[21]

Google plans to appeal the case, alleging that the decision “misunderstands how [their] products work” and that they “honor” users’ decisions to turn off personalization in Google settings.^[22] The appeal is expected to delay the proceedings for several years.^[23]

Though the $425 million verdict against Google seems like a big win for tech users, this case should urge those concerned with data privacy to read the fine print. In a digitally dependent world, simply opting out of data collection is not a practical remedy. Most consumers won’t stop using essential technologies over an unfavorable term or policy, and companies like Google know this. This case displays the problematic relationship between companies and their users: as long as a company’s terms, conditions, and policies are readable to the “average user,”^[24] companies have legal consent to share user data, even if that consent allows data to be used for “purposes we never imagined.”^[25] Though Google must pay the price of violating privacy interests, “it will take a lot more than $425 million for a giant company like Google to change,”^[26] leaving consumers with the burden of protecting their own data. Even if this case incentivizes companies to rethink their privacy policies, users should make a habit of reading and understanding the terms and conditions they agree to when downloading apps, using search engines, or purchasing new devices. In an online era, informed consent is the only tangible way for users to protect their information. 

---

^* J.D. Candidate, Class of 2027, Sandra Day O’Connor College of Law at Arizona State University

^[1] Peter Hoskins & Lily Jamali, Google Told to Pay $425m in Privacy Lawsuit, BBC (Sept. 4, 2025), https://www.bbc.com/news/articles/c3dr91z0g4zo. 

^[2] Isaiah Poritz & Christopher Brown, Google’s Trial Loss Shows Distaste of Complicated Privacy Terms, Bloomberg Law (Sept. 5, 2025, at 8:00 AM MST), https://news.bloomberglaw.com/litigation/googles-trial-loss-shows-distaste-of-complicated-privacy-terms.

^[3] Hoskins & Jamali, supra note 1.

^[4] Poritz & Brown, supra note 2.

^[5] Id.

^[6] Truman Lewis, Google Ordered to Pay $425m over Privacy Breach, Consumer Affairs (Sept. 4, 2025), https://www.consumeraffairs.com/news/google-ordered-to-pay-425m-over-privacy-breach-090425.html.

^[7] Poritz & Brown, supra note 2.

^[8] Jaclyn Diaz, A Judge Ordered Google to Share Its Search Data. What Does That Mean For User Privacy?, NPR (Sept. 19, 2025, at 5:00 AM ET), https://www.npr.org/2025/09/19/nx-s1-5538073/google-search-antitrust-data-privacy.

^[9] Google Must Pay $425 Million in Class Action Over Privacy, Jury Rules, CNBC (Sept. 3, 2025, at 8:21 PM EDT), https://www.cnbc.com/2025/09/04/google-must-pay-425-million-in-class-action-over-privacy-jury-rules.html?msockid=3c3850f7210c6e3b00c0443420366fe3.

^[10] Poritz & Brown, supra note 2. 

^[11] Id.

^[12] Id.

^[13] Hoskins & Jamali, supra note 1.

^[14] Google Must Pay $425 Million in Class Action Over Privacy, Jury Rules, supra note 9.

^[15] Rodriguez v. Google LLC, 772 F.Supp.3d 1093, 1098 (N.D. Cal. 2025).

^[16] Id. at 1104.

^[17] Poritz & Brown, supra note 2.

^[18] Hoskins & Jamali, supra note 1.

^[19] California Computer Data Access and Fraud Act, Cal. Penal Code § 502(c)(2) (2020).

^[20] California Computer Data Access and Fraud Act, Cal. Penal Code § 502(e)(4) (2020).

^[21] Exemplary Damages; when allowable; definitions, Cal. Penal Code § 3294(c)(1) (1992).

^[22] Hoskins & Jamali, supra note 1.

^[23] Diaz, supra note 8.

^[24] Poritz & Brown, supra note 2.

^[25] Diaz, supra note 8.

^[26] Poritz & Brown, supra note 2.