Corporate Accountability Project | Case No. 4:26-cv-01481 | N.D. California | Filed February 19, 2026
Class Action ยท Privacy & National Security
Google Sold Your Private Browsing to Chinese Spyware Companies
A federal lawsuit filed in 2026 alleges Google systematically fed Americans’ health searches, religious habits, and sensitive browsing data to ByteDance, Baidu, and Temu โ companies legally obligated to share data with Beijing.
๐ด Critical Severity
TL;DR
Every time you searched for a medication on Drugs.com, read a Bible verse on BibleHub, or browsed a parenting article on Parents.com, Google secretly intercepted that activity and sold your persistent digital identity to Pangle (ByteDance/TikTok), MediaGo (Baidu), and Temu, three Chinese technology companies legally required by Beijing to hand over data to state intelligence agencies. Google generated $307.4 billion in 2024 revenue doing exactly this. A federal law passed in April 2025, the Bulk Sensitive Data Rule, explicitly banned these transfers as a national security threat. Google kept doing it anyway. Millions of Americans had their most intimate online behavior handed to a foreign adversary without their knowledge, without their consent, and with no way to stop it.
Your medical searches, your faith, your family concerns โ Google turned them into a commodity for Chinese state surveillance. Demand accountability. Share this story.
$307.4B
Google annual revenue from advertising
3
Chinese-linked ad companies receiving American data
100K+
U.S. persons’ data per transfer (BSDR threshold)
1,999+
User characteristics assignable in bid requests
$10K
Statutory damages per violation (ECPA max)
21
State attorneys general who warned about Temu’s data practices
The Allegations
Core Allegations: What Google Did
Surveillance infrastructure ยท 9 points
โพ
| 01 | Google operates the world’s largest digital advertising network generating approximately $307.4 billion in annual revenue, the substantial majority from online advertising built on mass user surveillance. | high |
| 02 | Google embeds tracking scripts (Google Publisher Tag, DoubleClick, Google Ad Manager) on millions of websites, automatically intercepting users’ browsing activity without their knowledge or consent as pages load. | high |
| 03 | Google assigns persistent advertising identifiers (IDE, DSID, and Google GID cookies) that track individuals across websites and devices, linking browsing history to identified Google accounts when users are logged in through Gmail or YouTube. | high |
| 04 | Through real-time bidding auctions, Google transmits users’ IP addresses, page URLs (which reveal the substance of what users are reading and searching), persistent identifiers, and geolocation data to third-party advertisers in fractions of a second, thousands of times per day. | high |
| 05 | Google formally approved Pangle (ByteDance/TikTok parent), MediaGo (Baidu), and Temu (PDD Holdings) to participate in its real-time bidding ecosystem and receive American users’ sensitive data โ all three companies are legally subject to Chinese government intelligence laws requiring data cooperation with Beijing. | high |
| 06 | On websites including Drugs.com, BibleHub.com, and Parents.com, Google intercepted users’ health searches, religious queries, and parenting concerns, then transmitted this data to all three Chinese-linked advertising partners as verified in the complaint. | high |
| 07 | Google’s bid requests can include over 1,999 audience classification codes โ spanning categories such as bankruptcy, mental health struggles, substance abuse, sexual conditions, specific religious traditions, and cancer diagnoses โ all potentially transmitted to Chinese-linked companies. | high |
| 08 | Google’s RTB infrastructure is documented to have transmitted segment data identifying users as active military personnel, national security government employees, judges, aerospace workers, and other sensitive-role individuals to commercial data brokers. | high |
| 09 | The complaint alleges Google continued these transfers after April 8, 2025 โ when the Bulk Sensitive Data Rule took legal effect โ constituting ongoing criminal and tortious conduct for which statutory damages of $100 per day per violation or $10,000, whichever is greater, are sought. | high |
Regulatory Failures: How Oversight Broke Down
BSDR violation ยท ECPA violation ยท 5 points
โพ
| 01 | The Bulk Sensitive Data Rule (BSDR), effective April 8, 2025, categorically prohibits commercial transfers of Americans’ bulk personal data including IP addresses and persistent identifiers to entities subject to the jurisdiction of China, identifying such transfers as an “unusual and extraordinary threat” to national security. | high |
| 02 | The Department of Justice confirmed in 2025 that advertising-technology data transfers of precisely the type Google conducts constitute prohibited data brokerage, citing examples nearly identical to Google’s operations in the BSDR’s own regulatory text. | high |
| 03 | The Federal Wiretap Act (ECPA) prohibits intentional interception of electronic communications. Because Google’s interception enabled criminal BSDR violations, it cannot claim the “party exception” and faces liability to every American whose communications it captured and transmitted to Chinese-linked entities. | high |
