The EFF filed complaints with California and New York AGs on April 14, 2026, accusing Google of handing a student's data to ICE without prior notice, breaking a decade-long promise.
The Electronic Frontier Foundation this week escalated its legal campaign against Google, filing formal complaints with the California and New York Attorneys General accusing the company of deceptive trade practices after it handed user data to Immigration and Customs Enforcement without first notifying the account holder - a step Google had pledged to take as standard practice for nearly a decade.
The complaints, filed on April 14, 2026, center on the case of Amandla Thomas-Johnson, a dual British and Trinidad and Tobago citizen who was a Ph.D. candidate studying in the United States on a student visa. According to the EFF, ICE sent Google an administrative subpoena in April 2025 requesting Thomas-Johnson's account data, following his brief attendance at a pro-Palestinian protest at Cornell University in September 2024. Google complied with the subpoena in May 2025 - turning over the data without informing Thomas-Johnson, and without giving him any opportunity to challenge the request in court.
Google's user notification policy has been in place for close to a decade. The company states that it reviews all subpoenas and informs users when their accounts have been subpoenaed, "unless under legal order not to or in an exceptional circumstance," according to a statement provided by a Google spokesperson to Android Authority. The policy is designed to give users the chance to seek legal counsel and contest data requests before any information changes hands. Thomas-Johnson's case, according to the EFF, fits none of the stated exceptions.
F. Mario Trujillo, Senior Staff Attorney at the EFF, was direct in his assessment. According to Trujillo: "The subpoena targeting Amandla did not fit any of Google's exceptions. Google screwed up, and it needs to own its mistakes. There was no gag order, Amandla's personal account was targeted, the investigation did not involve child safety or threats to life, and his account was not hijacked."
Android Authority reported that it asked a Google spokesperson to clarify which specific exception the company believed applied to this case. No response had been received at the time of publication.
Thomas-Johnson, writing directly for the EFF on April 14, 2026, described receiving what appeared to be a routine email from Google while he was in Geneva, Switzerland - weeks after he had crossed into Canada at Niagara Falls, believing his ordeal with U.S. immigration authorities was behind him. The email was not a warning. It was a notification that data had already been released. The language, according to Thomas-Johnson, was final: "Google has received and responded to legal process from a law enforcement authority compelling the release of information related to your Google Account."
His lawyer at the EFF subsequently obtained a copy of the subpoena itself. According to Thomas-Johnson's account, the request focused primarily on subscriber information: IP addresses, physical address, other account identifiers, and session times and durations. Individually, these data points may seem limited. Taken together, they form a detailed surveillance profile. IP logs can approximate location across time. A physical address shows where someone sleeps. Session timestamps reveal patterns of communication - when a person was in contact with friends, family, or associates. The subpoena requested none of the content of messages, but the metadata alone constructs what Thomas-Johnson described as "intimate and invasive" picture of a person's life.
A key factual distinction runs through the EFF's complaints. While ICE requested that Google not notify Thomas-Johnson about the subpoena, that request was not backed by a court order. It was not a gag order, which is a legal instrument issued by a judge and enforceable as such. It was an agency-level request, with no judicial authority behind it. Google chose to honor it anyway, departing from a policy that exists specifically to protect users in exactly this kind of situation.
The EFF's position is that Google treated a non-binding request as though it carried the force of a court order - and in doing so, denied a user the chance to challenge a subpoena that, had he known about it, he could have contested legally. His associate Momodou Taal had received advance notice from both Google and Facebook when his data was similarly requested; law enforcement ultimately withdrew those subpoenas before either company complied. Thomas-Johnson was not given the same opportunity.
The case arrives at a moment when Google's relationship with user data is under sustained legal and regulatory scrutiny on multiple fronts. A federal jury in San Francisco delivered a $425.7 million verdict against Google in September 2025for continuing to collect data through its Firebase software development kit even after users disabled tracking through their Web and App Activity settings. Texas finalized a $1.375 billion settlement with Google on October 31, 2025, covering allegations of unlawful location tracking, incognito monitoring, and biometric data collection without consent. A federal judge approved a separate class-action settlement in March 2026 requiring Google to introduce a new control allowing users to limit what personal data the company shares during real-time bidding auctions - the first consumer-facing disclosure Google had ever made about its ad auction practices, according to the plaintiffs.
Each of these cases addresses a different dataset and a different legal theory. What they share is a pattern: Google maintaining data collection or data disclosure practices that diverge from what users are told to expect. PPC Land has tracked this accumulation of privacy enforcement actions across Google's products and services as the regulatory environment around data handling in the United States has hardened considerably in recent years.
The EFF chose to file with the California and New York Attorneys General specifically because both states have consumer protection statutes that cover deceptive trade practices - a legal category that extends beyond outright fraud to include situations where companies make explicit promises to users that they then fail to honor. California's Attorney General has been particularly active in privacy enforcement. The $1.55 million settlement with Healthline Media in July 2025 marked the largest monetary penalty imposed under the California Consumer Privacy Act to date, following a finding that the company continued sharing personal data with advertisers after users had opted out. New York's consumer protection framework similarly allows enforcement against companies that make material misrepresentations about how they handle personal information.
