The Legal Footholds of Three States and the District of Columbia Against a Technological Goliath

Written by Hannah G. Babinski, Class of 2024 

I. Introduction

To no one’s surprise, Big Tech is in trouble yet again for attempting to overstep the boundaries of consumer privacy. From the notorious Facebook controversy involving Cambridge Analytica in 2018 to the most recent ballad of chronic misinformation stemming from Spotify’s perpetuation of Joe Rogan’s podcast, it seems that Big Tech’s complacency or even compliance with problematic practices connected to its online presence consistently leaves many Americans scratching their heads. Google is the latest tech conglomerate to stumble in the public arena.

This is not a historic moment for the California-based tech giant whose business model is heavily dependent on its prolific digital advertising, collection, surveillance, and auction of user data, including location tracking which alone earned the company an estimated $150 billion dollars in 2020.[1] In October 2020, the U.S. Justice Department and eleven states sued Google in federal court, alleging that Google abused its dominance over the search engine market—comprising 90% of web searches globally—and online advertising.[2] Then, in December of 2020, ten states separately sued Google in federal court on the grounds of alleged anti-competitive conduct.[3] Undoubtedly, Google’s utter electronic control over the online market is equally as impressive as it is troubling—a sentiment resounded by the bombardment of state-instigated suits—but it pales in comparison to the basis of the most recent lawsuit.

In January of 2022, the attorneys general for the District of Columbia (D.C.), Washington, Texas, and Indiana brought suit against Google in their respective state-level courts, seeking injunctions and damages in the amount of the profits accrued from the mining and sale of user data collected without user consent over a multi-year period.[4] The phrase ‘collected without user consent’ in regard to data is often interpreted by members of the public to align with ‘collected absent permission,’ but in the present case, the phrase more accurately translates to ‘collected sequent refusal.’ The data in controversy was mined from users after Google led users to believe they could turn off location tracking generally while using the service by manipulating settings in the Google Maps application while, in actuality, the company continued to monitor and track user activity and locations through its other application interfaces regardless of user preference.[5] Though the company did not explicitly claim that manipulation of location tracking settings within the Maps feature would disable location tracking across the other applications on the platform, Google neglected to inform users of the limitations of disabling location tracking within the Maps feature–leading a reasonable person to believe that by disabling location tracking within the Maps feature, he or she was disabling location tracking throughout the entire service.

This practice came to light following the August 2018 publication of an Associated Press investigation into Google’s disregard for user preferences and lack of consent for data harvesting.[6] Princeton University researchers then confirmed the results of the investigation, cementing Google’s place in figuratively hot water.[7]

This latest accusation against Google only highlights the abuses of power inextricably linked to the unbridled control of technological goliaths over the rapidly evolving tech industry and, more importantly, the lives of millions of people globally. It further underscores the insufficient degree of established safeguards and legal precedent aimed at protecting the rights of online users and their personal data. With all eyes fixed on this impending suit, the question stands: what legal grounds do the states and D.C. have to stand on? The answer to this question is likely each state and D.C.’s own consumer protection laws: D.C. will likely rely on the Consumer Protection Procedures Act (CPPA), Washington will  likely rely on the Consumer Protection Act (CPA), Texas will likely rely on the Deceptive Trade Practices Act (DTPA), and Indiana will likely rely on the Deceptive Consumer Sales Act (DCSA).

Therefore, to explore the question of what legal arguments the instigating parties could potentially raise in their pursuit of injunctions and damages against the conglomerate, this analysis will first turn to the local statutes of the participating states and district to determine how Google possibly violated local consumer protection laws with its alleged trespasses on user privacy. Further, this analysis will conduct a thorough examination of the statutes, evaluating the language of the statutes, definitions provided within the statutes, and the plain meaning of the text incorporated within the statutes. This analysis will then look to the past applications of the statutes in question to previous cases brought before the courts in each jurisdiction to examine the interpretation of the statutes within the common law.

