By Adam Ira, Frost Brown Todd LLC
Recently, the Indiana Attorney General’s Office filed a complaint on behalf of the state of Indiana against Google LLC. State of Indiana v. Google LLC is pending in Marion Superior Court 4 under Cause No. 49D04-2201-PL-002399. In the complaint, the state alleges that Google harvests consumers’ personal data, including location data, when consumers use Google products. Google in turn allegedly uses this data to target advertisements to consumers and evaluate the effectiveness of these advertisements.
The thrust of the complaint is that Google has allegedly “systematically misled, deceived and withheld material facts from consumers regarding how their location is tracked and used by the company and how and to what extent consumers can protect their privacy by stopping Google’s tracking and use of their location.” The complaint further alleges that “there is effectively no way for consumers to prevent Google from collecting, storing and profiting from their location data.” An investigation by multiple states purportedly revealed that “while Google purports to offer consumers meaningful choices as to the data Google collects and uses through customizable controls, Google’s ambiguous, contradictory and incomplete statements about these controls all but guarantee that consumers will not understand when their location is retained by Google or for what purposes.”
The factual allegations in the complaint are quite detailed and span 47 pages. The allegations culminate in several causes of action under the Indiana Deceptive Consumer Sales Act seeking (among other things) a permanent injunction against the complained-of privacy practices and disgorgement of all profits and benefits obtained from the complained-of practices. In the absence of a comprehensive data privacy law in Indiana, consumers must turn to the Deceptive Consumer Sales Act, Ind. Code § 24-5-0.5-3, et seq, to provide a remedy for unlawful privacy practices.
A comprehensive data privacy law is important for both consumers and data processors. Consumers need to have defined rights, and data processors need clarity on exactly what those rights are so they can govern their privacy practices accordingly. The wheels of justice turn slowly, and at present, data privacy rights in Indiana are almost exclusively defined by the common law, either through common law tort jurisprudence, or judicial interpretation of statutes that were not specifically designed to enforce privacy rights.
On this point, there is a bill (Senate Bill 358) currently making its way through the Indiana General Assembly that could establish a Consumer Data Protection Act similar to what Virginia, Colorado and California have in place. The bill, as currently written, would not give consumers a private right of action to enforce privacy rights, but would confer enforcement authority to the Indiana Attorney General’s Office. Among the rights spelled out in the bill are:
• The right to know whether a controller is processing the consumer’s data.
• The right to access personal data processed by a controller.
• The right to correct information,
• The right to delete information.
• The right to data portability.
• The right to opt out of targeted advertising or sale of data.
• A guarantee that a consumer’s privacy rights are not contractually waivable.
E-Discovery, Information Governance & Cybersecurity Section Executive Committee member Michael Daniells recently wrote an insightful LinkedIn post explaining the new bill making its way through the Indiana General Assembly. While it is still in its infancy, and its fate uncertain, this bill could put Indiana on the forefront of data privacy reform in the United States.
One thing is certain: State of Indiana v. Google LLC is going to be an interesting case with a far-reaching impact on data privacy in Indiana, regardless of the result.•
This article was originally published on the IndyBar E-Discovery, Information Governance & Cybersecurity Section blog. To see more from the section, visit indybar.org/edisc.