Users Settle Google COVID-19 Contact Tracing App Data Exposure Class Action with Injunctive Relief-Only Agreement


The plaintiffs alleging that Google LLC failed to safeguard their information despite promises otherwise in it and Apple’s contact-tracing COVID-19 app, have resolved the dispute with Google, according to the motion for preliminary approval filed late last week. With the settlement comes changes that will purportedly help ensure that Google will keep its data privacy promises in relation to its Emergency Notification (EN) System app.

As previously reported, individuals filed suit alleging that Google misrepresented that the  identities of users and their COVID-19 status would remain anonymous, and would not be collected by Google or shared with other users. By March 2021, over 28 million users had allegedly signed up for the system, thereby disclosing medical and other identifying information to the defendants.

According to the plaintiffs’ “detailed forensic analysis,” Google did not hold up its end of the bargain. “Google fundamentally erred in its design and implementation of its EN System by leaving users’ private health information unprotected on Android device ‘system logs’ to which Google and third party app developers had routine access,” the filing explained. 

Further, though it became aware of the flaw in its contact-tracing app in February 2021, yet “failed to inform the general public or to satisfactorily address the security flaws to prevent the problems moving forward.”

The motion for preliminary approval notes that the parties reached agreement while Google’s motion to dismiss, filed last August, was pending. Therein, Google argued that the plaintiffs lack constitutional standing for failure to allege requisite injury.

Now, the plaintiffs tout that the settlement resolves the dispute quickly and rectifies the flaws identified. Under the terms of the settlement, Google must make several commitments, though the filing notes that it has already taken several measures to remediate the security vulnerabilities in its EN.

The injunctive relief includes confirming that no EN user’s data is available on internal systems and including an explanation of the heightened security and privacy protections that address the concerns raised in the action. Counsel also asserts that it will seek attorneys’ fees of no more than $ 2 million.

The plaintiffs are represented by Lieff Cabraser Heimann & Bernstein and Google by Willkie Farr & Gallagher LLP.