Google Sold Your Private Browsing to Chinese Spyware Companies
The Non-Financial Ledger
Barbara Jenkins lives in Baltimore. She has an Android phone linked to her Google account. She uses Google Chrome, because that is what the phone came with and because a decade of design decisions by Google made switching difficult. When she needed to look something up about her health, she went to Drugs.com, the way millions of Americans do every day. She typed something into a search bar. Maybe it was the name of a medication. Maybe it was a symptom. Maybe it was a drug interaction she was worried about. Whatever it was, it was private. It was between her and a website she chose to visit.
She did not choose to tell Google. She did not choose to tell a company called MediaGo, which is owned by Baidu, the Chinese government-aligned search giant headquartered in Beijing. She did not choose to share that health search with Pangle, the advertising network operated by ByteDance, the Chinese parent of TikTok, which has been the subject of congressional investigations and proposed federal bans precisely because of how it handles American data. She did not choose to send it to Temu, whose app has been called spyware by the attorneys general of Nebraska and Kentucky, and whose parent company PDD Holdings was flagged by twenty-one state attorneys general for invasive data practices.
None of that was her choice. It happened automatically, invisibly, before the page even finished loading, in the fraction of a second between her pressing Enter and the search results appearing on her screen. Google’s code was already embedded in the website. Google’s servers were already receiving her data. Google’s auction had already begun. And Google’s approved partners, including those three Chinese-affiliated companies, were already receiving her persistent tracking identifier, her IP address, and the URL of the page she was visiting, which contained the exact search terms she typed.
She was not warned. There was no pop-up that said: “We are transmitting your health search to companies subject to Chinese law.” There was no opt-out button, no meaningful disclosure, no moment where she could have said no. The lawsuit notes directly that Plaintiff “did not know, nor had reason to know, that Google surreptitiously collected and disseminated information about her web activity (including her IP addresses) to its partners” and that she “did not consent to Google intercepting, reading, or using her communications.”
Now think about what this means at scale. Every day, millions of Americans visit Drugs.com to look up medications, opioid interactions, lithium dosages, or symptoms they are scared to ask a doctor about. Every day, people visit BibleHub.com to look up verses about adultery, temptation, addiction, or grief. Every day, parents visit Parents.com to research childhood behavioral disorders or newborn health crises. All of those searches, every URL, every search term, every page viewed, are being captured by Google’s embedded code and transmitted to companies that Chinese law requires to cooperate with state intelligence operations.
The federal government has determined this is a national security emergency. The Department of Justice said these transfers pose an “unusual and extraordinary threat” to the United States. But for Barbara Jenkins and the tens of millions of people like her, it is also something quieter and more personal: a betrayal. They trusted the internet to be a place where they could look up what ails them, what they believe, what worries them as a parent, without those private moments being handed to a foreign government. That trust was violated. Not by a hacker. Not by a breach. By the deliberate business decisions of one of the most powerful companies in the world.
Legal Receipts: What the Documents Actually Say
The following are direct quotes from the complaint and from documents cited within it. No paraphrasing. No spin. These are the words on the page.
“Google transmits personal information at massive scale and without meaningful notice or valid consent, to third-party advertising entities participating in its ecosystem, including entities owned by, controlled by, or subject to the jurisdiction of the People’s Republic of China.” Jenkins v. Google LLC, Case No. 4:26-cv-01481, Complaint ¶ 6 (N.D. Cal. Feb. 19, 2026)
- This is the lawsuit’s foundational charge. Google is not a passive conduit. It actively transmits American users’ data to Chinese-jurisdiction companies. The complaint uses the phrase “without meaningful notice or valid consent,” which directly undercuts any argument that Google’s privacy policy buried in fine print constitutes legal consent.
- The phrase “at massive scale” is load-bearing. Scale matters because the Bulk Sensitive Data Rule triggers at 100,000 U.S. persons in a 12-month period. Google’s system reaches hundreds of millions of users. The scale is not incidental; it is the entire point of the business model.
