Google and Facebook: Too big to sue?

Internet privacy is not just under siege from the NSA. Google is fighting two huge class action suits based upon privacy violations. Facebook recently settled two privacy-based class action lawsuits. These lawsuits are colossal because Google and Facebook are two mammoth companies with enormous numbers of customers.

One class is comprised of everyone who has a Gmail account or sent a message to a Gmail account over the last two years. How huge is that? The last time Google released the number of Gmail accounts was in June, 2012: 425 million worldwide. I’ve opened two myself since then.  But that’s only the number of Gmail accounts and doesn’t include everyone sending messages to Gmail accounts. Facebook boasts more than 1 billion users. We mean huge.

The second Google case is In re Google Street View Electronic Communications Litigation. This class is every person in the U.S. whose home wifi Google tapped to perform its street view mapping. No one knows how many people that is, but it could be in the millions.

While lawyers typically look for moneyed defendants, the problem with lawsuits of this magnitude is that each privacy violation has a statutory penalty of up to $10,000 under the Wiretap Act. When the class of plaintiffs is so large, the penalties rapidly hit billions or even trillions of dollars – that is, if every class member decides to participate.

So what does this really look like? Facebook lucked out on its class action, Fraley v. Facebook, when the judge approved a settlement in August to pay each class member $15. The potential class included 150 million users but only 615,000 filed claims. Facebook paid $20 million into a settlement fund with $9.2 million going to class members; $5 million to Internet privacy watch dog groups, called cy pres awards; and $3.5 million in attorneys’ fees. So Facebook is lucky because $20 million is far less than $2.25 billion (150 million members x $15). If each class member got $1,000, more would likely have signed up and you can do the math.

Facebook managed to settle its next class action on the Beacon program (let’s broadcast details about our users’ personal lives!) with a $6 million cy pres award to a privacy group Facebook controls. Clearly, Facebook thought it “cracked the code” on managing its privacy problems but the case is being appealed. And what’s more, settling class actions with cy pres awards in lieu of compensating individuals is now losing favor in the 9th Circuit where Google and Facebook live. 

 The Google cases have been progressing through the litigation process with the plaintiffs largely winning. Even with gross revenues of $50 billion in 2012, awarding significant damages to each class member would likely bankrupt Google, leaving the claimants without payments and hundreds of millions without services.

Some commentators are arguing that the suits are “too big to settle”. In the class action world, once the class is certified by the court, settlements are very difficult. What usually happens is that prior to certification, the parties come up with their proposed settlement and present it to the court for approval. Once the class is certified, it’s up to the court to define the award. If the court won’t accept a cy pres award and applies statutory damages to each class member, we are looking at staggering judgments.

It’s reminiscent of the “too big to fail” arguments of the big banks and auto companies. But do they warrant it? No matter how you feel about class action suits, shouldn’t Google and Facebook be held accountable for privacy violations even though they are so large – or because they are so large? Would the impact of Google’s or Facebook’s demise be similar to bringing down the banking system or the auto industry? Or would the Internet ecosystem hiccup and move on?