Happy CIPA Sunday! What feels like a routine online interaction with your state could be something else entirely. Imagine for a moment that you’re renewing your disability parking placard online. It’s another government form to fill out from the comfort of your home. You input your personal information, including sensitive details about your disability, and click submit. You don’t realize that an invisible digital hand may reach through your screen (figuratively speaking), quietly collecting your most sensitive personal information. Isn’t that a scary thought? This isn’t the plot of the new season of Black Mirror (or is it?); it’s the allegation at the center of Wilson v. Google L.L.C., No. 24-cv-03176-EKL, 2025 U.S. Dist. LEXIS 55629 (N.D. Cal. Mar. 25, 2025).

Here, Plaintiff was just trying to renew her disability parking placard through California’s “MyDMV” portal when she allegedly fell victim to what her lawsuit describes as Google’s secret data collection. According to the Opinion, Plaintiff provided the DMV with her personal information, including disability information,” only to later discover that Google secretly used Google Analytics and DoubleClick embedded on the DMV’s website when she renewed her disability parking placard to collect her personal information unlawfully. Like millions of Americans, Plaintiff trusted that her interaction with a government agency would remain private. This information, Plaintiff alleges, was then used to generate revenue for its advertising and marketing business. If proven true, Google essentially eavesdropped on what should have been a private interaction between a citizen and her state government.

The following legal issues reveal the complex landscape of privacy law in America. Pliantiff’s lawsuit hinges on two critical privacy laws. First, the Driver’s Privacy Protection Act (“DPPA”) is a federal law designed to prevent unauthorized disclosure of personal information from DMV records. Second, the California Invasion of Privacy Act (“CIPA”) protects against “the substantive intrusion that occurs when private communications are intercepted by someone who does not have the right to access them.” Campbell v. Facebook, Inc., 951 F.3d 1106, 1118 (9th Cir. 2020). Initially, these laws weren’t crafted with the advancement of digital technology in mind. However, they’re now legal shields designed for a different era and being tested against surveillance technologies. Together, these laws create a safety net meant to protect our personal information, but are they strong enough to catch Big Tech’s increasingly sophisticated data collection methods?

Google’s defense strategy is smart and calculated to exploit procedural technicalities rather than addressing the fundamental privacy questions at stake. Their first move was to argue that the California DMV was a “required party” under Fed. R. Civ. P. 19. They asserted the entire case should be dismissed since the DMV couldn’t be joined (due to sovereign immunity). It’s a clever technical legal argument that, had it succeeded, could have created a precedent for tech companies to evade privacy lawsuits involving government websites. Judge Eumi K. Lee wasn’t buying it, though. She rejected Google’s argument, finding that dismissing Plaintiff’s claims outright “would be draconian, particularly because Plaintiff seeks other relief too—including damages.” Wilson, 2025 U.S. Dist. LEXIS 55629, at *7. The Court rightfully distinguished the case from Downing v. Globe Direct L.L.C., 806 F. Supp. 2d 461 (D. Mass. 2011), noting that, unlike in Downing, where a vendor was explicitly contracted to include advertising, Plaintiff had alleged that Google encourages website operators—including the DMV—to use Google’s tools to obtain personal information that Google uses for its own advertising business.

Conversely, regarding Plaintiff’s DPPA claim, Google had more success. The Court focused on a technical but crucial question: Did Google obtain Plaintiff’s personal information from a motor vehicle record? The Ninth Circuit had previously ruled in Andrews v. Sirius XM Radio Inc. that the DPPA does not apply when “the initial source of personal information is a record in the possession of an individual, rather than a state DMV.” Andrews v. Sirius XM Radio Inc., 932 F.3d 1253, 1260 (9th Cir. 2019). With this in mind, Judge Lee determined that because “the personal information that was allegedly transmitted to Google came from Plaintiff, it was not from a motor vehicle record.” Wilson, 2025 U.S. Dist. LEXIS 55629, at *11. This distinction creates a troubling loophole in privacy protection. Your data is protected when it sits in a DMV database, but it loses that protection when you’re transmitting it to the DMV. This is a seemingly minor distinction. Whether data was pulled from a DMV database or intercepted while being entered by a user made all the difference for Plaintiff’s DPPA claim, which was dismissed with leave to amend.

