Federal Jury Awards $425.7 Million in Google Privacy Case: Key Takeaways on Consent Design and Litigation Risk

In the closely watched class action Rodriguez et al. v. Google LLC, a federal jury in the Northern District of California awarded $425.7 million in compensatory damages to a class of approximately 98 million users. The plaintiffs alleged that Google continued collecting data from third-party apps even after users disabled the “Web & App Activity” (WAA) setting, asserting claims under California’s constitutional right to privacy and common law intrusion upon seclusion.

While the jury ultimately found in favor of the plaintiffs, the case raises important questions about how privacy settings are interpreted by users, the limits of user consent, and how juries are responding to legal theories presented in cases involving allegations of deceptive practices involving consumer data.

Trial Highlights and Google’s Defense

The three-week trial featured extensive testimony from both sides, including fact witnesses, user experience experts, and computer scientists.

Google’s defense emphasized several key points:

Anonymization and aggregation: Google maintained that the data at issue was anonymized and used only in aggregate form for analytics and product improvement, not for identifying or targeting individual users.
User interface design: Google’s user-experience expert testified that the company’s approach to privacy settings was designed to avoid “cognitive overload” and promote usability. The “Are You Sure?” confirmation screen was cited as a meaningful consent checkpoint.
No Personally Identifiable Information (PII): Google’s technical experts, including a university professor in computer science, testified that the company’s systems were designed to prevent the collection or use of PII in the context of the disputed data flows.
Rejection of “shadow account” allegations: Google’s product lead for Analytics directly refuted the plaintiffs’ claim that the company maintained “shadow accounts,” clarifying that no data was organized in a way that could identify individual users.

Despite these arguments, the jury found in favor of plaintiffs’ claims for invasion of privacy and intrusion upon seclusion but declined to find Google violated California’s Computer Data Access and Fraud Act. Further, the jury declined to award punitive damages. The $425.7 million award was significantly lower than the plaintiffs’ $31 billion damages model.

The jury’s verdict—roughly $4 per class member—reflects a nuanced view of harm and culpability. Google has announced plans to appeal, on the basis that the jury misunderstood the functionality of its privacy tools and that users were adequately informed through layered disclosures and consent flows.

Implications for Regulated Entities

While the verdict is significant, it should not be viewed in isolation. It is part of a broader trend in which courts and juries are increasingly scrutinizing how companies communicate privacy choices and what constitutes meaningful consent.

Key Considerations for In-House Counsel and Compliance Teams

Clarity in consent mechanisms: Even well-intentioned design choices can be second-guessed in litigation. Ensure that privacy toggles and disclosures are not only accurate but also intuitive to the average user.
Documentation of design rationale: Maintain internal records explaining the rationale behind privacy UX decisions. This can be critical in defending against claims of deception or intent to mislead.
Evaluate risk from passive data collection: Background or passive data flows, especially those not clearly surfaced to users, are increasingly fertile ground for litigation.
Prepare for expanding legal theories: Plaintiffs are successfully advancing claims under state constitutional privacy provisions and common law torts, even in the absence of statutory violations or data breaches.
Monitor parallel proceedings: This case follows a $314 million state court verdict involving Android data transfers and precedes a nationwide federal trial scheduled for April 2026. The litigation landscape is far from settled.

Final Thoughts

The Rodriguez verdict underscores the importance of proactive privacy governance and litigation readiness. While the jury’s decision reflects growing public sensitivity to digital privacy, it also highlights the challenges companies face in balancing usability, transparency, and legal compliance in a rapidly evolving regulatory environment. Thompson Coburn’s cybersecurity and privacy team will continue to monitor developments in this case and advise clients on best practices for mitigating risk in the design and deployment of consumer-facing technologies.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Related People

total commitment.