It is worth noting that many of the statutes discussed in the following sections were constructed to be intentionally wide-reaching so as to apply to the ever-adapting body of consumer protection law.[8] Accordingly, in instances of novel application, the statutes will be subjected to a very fact-specific inquiry by the judiciary. Additionally, this analysis acknowledges that the statutory schemes involved at the state level are influenced by the Federal Trade Commission Act (FTCA), which states, “Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”[9] Though many states will take note of the federal law and often formulate their own state-level laws with the federal regulations in mind, the states maintain the liberty to construct their statutes at will. Therefore, the wording of the statutes discussed below were most likely influenced by the FTCA but differ somewhat in the language employed,[10] making it necessary to examine each state statute in turn. The instigating parties involved in these suits have filed these actions within their individual state-level courts under alleged violations of state-level law, so this analysis is tailored to focus exclusively on the state-level laws applicable.

II. Analysis

Due to the fact that there are few legal grounds based exclusively in data privacy upon which the states and D.C. can rely in cases such as these, D.C., Washington, Texas, and Indiana will likely rely on previously established state statutes concerning consumer protection.

          a. District of Columbia

Under D.C.’s Consumer Protection Procedures Act (CPPA), “[i]t shall be a violation . . . for any person to engage in an unfair or deceptive trade practice, whether or not any consumer is in fact misled, deceived, or damaged thereby, including to . . . misrepresent as to a material fact which has a tendency to mislead.”[11] The phrase “trade practices” as defined by the statute means “any action which does or would create, alter, repair, furnish, make available, provide information about, or, directly or indirectly, solicit or offer for or effectuate, a sale, lease or transfer, of consumer goods or services.”[12] The term “person,” as defined by the statute, applies to any “individual, firm, corporation, partnership, cooperative, association, or any other organization.”[13] Therefore, to be liable under the CPPA, Google must (1) be considered a person and must (2) engage deceptively (3) in a trade practice. Clearly, Google satisfies the first element by meeting the statutory definition of “person” as a corporation, but did the conglomerate engage deceptively in a trade practice?

This consumer protection statute has been largely applied to cases involving misleading and deceptive advertisements and misrepresentation of insurance policies and loans. For example, the D.C. Court of Appeals held that there were sufficient grounds for suit under the CPPA when the Animal Legal Defense Fund challenged Hormel Foods Corporation’s use of words like “all natural,” “clean,” “honest,” and “wholesome” on packaged meat products produced through factory farming as the use of these words misled the public to believe that the animals were humanely raised.[14] The court discussed that the application of these descriptors in connection with the product could reasonably mislead a consumer into believing misrepresentations concerning the products’ origins.[15]

Similarly, in alignment with the court’s reasoning in Animal Legal Def. Fund v. Hormel Foods Corp., Google’s alleged act of informing users that the user could prohibit location tracking generally when disabling the feature through Google Maps can be considered a misrepresentation and misleading. This representation could lead a reasonable consumer to believe the consumer has authority over his or her own data and rely on this belief as fact. Likewise, an argument may be made that Google implicitly advertised to its users concerning an aspect of its service—limiting its tracking capacity at their request through the Maps application—and that its advertisements were false and misleading. By communicating to its users that the company would not track user locations if users requested so and leading the consumer to believe that this permission expanded to all of Google’s interfaces and not merely just to the Maps feature, Google was making a misleading advertisement on its website to its users, supporting a claim under the CPPA by creating a comparison to the existing applications of the consumer protection statute in the past. Thus, Google satisfies the second element for CPPA liability.

The argument for liability under the CPPA for the case against Google is relatively straightforward until arriving at the third element: the portion of the statute that addresses “trade practices.” The definition of “trade practices” as applied by the statute concerns “any action. . . [that] effectuate[s], a sale, lease or transfer, of consumer goods or services.”[16] To succeed with the claim against Google under the CPPA, D.C. may rely on a key term in the “trade practices” definition: services. Google’s use of deception misrepresentations that misled users of Google to believe they had control over the data they share with the conglomerate through manipulation of settings on Map feature applies directly to the presentation of Google as a service. Therefore, Google’s actions constituted deceit or misrepresentation in commission of a trade practice.

