A class action filed Feb. 19 in California accuses Google of transmitting Americans' browsing data to Chinese-affiliated ad partners via real-time bidding, violating federal national security rules.
A class action lawsuit filed on February 19, 2026, in the United States District Court for the Northern District of California accuses Google LLC of systematically transmitting the private browsing data of millions of Americans to advertising entities owned by, controlled by, or subject to the jurisdiction of the People's Republic of China - doing so through the very infrastructure that powers its $307.4 billion annual advertising business.
The case, docketed as 3:26-cv-01446 and styled McGrath v. Google LLC, was brought by plaintiff Nicole McGrath, a New Hampshire resident, on behalf of a nationwide class estimated to number in the tens of millions. It targets three specific advertising partners active inside Google's real-time bidding (RTB) ecosystem: Pangle, operated by ByteDance Pte. Ltd., the Chinese parent company of TikTok; MediaGo, operated by Baidu USA LLC, a subsidiary of the Beijing-based search giant Baidu; and Temu, operated by Whaleco Services LLC, a wholly owned subsidiary of PDD Holdings Inc., which maintains substantial operations and personnel in China.
The complaint, filed by Freed Kanner London & Millen LLC together with Carroll Shamberg LLC, alleges violations of the federal Electronic Communications Privacy Act (18 U.S.C. § 2511), California's wiretapping statute (Cal. Penal Code § 631), California's pen register statute (Cal. Penal Code § 638.51), California's computer fraud statute (Cal. Penal Code § 502), the California constitutional right to privacy, California's Unfair Competition Law, and the common law tort of intrusion upon seclusion. The lawsuit seeks statutory damages of $10,000 or $100 per day per violation under the ECPA - whichever is greater - plus $5,000 per violation under California's wiretapping and pen register statutes, in addition to compensatory and punitive damages.
To understand the legal theory, it helps to understand the plumbing. Each time a user loads a webpage that carries Google advertising code - through products including Google Ads, Google Ad Manager, Google Publisher Tag, Google Ad Exchange, and the underlying DoubleClick infrastructure - Google executes a real-time bidding auction in a fraction of a second. According to the complaint, Google sends "bid requests" to approved advertising partners, furnishing them with information about the user and the page being viewed. Those bid requests, according to the filing, include the full URL of the page, the user's IP address, IP-derived geolocation, and cookie data.
But the complaint goes further, citing Google's own technical documentation. Bid requests may also carry audience classification codes drawn from the IAB TechLab Audience Taxonomy, a standardized list of over 1,999 characteristics assignable to individual users - including, according to the filing, their involvement in aerospace and defense procurement or their use of payday and emergency loans. They may additionally carry content classification codes from the IAB TechLab Content Taxonomy, which categorize the subject matter of the page being viewed across sensitive categories including bankruptcy, mental health, substance abuse, sexual conditions, and specific religious traditions.
Beyond the bid request itself, Google runs a parallel process called cookie syncing - which Google itself calls "cookie matching." The mechanism works like this: Google assigns each user an internal identifier, the Google GID, which is not stored in the user's browser but instead embedded directly into communications with advertising partners. Because different advertising companies use different identifiers, cookie syncing allows a partner receiving a bid request from Google to link Google's identifier for a user to that partner's own records for the same individual. Once the link is established, the partner can recognize that user across every subsequent auction and build profiles accordingly.
According to the complaint, Google transmits the Google GID to Pangle (identified internally in Google's systems as "toutiao_usd"), MediaGo (identified as "baidu_mediago"), and Temu (identified as "whaleco_services_llc") through this cookie syncing process on sensitive websites including Drugs.com, BibleHub.com, and Parents.com. On Drugs.com, for instance, a search for "lithium" or a visit to a page on opioid safety transmits those terms within URLs to Google's DoubleClick infrastructure alongside the user's identifying cookies, IP address, and device information. That data then flows, via RTB bid requests, to all three Chinese-affiliated partners simultaneously.
The complaint also draws attention to Google's IDE and DSID cookies. The IDE cookie tracks and profiles users even when they are not signed into a Google account. The DSID cookie is linked directly to a user's Google account, meaning Google can associate browsing activity collected across third-party websites with an identified individual who is logged into Gmail or YouTube in the same browser. Together with the Google GID and IP addresses, these identifiers constitute what the filing describes as a comprehensive, cross-site dossier capable of profiling users' daily routines and behaviors.
At the legal core of the case sits the Bulk Sensitive Data Rule (BSDR), a federal regulation that took effect on April 8, 2025. The rule originates in Executive Order 14117, under which the President determined that commercial transfers of Americans' bulk sensitive personal data to countries of concern - including China - present a national security risk. The Department of Justice implemented the rule through the Data Security Program, codified at 28 C.F.R. Part 202 and administered by the National Security Division.
