Google ordered to pay $425.7 million in privacy violation verdict

A federal jury in San Francisco delivered a $425.7 million verdict against Google on Wednesday, September 3, 2025, finding that the tech giant violated privacy rights of nearly 100 million users who explicitly disabled data tracking through their Web & App Activity settings. The eight-person jury determined that Google continued collecting personal information through its Firebase software development kit even after users turned off what the company described as comprehensive privacy controls.

The compensatory damages award represents one of the largest privacy settlements against a technology company, though significantly smaller than the $31 billion initially sought by plaintiffs. The jury found Google liable for invasion of privacy and intrusion upon seclusion under California's Constitution while rejecting claims under the state's Computer Data Access and Fraud Act.

According to the verdict in Rodriguez v. Google LLC (Case No. 3:20-cv-04688), Google violated user expectations by maintaining two separate data collection systems. While users believed toggling off Web & App Activity would stop all tracking, Google continued gathering information through Firebase SDK embedded in third-party mobile applications including Shazam, Lyft, The New York Times, and Duolingo.

The class action lawsuit, filed July 14, 2020, centered on Google's Firebase software development kit technology that automatically collects user data from mobile applications regardless of privacy settings. Firebase SDK captures what Google internally terms "automatically collected events" including page location, page referrer, and page title from every user interaction with participating applications.

Expert testimony revealed that Firebase SDK operates independently from Google's Web & App Activity controls, creating what plaintiffs characterized as deceptive privacy practices. David Monsees, Google's director responsible for Web & App Activity settings, testified that he understood the toggle to prevent data storage in user accounts but acknowledged continued collection for analytics purposes.

The lengthy litigation process included multiple amended complaints and extensive discovery phases. Google moved to dismiss various claims throughout the proceeding, with the court partially granting motions while allowing privacy-related allegations to proceed. The case survived class certification challenges and proceeded to trial in August 2025.

Michael Lasinski, the plaintiffs' damages expert, calculated losses using a conservative estimate of $3 per affected device monthly. The calculation assumed minimal data collection periods despite evidence suggesting longer tracking durations. Google successfully limited expert testimony to this conservative framework during pre-trial motions.

The jury verdict follows increased regulatory scrutiny of Google's privacy practices globally. France's data protection authority previously fined Google €50 million for similar Android data collection issues, while Arizona's Attorney General filed separate complaints alleging deceptive location tracking practices.

Firebase SDK deployment spans approximately 1.5 million applications, including 97% of the top thousand Android applications and 54% of leading iOS applications according to trial testimony. The technology enables Google Analytics integration and advertising services, creating financial incentives for widespread adoption among app developers.

Google's defense emphasized legitimate business purposes for data collection, arguing that Firebase analytics help developers improve application performance and user experiences. The company maintained that privacy disclosures adequately informed users about data practices and that continued collection served valid commercial interests.

Class representatives Anibal Rodriguez of Florida and JulieAnna Muniz of California testified about their expectations when disabling Web & App Activity settings. Rodriguez described his belief that the toggle would prevent all Google data collection from his mobile applications, while Muniz detailed similar privacy expectations for her iOS device usage.

The verdict addresses a fundamental tension between user privacy expectations and technology industry data collection practices. Firebase SDK's automatic operation means users cannot directly control its functionality, creating dependency on Google's privacy setting implementations for data protection.

Legal experts note the decision's significance for establishing user privacy rights in complex technology ecosystems. The ruling suggests that companies cannot rely on technical distinctions between data collection systems when making privacy representations to consumers.

Google spokesperson statements emphasized the company's commitment to user privacy while indicating potential appeals. The company argued that AI advancements and increased market competition have transformed the competitive landscape since the original practices occurred.

The case reflects broader digital privacy concerns as companies increasingly rely on interconnected data collection systems. Consumer advocacy groups highlighted the verdict as validation of growing privacy rights enforcement across technology platforms.

Technical evidence presented during trial revealed Google's internal communications about Firebase data collection capabilities. Documents showed company executives understood the distinction between Web & App Activity settings and Firebase operations while maintaining public messaging about comprehensive privacy controls.

The San Francisco federal court's jurisdiction over the case reflects California's role as a center for technology regulation and privacy litigation. California's constitutional privacy rights provided the legal framework for successful liability claims against Google's data practices.

Settlement negotiations preceded the jury verdict, though specific discussion details remain confidential under court orders. The substantial damages award may influence future privacy litigation strategies and corporate data governance practices industry-wide.