Therefore, under the CPPA, Google meets the statutory definition of a “person,” and the company “engage[d] in an unfair or deceptive trade practice” and “misrepresent[ed] as to a material fact which has a tendency to mislead” by leading consumers to reasonably believe that the tracking of user data could be disabled generally by manipulating settings within the Maps feature.[17] Resultantly, Google is liable under D.C.’s CPPA.

           b. Washington

The Washington statute  likely to be applied in this case against Google appears to be more concise than D.C.’s consumer protection statute. However, the Washington statute also presents a potentially disastrous set of challenges for the state’s attorney general to maneuver. Washington’s Consumer Protection Act (CPA), which was intended to be construed liberally and to evolve over time,[18] states that “unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful.”[19] “Trade” and “commerce” are defined by the statute as “the sale of assets or services, and any commerce directly or indirectly affecting the people of the state of Washington.”[20] Therefore, under the CPA, it is unlawful to employ unfair methods of competition and unfair or deceptive practices during the sale of assets or services or during any commerce directly or indirectly affecting Washingtonians.

The application of the CPA to a case involving Big Tech is largely novel for Washington courts. In the past, the CPA has been applied to cases often involving misrepresentations in advertising and insurance. For example, the Court of Appeals of Washington affirmed the trial court’s decision that the corporation Living Essentials violated the CPA by making misleading advertising claims concerning its product, 5-Hour ENERGY, which were not supported by fact, including the claim that the product was “superior to coffee,” the claim that the decaffeinated version of the product provided “energy, alertness, and focus ‘for hours,’” and the implication that “73% of doctors” would recommend the product to their patients.[21] The court reasoned that “‘a plaintiff need not show that the act in question was intended to deceive, but that the alleged act had the capacity to deceive a substantial portion of the public’” and that “a truthful statement ‘may be deceptive by virtue of the ‘net impression’ it conveys.’”[22]                                                                                                  

Applying the reasoning of the court in Living Essentials with the knowledge that the CPA was intended to be construed liberally to cases involving trade and commerce, Google, like Living Essentials, arguably promulgated misrepresentations to consumers concerning an aspect or the extent of its service through its website communications with its users.

Concerning the statutory language of the CPA, it is of importance to recognize that the statute makes a point to define trade and/or commerce as “the sale of assets or services” and “any commerce directly or indirectly affecting the people of the state of Washington.”[23] The second clause of the definition— “any commerce directly or indirectly affecting the people”— is significant in the sense that it effectively creates a safety net for the citizens of Washington as well as a golden ticket for Washington prosecutors, bringing almost anything involving commerce under the jurisdiction of the court.[24] The broad nature of this second clause renders this statute elastic and expands the legislature’s power over a vast array of unsavory and dishonest business practices if there is any effect whatsoever on Washingtonians.

The broadness of the statute makes the CPA widely applicable but may also provide an unexpected set of challenges for Washington’s attorney general, namely the fact that vagueness within the law presents the opportunity for a judicial interpretation that may not favor the state or even a constitutionality challenge on the grounds of due process. The Due Process Clause of the Fourteenth Amendment of the Constitution protects against state violations of life, liberty, or property absent due process of the law,[25] and if the law is so ambiguous that covered entities do not understand what constitutes a violation of the law, then those entities are not on notice and cannot fairly be afforded adequate due process of law.[26] On grounds of ambiguity, Google could assert an ignorance in regard to the reach of the phrase “directly or indirectly affecting the people of the state of Washington” and may argue that CPA compliance is impossible because most actions will directly or indirectly affect the people of Washington in some fashion.[27]