| 04 | Maryland’s Wiretap Act requires all-party consent. Google never obtained consent from Plaintiff or class members; the complaint argues the crime-tort exception independently voids any possible consent defense because the transfers to Chinese entities constitute independent criminal conduct. | med |
| 05 | Despite Google’s Chief Marketing Officer explicitly flagging in January 2021 that “real time bidding on user data” is “bad” in a memo to CEO Sundar Pichai, no corrective action was taken. In December 2024 โ with the BSDR already finalized โ Google loosened its data-sharing restrictions further. | high |
Profit Over People: The Business Model
Revenue model ยท Corporate decision-making ยท 4 points
โพ
| 01 | Google’s advertising revenue totals approximately $307.4 billion annually. The real-time bidding system that feeds Chinese-linked companies American user data is not a side product โ it is the core infrastructure generating this revenue. | high |
| 02 | The complaint explicitly states that Google’s integrations with Pangle, MediaGo, and Temu are “deliberate business decisions” that are “not incidental to its operations but central to its advertising business model.” | high |
| 03 | A 2021 internal Google planning document set the objective to “Make RTB privacy safe” over three years. Google did not implement the plan. Instead, it expanded data sharing and loosened IP-address and device-level tracking restrictions in December 2024. | high |
| 04 | Google monetizes users’ browsing activity without their knowledge or compensation. Users receive no payment, no service from Google in exchange for their data on third-party websites, and no practical mechanism to prevent Google from selling their intimate browsing history. | med |
Corporate Accountability Failures
Knowledge ยท Inaction ยท Cover ยท 4 points
โพ
| 01 | As early as 2014, senior Google executives internally raised concerns that companies receiving RTB bid request data may be reselling it. Google concluded auditing buyer behavior is “tough because we mostly send data, not ingest” โ and continued the practice regardless. | high |
| 02 | Google had actual and constructive knowledge of the BSDR before it took effect. Google designed, built, and controls the advertising infrastructure at issue, including which partners are approved, what data is sent, and who receives user identifiers via cookie syncing. | high |
| 03 | Despite Google’s own Chief Marketing Officer calling RTB data sharing “bad” in a 2021 memo to CEO Sundar Pichai, Pichai did not act. The company responded not by reforming the practice but by expanding it in late 2024. | high |
| 04 | The complaint alleges Google denied users any meaningful opportunity to detect, review, prevent, or opt out of the interception and foreign transmission of their browsing activity. The tracking executes automatically before users can act. | high |
Public Health and Safety: What Data Was Exposed
Sensitive categories ยท Specific harms ยท 5 points
โพ
| 01 | On Drugs.com, Google intercepted users’ searches for specific medications (including lithium, associated with bipolar disorder) and drug interaction information, transmitting these to Pangle, MediaGo, and Temu. Medical search terms appear in the URLs transmitted in plain text. | high |
| 02 | On BibleHub.com, Google captured searches related to religious beliefs, moral concerns, and spiritual struggles (including searches for terms like “temptation” or “adultery”) and transmitted these to Pangle and Temu, revealing deeply personal religious information to Chinese-linked companies. | high |
| 03 | On Parents.com, Google intercepted articles read about childhood behavioral disorders and newborn health concerns and transmitted page URLs โ revealing parents’ anxieties about their children’s health and development โ to Pangle and Temu. | high |
| 04 | Google’s RTB bid requests can include IAB Audience Taxonomy codes identifying users across over 1,999 characteristics including use of payday loans, bankruptcy status, cancer diagnosis, mental health conditions, substance abuse history, sexual conditions, and affiliation with specific religious traditions. | high |
| 05 | Investigative reporting cited in the complaint documents that data derived from RTB systems has been purchased on the open market and used to track U.S. military and intelligence personnel to sensitive installations, including nuclear facilities. | high |
Timeline of Events
2014
Senior Google executives internally raise concerns that RTB bid request recipients may be reselling user data. Google concludes auditing is “tough” and continues the practice.
Jan 2021
Google’s Chief Marketing Officer sends memo to CEO Sundar Pichai explicitly calling “real time bidding on user data” bad. Pichai takes no action.
Late 2021
Internal Google planning document sets three-year objective to “Make RTB privacy safe.” The plan is never implemented.
Aug 2024
Twenty-one state attorneys general issue formal warning about Temu’s invasive data practices and its legal obligations under Chinese national intelligence law.