The BSDR defines a set of "listed identifiers" that includes device identifiers, IP addresses, and cookie data. A listed identifier becomes a "covered personal identifier" - and therefore regulated sensitive personal data - when it is transferred in combination with any other listed identifier, or in combination with data that links or is linkable to other sensitive personal data. The rule prohibits such transfers when directed at a "covered person," defined as any foreign person at least 50 percent owned, directly or indirectly, by a country of concern. China is expressly designated as such. The prohibition triggers only for transfers meeting the "bulk" threshold: data relating to 100,000 or more U.S. persons in a 12-month period.
The complaint cites illustrative examples from the DOJ's own regulatory text. Example 4 in 28 C.F.R. § 202.214(b)(4) describes a U.S. company that operates a mobile app and provides IP addresses and advertising IDs of more than 100,000 U.S. users to an advertising exchange based in a country of concern - the DOJ concludes that transaction is prohibited. Example 5 involves a U.S. company providing the same data to a domestic advertising exchange, which then passes it to advertisers headquartered in a country of concern. The DOJ concludes the onward transfer is prohibited data brokerage because the foreign advertisers did not collect the data directly from the individuals. The complaint argues Google's position in the advertising chain closely parallels Example 5.
According to the filing, Google's RTB and cookie syncing systems function continuously across thousands of websites, users, and auctions at a scale that "surpasses the 100,000-person threshold that defines bulk transfers under the BSDR." The complaint therefore argues that Google's transfers to Pangle, MediaGo, and Temu constitute prohibited covered data transactions under 28 C.F.R. §§ 202.210 and 202.301(a).
The filing reconstructs a paper trail of internal awareness that stretches back more than a decade. According to a trial exhibit from United States et al. v. Google LLC, No. 1:23-cv-00108, a 2016 internal Google document noted that auditing what buyers do with RTB data is "tough because we mostly send data, not ingest." In January 2021, according to an email introduced in United States v. Google, No. 1:20-cv-03010, Google's Chief Marketing Officer wrote to CEO Sundar Pichai explicitly characterizing "real time bidding on user data" as "bad." Pichai did not act on the recommendation, according to the complaint. An internal planning document from late 2021, filed as a trial exhibit in the ad-tech antitrust case, set the objective to "Make RTB privacy safe" over the following three years. Google failed to implement it, the complaint alleges.
Then, in December 2024, Google announced a policy change described by the company as being "less prescriptive with partners in how they target and measure ads," according to Google's own platform policy documentation. The complaint characterizes this as loosening prior restrictions on the use of IP addresses and device-level data to identify individual users - moving in the opposite direction from the security improvements its own executives had called for.
The complaint devotes substantial attention to the legal frameworks applicable to each recipient. Temu is operated in the U.S. by Whaleco, Inc., a wholly owned subsidiary of PDD Holdings Inc. Although PDD Holdings nominally lists principal executive offices in Ireland, the filing notes substantial operations and personnel in China and points to Chinese law - including the National Intelligence Law, Cybersecurity Law, and Data Security Law - which can compel cooperation with government intelligence operations. In August 2024, twenty-one state attorneys general issued a formal warning about Temu's data practices and its obligations under Chinese law. By 2025, the attorneys general of Nebraska and Kentucky had each filed lawsuits against Temu alleging its mobile app functions as spyware. In September 2025, the Federal Trade Commission secured a $2 million settlement with Temu under the INFORM Consumers Act. Temu had also abruptly withdrawn from U.S. Google Shopping advertising on April 9, 2025.
Pangle is owned and operated by ByteDance Pte. Ltd., a subsidiary of ByteDance Ltd., the Chinese parent company of TikTok. ByteDance's relationship with the Chinese state has been the subject of congressional investigation and executive action. The complaint also notes that on January 22, 2026, TikTok USDS Joint Venture LLC announced its formation to comply with an executive order signed in September 2025, with ByteDance retaining a 19.9 percent stake. The TikTok data transfer debate has been litigated simultaneously in European courts, where the Irish High Court granted TikTok a stay on a €530 million fine for data transfers to China while its appeal proceeds.
MediaGo is owned and operated by Baidu USA LLC, an affiliate of Baidu, Inc., headquartered in Beijing. According to the complaint, MediaGo's own privacy policy expressly references its relationship to Baidu and the processing of information in connection with Baidu corporate operations.
