A handful of Chrome users have sued Google, accusing the browser maker of collecting personal information despite their decision not to sync data stored in Chrome with a Google Account.
The lawsuit [PDF], filed on Monday in a US federal district court in San Jose, California, claimed Google promises not to collect personal information from Chrome users who choose not to sync their browser data with a Google Account but does so anyway.
"Google intentionally and unlawfully causes Chrome to record and send users’ personal information to Google regardless of whether a user elects to Sync or even has a Google account," the complaint stated.
Filed on behalf of "unsynced" plaintiffs Patrick Calhoun, Elaine Crespo, Hadiyah Jackson and Claudia Kindler – all said to have stopped using Chrome and to wish to return to it, rather than use a different browser, once Google stops tracking unsynced users – the lawsuit cited the Chrome Privacy Notice.
Since 2016, that notice has promised, "You don’t need to provide any personal information to use Chrome." And since 2019, it has said, "the personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google Account by turning on sync," with earlier versions offering variants on that wording.
Nonetheless, whether or not account synchronization has been enabled, it's claimed, Google uses Chrome to collect IP addresses linked to user agent data, identifying cookies, unique browser identifiers called X-Client Data Headers, and browsing history. And it does so supposedly in violation of federal wiretap laws and state statutes.
Google then links that information with individuals and their devices, it's claimed, through practices like cookie syncing, where cookies set in a third-party context get associated with cookies set in a first-party context.
Features vs compatibility: Google Chrome team promises more 'rigour', but what does that mean?READ MORE
"Cookie synching allows cooperating websites to learn each other’s cookie identification numbers for the same user," the complaint says. "Once the cookie synching operation is complete, the two websites exchange information that they have collected and hold about a user, further making these cookies 'Personal Information.'"
The litigants pointed to Google's plan to phase out third-party cookies, and noted Google doesn't need cookies due to the ability of its X-Client-Data Header to uniquely identify people.
Google has previously said it doesn't use the X-Client-Data Header for that purpose and has other methods of matching data to profiles and of creating unique identifiers.
The lawsuit also challenged the use of ad tech like Google Tag Manager code that creates interactions with other servers and exchanges data that can be connected to personal information.
The reception these claims receive in court likely depends on what qualifies as personal information, whether data that can be linked to personal information should be classified in the same way, and the extent to which Chrome privacy commitments bind data transactions that occur through general web technology.
The lawsuit went on to attempt to paint Google as a hypocrite for publicly declaring that non-consensual electronic surveillance represents "dishonest" behavior – a statement made as part of a Google prohibition on ads promoting products for covert surveillance – while continuing to gather information via Chrome.
"Although Google promises that Chrome users can opt out of Google surveillance by not providing any personal information to use Chrome and not synching their data, those promises are not true," the lawsuit contended. "Unbeknownst to users, Google has programmed Chrome for surveillance no matter what the user does."
Google did not respond to a request for comment. ®