Timeline of Key Events

• July 14, 2020: Plaintiffs Anibal Rodriguez and JulieAnna Muniz file class action lawsuit Rodriguez v. Google LLC in Northern District of California
• 2020-2021: Multiple amended complaints filed as parties dispute case scope and legal theories
• May 21, 2021: Court grants partial motion to dismiss while allowing privacy claims to proceed
• 2022-2024: Extended discovery phase includes expert testimony and technical evidence gathering
• August 19, 2025: Trial begins with plaintiffs seeking $31 billion in damages
• September 3, 2025: Jury delivers $425.7 million verdict against Google

PPC Land explains

Firebase SDK: Google's software development kit that enables third-party mobile applications to integrate with Google's analytics and advertising services. The SDK automatically collects user data including page locations, referrers, and titles from every app interaction, regardless of user privacy settings. Firebase operates independently from Google's Web & App Activity controls, creating a separate data collection pathway that bypassed user privacy expectations. The technology spans approximately 1.5 million applications and serves as a critical component of Google's mobile advertising ecosystem.

Web & App Activity: Google's privacy control setting that users believed would stop all data collection when disabled. The toggle was designed to prevent Google from saving user activity to their personal accounts, but it did not halt Firebase SDK data collection from third-party applications. This disconnect between user expectations and actual functionality formed the core of the privacy violation claims. Google's internal documentation showed employees understood this distinction while maintaining public messaging about comprehensive privacy controls.

Class Action Lawsuit: A legal proceeding where Anibal Rodriguez and JulieAnna Muniz represented nearly 100 million Google users who disabled Web & App Activity settings but continued having their data collected. The lawsuit format allowed individual consumers to collectively challenge Google's privacy practices, which would have been economically unfeasible as separate cases. Class certification enabled the case to proceed despite each affected user suffering relatively small individual damages that accumulated into the $425.7 million verdict.

Privacy Rights: Legal protections under California's Constitution that establish individuals' expectations of confidentiality in their digital communications and data. The jury found Google violated these rights by continuing data collection despite users' explicit instructions to stop tracking. California's privacy framework provided stronger protections than federal law, enabling successful liability claims against Google's technical distinctions between data collection systems.

Data Collection: Google's systematic gathering of user information through multiple technological pathways, including direct account activity and third-party application analytics. The case revealed how modern data collection operates through interconnected systems that can bypass individual privacy controls. Evidence showed Google collected page locations, referrer information, and user interaction patterns even when users specifically opted out of tracking through their account settings.

Compensatory Damages: The $425.7 million monetary award designed to compensate class members for their privacy losses and Google's unauthorized use of their personal information. The damages calculation used expert testimony suggesting $3 per affected device monthly, though the actual collection periods likely extended longer. This award represents one of the largest privacy settlements against a technology company, establishing precedent for valuing digital privacy violations in complex technological environments.

Northern District of California: The federal court jurisdiction where the case was decided, reflecting California's role as the center for technology regulation and privacy litigation. The court's location in San Francisco provided proximity to both Google's Mountain View headquarters and the technology industry practices under scrutiny. California's legal framework, including constitutional privacy rights, enabled the successful prosecution of claims that might not have succeeded in other jurisdictions.

Third-Party Applications: Mobile apps developed by companies other than Google that integrated Firebase SDK to access Google's analytics and advertising services. These applications, including Shazam, Lyft, The New York Times, and Duolingo, served as conduits for Google's data collection even when users believed they had disabled tracking. The apps' dependence on Google's services for functionality created a ecosystem where user privacy choices became ineffective against background data collection.

Google Analytics: The web and mobile analytics service that provided data insights to application developers while simultaneously feeding information back to Google's advertising systems. Firebase SDK integration enabled Google Analytics to operate across third-party applications, creating comprehensive user profiles that transcended individual privacy settings. The service's widespread adoption among developers made it difficult for users to avoid Google's data collection ecosystem entirely.

California Constitution: The state constitutional framework that established privacy as a fundamental right and provided the legal basis for the successful lawsuit against Google. Article I, Section 1 explicitly protects privacy rights, creating stronger legal protections than federal law. The constitutional privacy provision, added through Proposition 11 in 1972, specifically aimed to prevent businesses from collecting and misusing personal information without consent, directly applicable to Google's practices.

Summary

Who: An eight-person federal jury in San Francisco ruled against Google LLC in a class action lawsuit representing nearly 100 million users who disabled Web & App Activity tracking settings.

What: The jury awarded $425.7 million in compensatory damages after finding Google violated privacy rights by continuing data collection through Firebase SDK despite users turning off tracking controls. Google was found liable for invasion of privacy and intrusion upon seclusion under California's Constitution.

When: The verdict was delivered Wednesday, September 3, 2025, following a trial that began August 19, 2025. The underlying data collection practices occurred over an eight-year period after users disabled privacy settings.

Where: The case Rodriguez v. Google LLC (Case No. 3:20-cv-04688) was decided in the United States District Court for the Northern District of California in San Francisco, with Google's headquarters in nearby Mountain View providing jurisdictional basis.

Why: The lawsuit emerged from Google's use of Firebase SDK technology that continued collecting user data from third-party mobile applications even after users specifically disabled Web & App Activity tracking, creating what plaintiffs successfully argued was deceptive privacy practices violating user expectations and California law.