Though Google is likely to challenge the ambiguity of the law under this unapologetically broad statute, Google’s alleged conduct qualifies for liability under Washington’s CPA because the company employed deceptive practices during the commission of commerce that directly or indirectly affects Washingtonians by falsely advertising the extent of data tracking and the consumer’s ability to control the tracking of their data.

            c. Texas

The Texas Deceptive Trade Practices Act (DTPA) states, “False, misleading, or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful and are subject to action by the consumer protection division. . . .”[28] The code goes on to define “false, misleading, or deceptive acts or practices” as including, but not limited to, “representing that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities which they do not have. . . .”[29]

The DTPA has been applied to a vast number of cases involving deception and misrepresentation since its enactment in 1973, including Brown & Brown of Texas, Inc. v. Omni Metals, Inc. The First Court of Appeals of Texas held that an insurance company was liable for the false statements made by an agent in the company’s employment in regard to the coverage provided in a policy marketed to cover “All Risks.”[30] The court reasoned that when the insurance agent, knowing the policy did not cover items housed in storage for which a storage charge was being made, did not disclose this information to the owner of a warehouse where steel items were being stored and told the owner of the steel stored in the warehouse that the warehouse’s policy coverage included “property of others in custody of the insured,” he engaged in misleading and deceptive practices and opened his employer to liability under the DTPA.[31]

Similar to the insurance agent in Brown, Google implicitly made claims to its users that were decidedly misleading and systematically deceptive. In this manner, the Texas Attorney General will be able to make a notable argument supported by case law against the company regarding its liability under the DTPA. Moreover, the statutory language of the DTPA itself is against Google. As previously established, Google is the provider of a service, which the company “represented” as having “characteristics . . . of which [it] do[es] not” by misleading consumers to believe that they could limit location tracking data and data sharing with the company.[32] Though Google did not make the outwardly false claim that by disabling location tracking through the Maps feature location tracking across the platform would disengage, the company did not communicate that the disabling of location tracking in the Maps feature would not completely halt all location tracking. This omission resulted in a misrepresentation regarding the extent of the service itself and led consumers to believe that the service had characteristics it did not have.

Thus, Google engaged in “[f]alse, misleading, or deceptive acts or practices in the conduct of any trade or commerce”[33] by “representing that goods or services have . . . characteristics . . . which they do not have”[34] by implicitly communicating that its tracking services could be disabled across the platform through the Maps feature. By relying on Texas state law, the odds of success of an action against Google under the DTPA is highly likely.

            d. Indiana

Google’s alleged conduct is likely subject to liability in Indiana under Indiana’s Deceptive Consumer Sales Act (DCSA), which states,

A supplier may not commit an unfair, abusive, or deceptive act, omission, or practice in connection with a consumer transaction. Such an act, omission, or practice by a supplier is a violation of this chapter whether it occurs before, during, or after the transaction. An act, omission, or practice prohibited by this section includes both implicit and explicit misrepresentations.[35]

The term “supplier” as utilized in the statute is defined as “[a] seller, lessor, assignor, or other person who regularly engages in or solicits consumer transactions.”[36] “Consumer transaction” is defined within the statute as “a sale, lease . . . or other disposition of an item of personal property, real property, a service, or an intangible . . . or a solicitation to supply any of these things.”[37] Additionally, “person” is defined within the statute as “an individual, corporation . . . partnership, association, nonprofit corporation or organization, or cooperative or any other legal entity.”[38] These terms and the DSCA as a whole are “remedial and ‘shall be liberally construed and applied to promote its purposes and policies’ of protecting consumers from deceptive or unconscionable sales practices.”[39]

