
The Goldilocks Principle: New Ninth Circuit Decision Makes It Clear that Privacy Policies Should Be Neither Too Short Nor Too Long

Sophisticated businesses face complex and fast-changing privacy laws. On the internet, many companies have chosen to address that dynamism by serially amending their privacy policies. Such efforts are used to satisfy regulators and defeat potential class action litigation. However, instead of simply adding to those policies, a recent Ninth Circuit decision makes it clear that companies must work to harmonize and consolidate their policies.

On August 20, 2024, the Ninth Circuit issued an opinion in Calhoun v. Google LLC that provides important guidance as to how complex a privacy policy can be while still remaining effective. The court sent the case back to the district court to evaluate whether a “reasonable” user of the Google Chrome browser should be presumed to have consented to a general privacy policy when they had specifically opted out of syncing their information from Chrome with their Google accounts.

The Calhoun plaintiffs declined to sync their Chrome browser programs with their Google accounts. According to the complaint, these plaintiffs believed, based on Chrome’s privacy notice, that Google would not use or sync certain personal information collected while they browsed the internet. However, personal browsing data from these Chrome users was, in fact, transmitted to Google. In response, Google did not deny the data collection but instead alleged that the plaintiffs agreed to this data collection when they consented to the more permissive terms of Google’s general privacy policy. After holding an evidentiary hearing, the district court concluded that Chrome users had consented to Google’s data collection under the general privacy policy and granted summary judgment for Google.

The Ninth Circuit did not agree. In reversing, the Ninth Circuit held that the district court failed to conduct a proper “reasonable person” inquiry. The Ninth Circuit explained that the issue of consent should not be determined by “attributing to that user the skill of an experienced business lawyer or someone who is able to easily ferret through a labyrinth of legal jargon to understand what he or she is consenting to.” Rather, the Ninth Circuit instructed the district court to consider a reasonable user with “a level of sophistication attributable to the general public.”

Since the procedural posture calls for a new hearing in the district court, this story is not yet completed. However, a few lessons are clear even at this point:

First, companies should work to harmonize and de-conflict their privacy policies. The Ninth Circuit decision makes it unlikely that you can win on privacy policy terms that are disclosed in one policy but not in another. 

Second, that harmonization work should be done with an eye toward a “reasonable user” standard. As such, technical language or “legal jargon” should be minimized. 

Third, companies should be prepared to deal with lengthy evidentiary hearings in cases involving similar challenges. The first evidentiary hearing was more than seven hours long. We can expect the Ninth Circuit-ordered repeat hearing to be similarly long. The specter of a similar mini-trial on the policies should inform companies’ approach to their policies.

Finally, companies should brace for a bloom of new cases attempting to articulate similar claims. Some of these cases will likely involve existing class action theories. However, time will tell if a new and distinct theory of recovery comes from this decision.