The EFF's theory is straightforward: Google made a public, specific promise to notify users before complying with law enforcement data demands, subject to narrow exceptions. That promise is material to users deciding whether and how to use Google's services. Google broke it in Thomas-Johnson's case without any of the stated exceptions applying. Filing with state AGs rather than a federal court reflects a strategic choice - state consumer protection enforcement has historically moved faster and operated with fewer procedural barriers than federal litigation, as demonstrated by a string of state-level settlements over the past two years.
Thomas-Johnson has not been charged with any crime. He attended a pro-Palestinian demonstration at Cornell for, according to his own account, five minutes. The Trump administration's broader crackdown on international students at protests forced him into hiding for three months, during which federal agents visited his home and a friend was detained at Tampa airport and questioned about his whereabouts. He eventually left the United States, crossing into Canada at Niagara Falls. He was subsequently in Geneva when the Google notification arrived.
His account raises questions that extend beyond his individual case. He wrote that the consequences of what happened are not abstract: "I left the United States. But I do not feel that I have left its reach. Being investigated by the federal government is intimidating. Questions run through your head. Am I now a marked individual? Will I face heightened scrutiny if I continue my reporting? Can I travel safely to see family in the Caribbean? Who, exactly, can I hold accountable?"
Those questions have particular weight because they come from a journalist - Thomas-Johnson notes that before his Ph.D., he worked as a reporter. The subpoena therefore touches not just on immigration enforcement and student speech but on the question of whether law enforcement data requests, made without judicial oversight and honored without user notification, can effectively suppress journalistic activity and political expression conducted on U.S. soil.
The EFF's framing goes beyond the specific procedural failure. In Thomas-Johnson's account, what the case illustrates is a structural dynamic: government agencies can make data requests to large technology companies, and those companies hold sufficient data to construct detailed behavioral profiles of individuals without accessing the content of any communications. Session times, IP addresses, and physical addresses alone create, in Thomas-Johnson's words, something "far more powerful" than the sum of their parts - a picture that can be used to reconstruct patterns of association, movement, and communication.
The administrative subpoena mechanism that ICE used here differs from a court-issued subpoena in a significant respect: it does not require prior judicial approval. The agency can issue the request directly, and the recipient company decides whether to comply. Google's notification policy was designed to insert a check into that process - a window in which a user could seek a court order to quash or limit the subpoena. Removing that window, even at a non-binding request from the requesting agency, eliminates the only practical point at which a user can intervene.
For marketers and advertising technology professionals, the case illustrates the extent to which platform-held data - the same data that underpins audience targeting, behavioral analysis, and attribution modeling - can be redirected toward law enforcement purposes with limited friction. The IP addresses, session timestamps, and device identifiers that advertisers routinely work with are also, in a law enforcement context, instruments of surveillance. The EFF case makes visible what the Google RTB privacy litigation has documented in a different register: the same data infrastructure that powers digital advertising can be used for purposes that have nothing to do with commercial targeting.
That convergence matters for how the industry thinks about data minimization, retention policies, and user transparency. Advertisers and publishers operating on Google's platforms work with data that Google also holds in other contexts - account data, session data, identity data. The EFF's argument that Google's notification promise is a material representation to users who rely on the platform applies with equal force to any company that holds similar data at scale and makes similar commitments.
The complaints do not seek monetary damages. They ask the California and New York Attorneys General to investigate Google for deceptive trade practices and, if they find the evidence supports it, to take enforcement action. Whether either office opens a formal investigation remains to be seen. The EFF has said it will publish the subpoena and supporting documents, including the legal complaints filed with both offices.
Who: The Electronic Frontier Foundation (EFF), represented by Senior Staff Attorney F. Mario Trujillo, filed complaints against Google LLC on behalf of Amandla Thomas-Johnson, a dual British and Trinidad and Tobago citizen who was a Ph.D. candidate at Cornell University. The complaints were directed to the California and New York Attorneys General. ICE, operating under the Department of Homeland Security, is the federal agency that issued the original administrative subpoena.
What: The EFF filed formal complaints alleging that Google engaged in deceptive trade practices by handing Thomas-Johnson's account data to ICE without first notifying him, in violation of Google's own longstanding policy. The data disclosed included IP addresses, physical address, account identifiers, and session times and durations. The EFF argues that none of Google's stated exceptions to its notification policy applied - there was no gag order, no child safety concern, no threat to life, and no hijacked account.
When: ICE sent the administrative subpoena to Google in April 2025. Google provided the data in May 2025. The EFF filed its complaints with the California and New York Attorneys General on April 14, 2026. The EFF's public rebuttal to Google's response followed on April 17, 2026.
Where: The protest took place at Cornell University in September 2024. Thomas-Johnson subsequently left the United States and was in Geneva, Switzerland, when Google's notification email arrived. The legal complaints were filed with state-level offices in California and New York.
Why: The EFF contends that Google made a material promise to users - to notify them before complying with law enforcement data requests - and broke it by honoring a non-binding, non-judicial request from ICE not to notify Thomas-Johnson. The foundation argues this constitutes a deceptive trade practice under California and New York consumer protection law, and that it sets a dangerous precedent for how technology companies respond to government data demands without judicial oversight.