Cases brought under the DSCA largely involve claims against insurance companies involving policy disputes. However, the Supreme Court of Indiana did apply the DCSA to an action concerning misleading and deceptive claims made by an agent of an auto dealership. In Kesling v. Hubler Nissan, Inc., the court held that an auto dealership’s advertisement describing a used car as a “‘Sporty Car at a Great Value Price’” was not a misrepresentation actionable under the DCSA,[40] but when the dealer knew of serious problems with the vehicle, was asked about the problems directly, and failed to disclose the true condition of the car, the agent committed fraud and misrepresentation actionable under the DCSA.[41] The court reasoned that “mere puffing” does not constitute a misrepresentation and, therefore, “cannot be the basis of a deception or fraud claim[]” under the DCSA, but downplaying a condition of a product in the “face of actual or constructive knowledge” and providing “a knowingly incomplete answer” to a consumer’s specific question is actionable as the basis of a fraud claim under the DCSA.[42]

A comparison may be drawn between the knowing deception or misrepresentation by omission of the agent in Kesling and Google’s practices that instigated Indiana’s suit against the company. Google’s implicit representation that the company would not track user data if asked not to by the user under the settings in the Maps feature extends beyond mere puffery concerning positive attributes of the service and constitutes, similar to the agent in the above case, a “knowingly incomplete answer” or omission regarding the company’s privacy policy.[43] Under the statute, an omission of this nature that results in an implicit misrepresentation is actionable.[44] Therefore, in this regard, Google is liable under the DSCA.

Concerning the statutory language and the relation between that language and Google, the statute provides that a “supplier,” which is “[a] seller, lessor, assignor, or other person [corporation] who regularly engages in or solicits consumer transactions,” including “a sale, lease . . . or other disposition of. . . a service,” may not “commit an unfair, abusive, or deceptive act, omission, or practice in connection with a consumer transaction” at any time “before, during, or after the transaction.”[45] Google satisfies the statutory definition of a supplier as a “seller” or even, being a corporation, as an “other person who regularly engages in or solicits consumer transactions” involving the disposition of its service, and Google committed an omission in connection with a customer transaction by implicitly misrepresenting the tracking capabilities and limitations of its service.[46]

Therefore, as demonstrated above, Google satisfies the definition of a supplier and engaged in a deceptive act or omission in connection with its consumer transactions by misleading and implicitly promulgating the notion that users could control or limit the collection of their location data across the platform by disabling tracking within the Maps feature and not informing users that this action did not constitute a complete disengagement of location tracking in general while using the service. As a result, Google falls within the sphere of  liability under Indiana’s DCSA.

III. Conclusion

This analysis has provided some of the potential legal grounds upon which the attorneys general for the states and the District of Columbia may base their arguments in the proceedings against the tech giant. Though privacy laws and case precedent concerning Big Tech are still in their infancy, the current consumer protection laws enacted within these states and district provide the attorneys general an option for recourse against the alleged abuses to the citizens living within these areas. The court commencement timelines and the minute details of the arguments that the attorneys general will employ to further validate their claims under their respective state-level consumer protection laws are unknown at this time, but what is known is the unquestionable importance of the outcome of the cases.

Despite the prevalence of advancing technology today, the legislature has been slow to adapt to the evolving circumstances and challenges posed by an increasingly technological dependent modern world. Principal Investigator of the Big Data Surveillance Project David Lyon provided, “To assume that ordinary people have the time, expertise or motivation to be constantly vigilant about surveillance is to sidestep questions of justice and informational fairness. The politics of information in the twenty-first century will increasingly be about how to increase the accountability of those who have responsibility for processing personal data.”[47] In this regard, legal professionals, legislators, and the public as a whole have a responsibility to hold large corporations accountable for missteps and abuses of the data within their stewardship and to encourage response to the growing needs for privacy safeguards, and these pending actions against Google are the first step towards accountability. These actions, regardless of the individual outcomes, will set a precedent in each state and district in which the action has been filed moving forward and will act as a pioneer action in the battle for data, but it undoubtedly will not be the last.

[1] Marcy Gordon, D.C., 3 States Sue Google Saying it Invades Users’ Privacy, Wash. Times (Jan. 24, 2022),

[2] Id.

[3] Id.

[4] Taylor Hatmaker, Google Gets Hit with a New Lawsuit Over ‘Deceptive’ Location Tracking, TechCrunch (Jan. 24, 2022, 3:11 PM),

[5] Gordon, supra note 1.