“As early as 2014, senior Google executives discussed concerns about whether companies receiving RTB bid requests were reselling the data. The internal discussion concluded that auditing what buyers do with the data is ‘tough because we mostly send data, not ingest.’” Jenkins v. Google LLC, Complaint ¶ 65, citing Plaintiffs’ Exhibit PTX0326, Google Document (Mar. 31, 2016), United States et al v. Google LLC, No. 1:23-cv-00108 (E.D. Va. 2023)
- This quote proves Google knew its RTB partners might be reselling user data as far back as 2014, and its internal conclusion was that they could not effectively audit what happened to that data after transmission. That is not ignorance. That is deliberate acceptance of an uncontrolled data flow.
- “We mostly send data, not ingest” is an admission that Google’s role in the system is as a fire hose, not a filter. Once the data leaves Google, Google has chosen not to track where it goes. That choice was made at the executive level and documented internally.
“In January 2021, Google’s Chief Marketing Officer wrote to CEO Sundar Pichai urging a strategic shift, explicitly characterizing ‘real time bidding on user data’ as ‘bad.’ Pichai did not act on this recommendation.” Jenkins v. Google LLC, Complaint ¶ 65, citing Email from Lorraine Twohill to Sundar Pichai, et al. (Jan. 29, 2021), United States, et al., v. Google, No. 1:20-cv-03010 (D.D.C.)
- Google’s own Chief Marketing Officer, the person responsible for the company’s public image, told the CEO in writing that the core mechanism being challenged in this lawsuit was “bad.” This is the company’s internal expert on brand and ethics flagging that RTB was a problem.
- Sundar Pichai’s non-response is documented. He did not act. This is critical for the complaint’s argument that Google’s conduct was not negligent but intentional. Leadership-level awareness plus inaction plus continued operation equals a knowing violation.
“An internal planning document from late 2021 set the objective to ‘Make RTB privacy safe’ over the following three years; Google failed to implement it. Instead, in December 2024, Google announced a policy change that was ‘less prescriptive with partners in how they target and measure ads,’ loosening prior restrictions on the use of IP addresses and device-level data.” Jenkins v. Google LLC, Complaint ¶ 65, citing Plaintiffs’ Exhibit PTX1069, 2022 AViD Sellside Plan, United States et al v. Google LLC, No. 1:23-cv-00108 (E.D. Va. 2023); and Google Platform Policies Help (Dec. 18, 2024)
- Google set a three-year internal goal to make RTB privacy-safe and then abandoned it. The timeline matters: the goal was set in late 2021, would have concluded by late 2024, and instead of completing it, Google announced in December 2024 that it was giving partners more access to IP addresses and device-level data, the opposite direction.
- This is the clearest documented evidence of what the complaint calls Google’s deliberate business decision. There was a path to compliance. Google chose not to take it. It chose more data sharing, not less.
“[W]hy would you go through the trouble of complicated cyber intrusions and theft to get Americans’ data when you can just buy it on the open market or force a company under your jurisdiction to give you access? . . . The [BSDR program] makes getting that data a lot harder.” Deputy Attorney General Todd Blanche, U.S. Dep’t of Just. Press Release (Apr. 11, 2025), quoted in Jenkins v. Google LLC, Complaint ¶ 48
- The Deputy Attorney General of the United States is explicitly describing the pipeline that Google operates as a substitute for traditional espionage. The U.S. government’s position is that China does not need to hack American systems when it can purchase, or compel companies it controls to provide, the same data through legal commercial channels.
- The BSDR was designed specifically to close this loophole. Google’s continued operation of RTB transfers to Chinese-affiliated partners after April 8, 2025 is the lawsuit’s central factual claim of a post-rule violation.
“Google’s bid requests can include content classification codes that categorize the subject matter a user is viewing across sensitive categories including bankruptcy, mental health, substance abuse, sexual conditions, cancer, divorce, and specific religious traditions.”
“Google’s RTB infrastructure is also capable of transmitting data broker segments that classify individual users as, among other categories, ‘decision makers for the Government Industry, specifically National Security and International Affairs,’ ‘People who work at companies in aerospace manufacturing,’ ‘active military’ personnel, and ‘people who are likely Judges.’” Jenkins v. Google LLC, Complaint ¶ 72, citing Johnny Ryan & Wolfie Christl, America’s Hidden Security Crisis, ICCL Enforce (Nov. 2023)
- This is the national security dimension in concrete terms. Google’s RTB system can and does classify users by their professional roles in government, defense, and the judiciary. When those classifications are transmitted alongside persistent identifiers and IP addresses to Chinese-affiliated companies, a foreign intelligence service can correlate specific individuals to their daily browsing habits, home locations, and health or financial vulnerabilities.