Isn’t this getting spicy? But here’s where the plot thickens. While Plaintiff’s DPPA claim stumbled, her state law claim under CIPA survived Google’s dismissal motion. Google had asserted it couldn’t be liable under CIPA because it was merely acting as a “vendor” for the DMV—an extension of the government website rather than a third-party eavesdropper. This is a fantastic assertion by Google’s defense team. Think of it as Google claiming to be the DMV’s trusted assistant rather than an uninvited guest at a private conversation. However, Judge Lee rejected this defense, noting that Plaintiff had sufficiently alleged that “Google intercepted and used her personal information for its own advertising services” and thus “did not act solely as an extension of the DMV.” Id. at *13. The Court further found that Plaintiff had adequately alleged Google acted “willfully” by detailing how Google “specifically designed” its tracking tools to gather information and “intentionally encourages” website operators to use its tools in ways that circumvent users’ privacy settings. Id. at *14. That kind of intentionality matters when pleading willfulness under CIPA.

In Google’s defense, Google tried to shield itself behind its terms of service, which allegedly prohibited websites from sharing personally identifiable information with Google. But Judge Lee noted that assertion created “a question of fact” that couldn’t be resolved at the pleading stage. Id. at *15. With this observation, the Court relied on Smith v. Google LLC, explaining that while “Google argues that judicially noticeable policy documents suggest that Google did not actually want to receive personally identifiable information and expressly prohibited developers from transmitting such data, this presents a question of fact that the Court cannot resolve at this stage.” Id. (quoting Smith v. Google, L.L.C., 735 F. Supp. 3d 1188, 1198 (N.D. Cal. 2024)). As a result, the message is clear…fine print in terms of service won’t necessarily provide legal cover for actual data collection practices if it occurs.

This case feels like déjà vu for privacy advocates because we’ve seen this before. Similar allegations were raised against LinkedIn in Jackson v. LinkedIn Corp., 744 F. Supp. 3d 986 (N.D. Cal. 2024). The parallels between these two cases are vastly similar, involving allegations that tech giants are harvesting sensitive data from DMV websites. Google even tried to use these similarities against Plaintiff, characterizing her allegations as “entirely boilerplate” and “almost identical to the same allegations” asserted against LinkedIn in the Jackson case. Wilson, 2025 U.S. Dist. LEXIS 55629, at *15. However, the Court rejected this argument too, noting that the similarity between the complaints does not render Plaintiff’s allegations conclusory, especially given that both cases challenge similar alleged conduct by two different advertising companies. Google tried to compare Byars v. Hot Topic, Inc., 656 F. Supp. 3d 1051 (C.D. Cal. 2023), where the Court criticized “copy-and-paste” privacy complaints filed in bulk. However, Judge Lee pushed back, emphasizing that, unlike in Byars, Plaintiff’s Complaint here includes “at least 48 paragraphs of detailed allegations specific to Google” and cannot be dismissed as generic boilerplate. Wilson, 2025 U.S. Dist. LEXIS 55629, at *16.

So what’s the takeaway? When you enter personal information into a government site, like renewing your vehicle registration or applying for a disability placard, it feels like a private exchange. But behind the screen, third-party tools might be collecting your data. It sounds like Black Mirror, but it’s essentially happening. It’s as if you’re filling out a paper form at the DMV counter, only to discover that a marketing executive is peering over your shoulder, taking notes on your personal information. The legal distinction between information stored in a government database and information you’re actively entering may seem arbitrary from a privacy perspective. But it creates a significant gap in legal protection.

As the case progresses, Plaintiff has been granted leave to amend her DPPA claim, and her CIPA claim will proceed. This case reminds us that data privacy isn’t just about keeping private things—well… private—it’s about controlling who knows what about us and how that information is used. With every click and keystroke, who else might be watching as you type?

As always,

Keep it legal, keep it smart, and stay ahead of the game.

Talk soon!