Dec 2024
Rather than tightening privacy protections, Google announces a policy change that is “less prescriptive” with advertising partners and loosens restrictions on IP address and device-level tracking.
Apr 8, 2025
The Bulk Sensitive Data Rule (BSDR) takes effect, explicitly prohibiting transfers of Americans’ bulk personal data to Chinese-linked entities as an “unusual and extraordinary threat” to national security. Google continues its data transfers.
JunโJul 2025
Attorneys general of Nebraska and Kentucky file lawsuits against Temu alleging its mobile app functions as spyware on Americans’ devices.
Feb 19, 2026
Barbara Jenkins v. Google LLC filed as a federal class action in the Northern District of California, seeking statutory damages of $10,000 per ECPA violation for millions of affected Americans.
Direct Quotes from the Legal Record
QUOTE 1
Internal recognition of RTB data risks
Corporate Accountability
“auditing what buyers do with the data is ‘tough because we mostly send data, not ingest.'”
๐ก Google’s own 2014 internal discussion admits the company knew it couldn’t track what Chinese-linked companies did with American user data โ and continued anyway for over a decade.
QUOTE 2
Google CMO calls RTB “bad” to CEO
Corporate Accountability
“real time bidding on user data” [is] “bad.”
๐ก Google’s own marketing chief told CEO Sundar Pichai in January 2021 that this practice was harmful. Pichai did not act. Google expanded the practice instead.
QUOTE 3
Government declares transfers a national security threat
Regulatory Failures
“why would you go through the trouble of complicated cyber intrusions and theft to get Americans’ data when you can just buy it on the open market or force a company under your jurisdiction to give you access?”
๐ก Deputy Attorney General Todd Blanche described precisely what Google enabled: China didn’t need to hack American systems. Google sold Beijing a front door.
QUOTE 4
Data transfers declared an “extraordinary threat”
Regulatory Failures
“unusual and extraordinary threat” to the national security of the United States
๐ก This is the U.S. government’s own language describing exactly what Google was doing: routing private American browsing data to Chinese state-linked companies.
QUOTE 5
Google’s deliberate choice to partner with Beijing-linked firms
Core Allegations
“Google’s integrations with Pangle, MediaGo, and Temu are deliberate business decisions. Google’s conduct is not incidental to its operations but central to its advertising business model.”
๐ก The complaint directly contradicts any claim this was accidental or unknowing: Google chose these partners, approved them, and built systems to feed them American user data.
QUOTE 6
Users have no way to stop the interception
Core Allegations
“The user has no direct relationship with Google’s advertising infrastructure as deployed on third-party websites, receives no services from Google in connection with these transmissions, and has no meaningful opportunity to detect, review, or prevent Google’s acquisition of their browsing activity.”
๐ก This is the surveillance happening right now, on any website with a Google ad. You cannot see it. You cannot stop it. And Google profits from it.
QUOTE 7
Sensitive user categories transmitted to Chinese entities
Public Health and Safety
“decision makers for the Government Industry, specifically National Security and International Affairs,” “People who work at companies in aerospace manufacturing,” “active military” personnel, and “people who are likely Judges.”
๐ก These are the segment categories Google’s RTB system has transmitted to data buyers โ including entities subject to Chinese intelligence law. This is not profiling for cereal ads. This is a counterintelligence catastrophe.
QUOTE 8
Chinese laws compel data access for Beijing
Core Allegations
“companies and individuals are required to cooperate with government surveillance efforts and grant authorities access to private user data”
๐ก This is Chinese law applied to Pangle, MediaGo, and Temu. Google knew these companies operated under this legal framework and chose them as data partners anyway.
Commentary
How serious is this lawsuit?
โพ
This is one of the most significant privacy class actions filed in years. It combines violations of federal wiretapping law (the ECPA), a brand-new national security regulation (the Bulk Sensitive Data Rule), and two separate common law privacy torts. The BSDR violations alone carry criminal penalties, not just civil damages. The statutory damages sought under the ECPA are $10,000 per violation per person โ applied to millions of Americans, the potential liability is staggering. This is not a nuisance filing. It is a direct legal challenge to the infrastructure powering Google’s entire business model.
Why is this different from normal targeted advertising?
โพ
Normal advertising may feel creepy, but it generally stays within U.S. legal frameworks with some privacy protections. This case is fundamentally different: Google is allegedly transmitting Americans’ sensitive browsing data (health searches, religious habits, financial concerns) to companies that are legally required by China’s National Intelligence Law to hand over data to Beijing’s state security apparatus. The U.S. government has explicitly determined this constitutes a national security threat. That transforms a privacy violation into a potential counterintelligence crisis. If a U.S. military officer searched for information about their health condition on Drugs.com, that search may now be in a Chinese government database.