- Investigative reporting by Wired (cited in the complaint) confirmed that data sourced from RTB systems has been purchased commercially and used to track U.S. military and intelligence personnel to “nuclear vaults and brothels in Germany.” This is not hypothetical. The exploitation of this pipeline has already been documented.
How the Machine Works: The Technical Infrastructure of Betrayal
The complaint documents Google’s surveillance pipeline in granular technical detail. Understanding the mechanics is essential to understanding why this is not an accident.
- Google’s code is everywhere. Products including Google Ads, Google Ad Manager, Google Publisher Tag, Google Ad Exchange, and the DoubleClick infrastructure are embedded on millions of websites across virtually every category of online content. When you load any of those pages, Google’s tracking scripts execute automatically in your browser before you can interact with the page.
- Two cookies are doing the heavy lifting. The IDE cookie tracks and profiles users even when they are not logged into a Google account. The DSID cookie is directly linked to a user’s Google account, meaning Google can tie your anonymous browsing across third-party websites to your name, email, and Google profile if you are signed into Gmail or YouTube in the same browser.
- What gets captured is the substance of your communication. The full URL of every page you visit, including search terms in the URL, the referrer (where you came from), and contextual information about what you are reading. The ECPA defines “content” as “any information concerning the substance, purport, or meaning of that communication.” A URL containing “opioid-withdrawal-symptoms” or “my-child-has-ADHD” is content. Google captures it as the page loads, in real time, before the user finishes reading.
- The RTB auction happens in milliseconds. Every time you load a page with Google’s advertising code, Google runs an auction. It sends “bid requests” to approved advertising companies, who have a fraction of a second to decide how much to bid. Those bid requests contain your IP address, your cookie data, the URL of the page you are viewing, your approximate geographic location, and audience classification codes describing your demographics, health conditions, and professional role.
- Cookie syncing links your identity across companies. Through a process Google calls “cookie matching,” Google sends a persistent identifier called the Google GID to each advertising partner. This allows each partner to link Google’s identifier for you to their own internal tracking record for you. The result: every approved partner in Google’s ecosystem can now recognize you across every website where Google’s code runs, even if the partner never had a direct relationship with you.
- Google controls every gate. Google decides which companies get approved as advertising partners. Google controls what data goes into each bid request. Google controls which partners receive the GID through cookie syncing. Every step of this process was designed, built, and is maintained by Google from its Mountain View, California headquarters.
The Law Google Is Breaking: The Bulk Sensitive Data Rule
The Bulk Sensitive Data Rule (BSDR) is not a proposed regulation. It took effect April 8, 2025. Google’s RTB transmissions to Pangle, MediaGo, and Temu after that date are the basis for every federal claim in this lawsuit.
- Origin. The BSDR originates in Executive Order 14117, in which the President determined that the transfer of Americans’ bulk sensitive personal data to countries of concern, including China, is a national security risk. The DOJ implemented it through the Data Security Program, codified at 28 C.F.R. Part 202.
- What counts as sensitive personal data. The BSDR defines “listed identifiers” to include device identifiers, IP addresses, and cookie data. A listed identifier becomes regulated “sensitive personal data” when transferred in combination with any other listed identifier or when it is linkable to other sensitive data. Google’s RTB bid requests transmit all three types simultaneously.
- The bulk threshold. The BSDR’s prohibitions apply when the data relates to 100,000 or more U.S. persons in a 12-month period. Google’s RTB system reaches hundreds of millions of users. The threshold is crossed before breakfast on any given day.
- Who counts as a “covered person.” Any foreign entity at least 50% owned, directly or indirectly, by a country of concern. China is expressly designated a country of concern. Pangle is owned by ByteDance, which is headquartered in China. MediaGo is owned by Baidu, which is headquartered in Beijing. Temu is owned by PDD Holdings, which maintains substantial operations and executive oversight in China.