The filing is unusual in the breadth of its national security framing. It points to a November 2023 report by researchers at the Irish Council for Civil Liberties, which documented commercially available Google RTB segments identifying users as "decision makers for the Government Industry, specifically National Security and International Affairs," "people who work at companies in aerospace manufacturing," "active military" personnel, and "people who are likely Judges." Other segments, cited in a joint FTC complaint filed by EPIC and ICCL Enforce in January 2025, identify users by estimated income brackets, health conditions, prescription medication use, sexual orientation, ethnicity, and political media consumption. A 2024 Wired investigation, cited in the complaint, documented that data derived from RTB systems had been purchased on the commercial market and used to track the movements of U.S. military and intelligence personnel to sensitive facilities.
PPC Land reported in January 2025 on the EPIC and ICCL Enforce complaint to the FTC that alleged Google's RTB system, which operates on 35.4 million websites, 91 percent of Android apps, and 75 percent of iOS apps, broadcasts data about U.S. individuals approximately 31 billion times per day. That complaint was the first ever filed under the Protecting Americans' Data from Foreign Adversaries Act. The Google-RTB national security nexus has now escalated from a regulatory complaint to a federal lawsuit.
This lawsuit arrives in the middle of an extraordinary period of legal pressure on Google's advertising infrastructure. In September 2025, a landmark RTB privacy settlement valued between $1.4 billion and $21.6 billion was filed for court approval in the Northern District of California, establishing a new "RTB Control" allowing users to remove all identifiers from bid requests. That settlement required Google to implement the control by February 13, 2026. Separately, a Virginia federal judge ruled in April 2025 that Google holds an illegal monopoly in publisher ad server and ad exchange markets, with remedies hearings proceeding through the fall. In September 2025, a court ruled that Google must disclose material changes to its ad auctions.
The McGrath complaint names conduct that overlaps with - but is legally distinct from - all of these proceedings. Where the RTB settlement addresses domestic privacy rights of Google account holders, the new suit invokes national security law and alleges an entirely separate category of harm: the transmission of Americans' sensitive behavioral data to entities subject to compelled-disclosure obligations under a foreign government's intelligence statutes.
The BSDR's civil and criminal penalties provisions underscore the seriousness with which the federal government treats these transfers. According to the complaint, Google's violation is not incidental to its operations but central to its advertising business model. The complaint asks the court to certify a class of all U.S. individuals whose electronic communications with websites incorporating Google's advertising technology were intercepted and whose personal information was transmitted to Pangle, MediaGo, Temu, or other covered persons under 28 C.F.R. § 202.211 on or after April 8, 2025. The exclusions are standard: Google's employees, the presiding judge, jurors, and counsel for both parties.
Google has not yet responded publicly to the complaint. No response from Google LLC had been filed as of the date of writing.
Who: Plaintiff Nicole McGrath, a resident of Hudson, New Hampshire, filed a class action on behalf of millions of U.S. internet users against Google LLC, a Delaware limited liability company headquartered in Mountain View, California and a wholly owned subsidiary of Alphabet Inc. The law firms Freed Kanner London & Millen LLC and Carroll Shamberg LLC represent the plaintiff class. The named advertising defendants within Google's ecosystem are Pangle (ByteDance), MediaGo (Baidu), and Temu (PDD Holdings).
What: The lawsuit alleges that Google's real-time bidding infrastructure and cookie syncing system intercept Americans' browsing activity - including sensitive health searches, religious content, and parenting topics - and transmit persistent user identifiers (the Google GID, IDE and DSID cookies, IP addresses, and device data) to Chinese-affiliated advertising entities, in violation of the Bulk Sensitive Data Rule, the Electronic Communications Privacy Act, and four California statutes. Statutory damages sought reach $10,000 per ECPA violation and $5,000 per California wiretapping and pen register violation.
When: The complaint was filed on February 19, 2026. The conduct alleged begins on or after April 8, 2025 - the date the Bulk Sensitive Data Rule took effect. Internal Google communications cited in the filing document awareness of RTB privacy risks going back to at least 2014, with documented executive concern as recently as January 2021.
Where: The case was filed in the United States District Court for the Northern District of California, where Google is headquartered. The advertising infrastructure at issue - including the cookie syncing systems and RTB platforms - is developed, maintained, and operated from Google's facilities in Mountain View, California. The data alleged to be transmitted flows to advertising entities subject to Chinese jurisdiction.
Why: The plaintiff argues that Google's integration of Chinese-affiliated advertising partners into its RTB ecosystem creates concrete national security harm. Under China's National Intelligence Law, Cybersecurity Law, and Data Security Law, the receiving entities can be compelled to cooperate with government intelligence operations and grant authorities access to private user data. The U.S. government's own assessment, codified in the Bulk Sensitive Data Rule, determined that commercial transfers of Americans' persistent identifiers to entities subject to Chinese jurisdiction represent an "unusual and extraordinary threat" to national security - a determination the complaint argues makes Google's secret facilitation of these transfers not merely a privacy violation but a federal offense.