[6] Id.

[7] Id.

[8] “In addition to passing broadly worded Consumer Protection Acts, states have in the last 20 years enacted a series of statutes aimed at controlling specific consumer abuses.” Shirley F. Sarna, State Consumer Protection, U.C. Davis Bus. L. J.

457, 466 (Jan. 21, 1999).

[9] 15 U.S.C.S. § 45(a)(1).

[10] “The scope of FTC jurisdiction is extremely broad, extending to virtually all domestic businesses and to any matter affecting commerce in which FTC oversight would be in the ‘interest of the public’ (15 U.S.C. § 41). While no private right of action exists under the FTCA, most states have legislation similar to the FTCA, which creates private rights of action. Moreover, FTC proceedings do not necessarily preempt state law claims arising out of the same set of facts as those that gave rise to the FTC proceeding.” Guide to Med. Device Reg. ¶ 1240 FTCA, 1993 WL 13580303.


[11] D.C. Code § 28-3904(e).

[12] Id. § 28-3901(a)(6).

[13] Id. § 28-3901(a)(1).

[14] Animal Legal Def. Fund v. Hormel Foods Corp., 258 A.3d 174, 180 (D.C. 2021).

[15] Id., at 179.

[16] Id. § 28-3901(a)(6).

[17] D.C. Code § 28-3904(e).

[18]State v. Living Essentials, LLC.,, 436 P.3d 857, 863 (Wash. Ct. App. 2019).

[19] Wash. Rev. Code § 19.86.020.

[20] Id. § 19.86.010(2).


[21] State v. Living Essentials, LLC, 8 Wn. App. 2d 1, 11-12, 436 P.3d 857, 863 (Wash. Ct. App. 2019).

[22] Id., at 16 (quoting Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wn.2d 778, 785, 719 P.2d 531 (Wash. 1986)).

[23] Wash. Rev. Code § 19.86.010(2).

[24] Id.

[25] U.S. Const. amend. XIV.

[26] See LabMD, Inc., v. Federal Trade Commission 776 F.3d 1275 (11th Cir. 2015) (holding that the FTC’s application of its § 5 authority to a case of poor data security practices was “void for vagueness” because the issue was a matter of first impression, and the punished company could not have anticipated that its practices would be subject to such an action).

[27] Id.

[28] Bus. & Com. § 17.46(a).

[29] Id. § 17.46(b)(5).

[30] Brown & Brown of Tex., Inc. v. Omni Metals, Inc., 317 S.W.3d 361, 371-73 (Tex. App. 2010).

[31] Id., at 372, 402.

[32] Bus. & Com. § 17.46(b)(5).

[33] Bus. & Com. § 17.46(a).

[34] Id. § 17.46(b)(5).

[35] Ind. Code Ann. § 24-5-0.5-3(a) (LexisNexis 2020) (emphasis added).

[36] Id. § 24-5-0.5-2(a)(3)(A) (LexisNexis 2019).

[37] Id. § 24-5-0.5-2(a)(1) (LexisNexis 2019).

[38] Id. § 24-5-0.5-2(a)(2) (LexisNexis 2019).

[39] Kesling v. Hubler Nissan, Inc., 997 N.E.2d 327, 332 (Ind. Ct. App. 2013) (quoting I.C. § 24-5-0.5-1 (repealed 2007)).

[40] Id. at 329-30.

[41] Id.

[42] Id. at 336.

[43] Id.

[44] Ind. Code Ann. § 24-5-0.5-3(a) (LexisNexis 2020).

[45] Ind. Code Ann. §§ 24-5-0.5-2(A)(1)-(3), 3(a) (LexisNexis 2019-20).

[46] Id. §§24-5-0.5-2(A)(1)-(3) (LexisNexis 2019).

[47] 10 Privacy Quotes You Need to Know, Richmond News, (Feb. 3, 2022),