- What counts as “data brokerage.” The BSDR’s definition covers the sale, licensing, or transfer of data where the recipient did not collect or process the data directly from the individuals it relates to. Google’s RTB partners did not collect your data from you. Google collected it and handed it to them. This fits the statutory definition precisely.
- The DOJ’s own example confirms it. The rule includes illustrative examples. Example 5 describes a U.S. advertising exchange providing IP addresses and advertising IDs to advertisers headquartered in a country of concern. The DOJ explicitly calls this prohibited data brokerage. Google’s conduct matches this example point for point.
- Penalties. The BSDR provides for both civil and criminal penalties. The lawsuit also asserts violations of the Electronic Communications Privacy Act (ECPA), which allows statutory damages of $10,000 or $100 per day per violation, whichever is greater, and punitive damages.
Societal Impact Mapping
Public Health
Google’s tracking infrastructure is deployed across the health information ecosystem at a scale that turns ordinary health-seeking behavior into a surveillance event.
- When a user visits Drugs.com and searches for “lithium” or navigates to an opioid safety guide, the full URL, containing those specific medical terms, is transmitted to Google and then to MediaGo (Baidu), Pangle (ByteDance), and Temu (PDD Holdings). The search is no longer private. It is a data point in a corporate and potentially government-accessible profile.
- Google’s RTB audience classification system, which draws from the IAB TechLab Audience Taxonomy, contains over 1,999 user characteristics. Among them: categories identifying users by health conditions, prescription medication use, and substance abuse. These audience tags are included in bid requests, meaning a Chinese-affiliated advertiser can receive not just your browsing URL but a standardized label describing your medical situation.
- The chilling effect on health-seeking behavior is documented in the legal standard for privacy harm. The complaint cites that this conduct “would be highly offensive to a reasonable person” precisely because health information is among the most sensitive categories of personal data. When people know or suspect their health searches are tracked and sold, they may avoid searching for help entirely, including for conditions like addiction, mental illness, or sexually transmitted infections.
- The complaint documents that Google’s content classification codes used in RTB include categories covering mental health, substance abuse, sexual conditions, and cancer. These are transmitted as part of bid requests to all approved partners, including the three Chinese-affiliated entities.
Economic Inequality
Google’s RTB system extracts the most value from the most vulnerable users, then sells that vulnerability to the highest bidder, including entities that may funnel it to a foreign government.
- Google’s audience classification system includes segments identifying users by estimated income brackets, payday loan and emergency loan use, and financial distress categories. These financial vulnerability tags are transmitted in RTB bid requests. A Chinese-affiliated advertising company can receive data telling it a specific tracked user is likely in financial crisis.
- The people least likely to understand that their browser is running invisible code that transmits their searches to foreign companies are also the people least likely to have the technical ability to prevent it. The complaint is explicit that users “lack a reasonable means to detect, prevent, or opt out of Google’s data collection and sharing with foreign-controlled entities.”
- The class action structure exists specifically because individual damages from privacy violations are often too small for any one person to sue over. Google generates $307.4 billion in annual revenue, the substantial majority from this advertising infrastructure. The economic model depends on the fact that each individual victim’s harm feels abstract while Google’s aggregate profit is enormous and concrete.
- The complaint notes that data broker segments in Google’s RTB ecosystem identify users by status as a minor, sexual orientation, ethnicity, and political media consumption. When financial vulnerability is combined with these identifiers and transmitted to entities under Chinese law, the result is a profile that enables both commercial exploitation and potential political or coercive targeting.
The Timeline of Knowing: Every Step Google Chose Not to Take
The complaint establishes a documented record of Google’s awareness stretching over a decade. This is not a company that failed to anticipate a problem. It is a company that identified the problem, discussed it internally, set goals to fix it, and then walked away from those goals.
Anatomy of a Bid Request: What Google Sends to China-Linked Companies
Every time a webpage with Google’s code loads, a bid request is assembled and broadcast to approved partners in milliseconds. Here is what that request contains.
The Cost of a Life Metric
Google’s annual revenue, the substantial majority derived from the advertising infrastructure at the center of this lawsuit.
For context: the statutory damages provision of the ECPA allows $10,000 per violation or $100 per day, whichever is greater. If even 10 million class members qualify, total statutory exposure exceeds $100 billion, roughly one-third of Google’s annual revenue. Google chose not to fix this system when its own CMO asked it to.