Did Google know this was happening?
โพ
Yes, and extensively. The complaint documents knowledge going back to 2014, when Google internally acknowledged it couldn’t audit what ad buyers did with user data. In 2021, Google’s own Chief Marketing Officer told CEO Sundar Pichai in writing that real-time bidding on user data was “bad.” Google’s internal planning documents from 2021 set a goal to make RTB “privacy safe” โ a goal never implemented. Google designed, built, and maintains all of this infrastructure. It chose which companies were approved partners. It chose what data to include in bid requests. The complaint characterizes the decision to include ByteDance, Baidu, and Temu as “deliberate business decisions” at the core of Google’s revenue model. This is not negligence. This is a choice.
Am I affected if I used these websites?
โพ
If you visited any website running Google’s advertising code after April 8, 2025 โ which is the majority of websites on the internet โ and if any of your data was transmitted to Pangle, MediaGo, Temu, or other Chinese-affiliated entities, you may be a class member. The class definition in the complaint covers all U.S. individuals whose electronic communications were intercepted and whose personal information was transmitted by Google to these covered persons. The class size is estimated in the millions or tens of millions. Maryland residents may also be members of the Maryland Subclass with additional state law claims.
What data specifically went to these Chinese companies?
โพ
The complaint is specific. Through Google’s real-time bidding and cookie syncing systems, the following data was transmitted to Pangle, MediaGo, and Temu: full page URLs (which reveal exactly what users were reading and searching, including sensitive medical terms, religious content, and parenting concerns), IP addresses and IP-derived geolocation, persistent advertising identifiers (the Google GID, IDE, and DSID cookies), device information, and audience classification codes drawn from a taxonomy of over 1,999 user characteristics. The complaint also notes that RTB segment data has commercially included categories identifying users as active military, aerospace workers, national security officials, judges, and people with specific health conditions, income brackets, or sexual orientations.
Why is China’s involvement a legal issue, not just a political one?
โพ
China’s National Intelligence Law, Cybersecurity Law, and Data Security Law legally compel Chinese companies and individuals to cooperate with government intelligence operations and grant state authorities access to private user data. This is not a political opinion โ it is Chinese law, applied to ByteDance (Pangle), Baidu (MediaGo), and PDD Holdings (Temu). The U.S. government formally responded to this legal reality with the Bulk Sensitive Data Rule, which treats transfers to these entities as a categorical national security threat equivalent to giving Beijing a direct line to Americans’ private lives. Google’s continued partnership with these companies after the BSDR took effect is the alleged legal violation at the heart of this case.
What can I do to prevent this from happening again?
โพ
Individually: use a browser that blocks third-party trackers (Firefox with uBlock Origin, Brave, or Safari), use a VPN to mask your IP address, and avoid logging into Google accounts while browsing sensitive content. Delete third-party cookies regularly. Use private/incognito mode on sensitive sites. Collectively: contact your congressional representatives to demand full enforcement of the BSDR and expanded penalties for violations. Support organizations like the Electronic Frontier Foundation and the Electronic Privacy Information Center that litigate against surveillance capitalism. If you believe you are a class member, monitor ClassAction.org for updates. And share this story โ public pressure remains one of the most effective tools in forcing corporate accountability when regulators move slowly.
What happens next in the lawsuit?
โพ
Filed February 19, 2026, the complaint will proceed through class certification, which requires the court to determine whether the case can proceed on behalf of millions of Americans as a unified class. Google will almost certainly move to dismiss, arguing the party exception shields its conduct and that users consented through website terms of service. The plaintiffs’ strongest card is that Google violated the BSDR โ a criminal statute โ which eliminates the party exception and the consent defense under the crime-tort rule. Discovery will be critical: internal Google documents about its knowledge of the risks, its deliberate partner approvals, and its failure to implement its own stated privacy reforms will likely be central to the case.
๐ก Explore Corporate Misconduct by Category
Corporations harm people every day โ from wage theft to pollution. Learn more by exploring key areas of injustice.
- ๐ Product Safety Violations โ When companies risk lives for profit.
- ๐ฟ Environmental Violations โ Pollution, ecological collapse, and unchecked greed.
- ๐ผ Labor Exploitation โ Wage theft, worker abuse, and unsafe conditions.
- ๐ก๏ธ Data Breaches & Privacy Abuses โ Misuse and mishandling of personal information.
- ๐ต Financial Fraud & Corruption โ Lies, scams, and executive impunity.
