Two Dutch consumer groups, the Privacy Protection Foundation and Consumentenbond, have filed suit against Google over its targeted advertising auctions. The suit is seeking the equivalent of $804 for each Google user harmed by its “constant surveillance” and sharing of personal data.
The privacy lawsuit was first announced in May, and since then about 82,000 people have signed up for it. It was filed in Amsterdam District Court, and remains open to anyone who lives in the Netherlands and has used Google services anytime since March 2012.
Consumer groups blast Google for “constant monitoring”
In addition to seeking compensation for damages, the privacy lawsuit is looking to ban Google from any tracking and profiling of consumers due to alleged “large-scale” breaches of European privacy legislation. The Dutch courts have some history of finding in favor of complaints about big tech platforms that seek bans on targeted advertising; this happened to Meta in March of this year, with a more recent follow-up order from the Norwegian Data Protection Authority forbidding the company from using any personalized advertising systems due to lack of proper legal basis for processing user data. That suit also involved one of the same consumer groups.
At the core of the privacy lawsuit is Google’s bidding system for targeted ads, which has run into prior regulatory trouble throughout Europe. Advertisers engage in “real time bidding” for ad display slots targeted at their desired demographics and keywords, and the consumer groups argue that users in Europe can be exposed to this bidding process hundreds of times each day as they go about their normal internet activities.
In Google’s case, targeted ad data is supposed to be anonymized by assigning the user an individual ID number not tied to personally identifying information. However, in practice the system scoops up so much information that it is possible to identify someone by putting data points together, and this is before this information gets into the hands of third-party data brokers that build even more detailed profiles that can be connected to actual identities.
If the courts find for the plaintiffs and award the maximum damages requested, at present Google would be on the hook for at least $65 million given the current number of claimants. However, the privacy lawsuit is in an indefinite open period for new signups and likely every resident of the Netherlands (total population 17.5 million) that has a computer or smartphone has used a qualifying Google product at some point since 2012.
Privacy lawsuit boosted by recent developments in regional law
Part of the privacy lawsuit’s foundation is built on the Amsterdam District Court’s March decision that Facebook was in violation of EU data protection rules by failing to obtain proper consent from users and declare a valid lawful basis for processing. In a similar suit also organized by consumer groups, Facebook could be taxed for the period of 2010 to 2020 (with an estimated 10 million Netherlands residents potentially eligible as claimants). This decision is under appeal by Meta, however, which continues to operate as usual in the region.
Real time bidding has been under legal assault in the EU since 2018, when the GDPR went into effect, but multiple complaints by consumer groups have gone nowhere for years. Legal challenges to both the UK and Ireland’s data regulators have been filed over perceived foot-dragging on the issue. Countries have since started taking a different tack in dealing with the issue, exemplified by the recent actions in the Netherlands and an early 2022 decision by Belgium’s DPA that shook up the way in which companies can claim valid user consent.
The battery of actions from consumer groups and regulatory penalties does seem to have at least pushed Google to develop its alternative “Privacy Sandbox” program designed to replace tracking cookies with a more anonymized technology, though this too is already raising concerns about consent and actual ability to protect privacy as it begins rolling out to Chrome browser users.
Privacy lawsuits in the bloc also will likely benefit from a recent decision by the Court of Justice of the EU that established no threshold of seriousness for claims of non-material harm in cases involving privacy damage. This opens the door to claims of emotional or psychological distress caused by something like a theft of private or sensitive personal data.