What Now? Watchlist, Action Steps, and Who to Hold Accountable
The lawsuit is filed. The law is documented. What you do next determines whether Google faces real consequences or weathers this the way it has weathered every prior privacy scandal: by waiting it out.
Key Corporate Roles to Hold Accountable
- CEO, Google LLC / Alphabet Inc. The complaint documents that Sundar Pichai received a direct written recommendation from his CMO in 2021 characterizing RTB data sales as “bad” and chose not to act. The BSDR violations began accruing on April 8, 2025, under his leadership.
- Google’s Authorized Buyers / Ad Exchange Leadership. The decision to approve Pangle, MediaGo, and Temu as authorized bidding partners, and to maintain those integrations after the BSDR took effect, reflects choices made by the teams managing Google’s advertising partner ecosystem.
- ByteDance (Pangle), Baidu (MediaGo), PDD Holdings (Temu). Each of these parent companies is subject to Chinese law requiring cooperation with state intelligence operations. They are named as the receiving entities for prohibited data transfers in the lawsuit.
Regulatory Watchlist
- U.S. Department of Justice / National Security Division: The BSDR is a DOJ rule. The National Security Division administers the Data Security Program. File a complaint at justice.gov. The complaint specifically cites the DOJ’s own illustrative examples confirming Google’s conduct violates 28 C.F.R. §§ 202.210 and 202.214.
- Federal Trade Commission (FTC): The Electronic Privacy Information Center (EPIC) and ICCL Enforce filed a complaint with the FTC on January 16, 2025 specifically about Google’s RTB practices. The FTC has jurisdiction over deceptive trade practices. The FTC complaint is publicly available and cited in this lawsuit.
- Your State Attorney General: Twenty-one state attorneys general already sent a formal warning to Temu in August 2024 about its data practices. Nebraska and Kentucky have sued Temu directly. Contact your state AG’s office and ask what they are doing about Google’s BSDR violations specifically.
- U.S. Senate and House Intelligence Committees: ByteDance and TikTok have already been the subject of congressional investigations. The complaint documents that Pangle, ByteDance’s advertising arm, is an approved Google RTB partner receiving American users’ health, religious, and financial browsing data.
- EU Data Protection Authorities (for non-U.S. readers): Temu’s Dublin offices were raided by EU regulators in December 2025 over Chinese state subsidy concerns. GDPR enforcement actions related to RTB practices have been pending in multiple EU jurisdictions.
“The interception is instrumentally necessary to effectuate the prohibited transfers. Without the interceptions described herein, Google could not conduct the auctions that produce the BSDR violations.”
Grassroots and Mutual Aid Actions
- Join or share the class action. The lawsuit covers all individuals in the United States whose electronic communications with websites incorporating Google’s advertising technology were intercepted and whose personal information was transmitted to Pangle, MediaGo, Temu, or other covered persons on or after April 8, 2025. The law firm is Milberg, PLLC. Contact information: William J. Edelman at wedelman@milberg.com and Heather M. Lopez at hlopez@milberg.com.
- Use Firefox with uBlock Origin. This is not a comprehensive solution, but it is the most effective widely-available tool for blocking Google’s tracking scripts before they execute. It blocks the DoubleClick infrastructure that the complaint describes as the collection mechanism. It is free and open-source.
- Organize in your community around digital literacy. The complaint is explicit that users “lack a reasonable means to detect, prevent, or opt out” of this surveillance. Older adults, low-income communities, and communities with low English literacy are particularly vulnerable. Digital privacy workshops at libraries, community centers, and mutual aid organizations can change that.
- Demand institutional accountability from Google’s enterprise clients. Google’s advertising infrastructure is supported by the publishers who embed its code. If the websites you use, including health information sites, religious organizations, and parenting publications, embed Google’s tracking code, contact them directly and ask whether they have conducted a BSDR compliance review.
- Push your elected representatives on the BSDR enforcement gap. The rule exists. The DOJ has acknowledged the threat. But no enforcement action against Google has been announced. Public pressure and constituent communication are among the most documented mechanisms for moving regulatory agencies from passive acknowledgment to active enforcement.
The source document for this investigation is attached below.


