Google's Gemini Privacy Win Rewrites AI Rules
Court ruling reshapes AI consent landscape for developers.
Model Diplomat9 min readNorth America

Google's Gemini Privacy Win Rewrites the AI Consent Rulebook
A federal judge dismissed the Thele v. Google class action on July 7, 2026, handing AI developers a template to bypass state privacy laws by defaulting features on and daring users to prove concrete harm.
The dismissal of Thele v. Google LLC on July 7, 2026 is not a routine standing loss — it is a road map for every AI vendor with consumer data. By ruling that plaintiffs failed to show "concrete harm" when Google silently switched on Gemini's access to Gmail, Chat, and Meet accounts in October 2025, Judge Noël Wise of the U.S. District Court for the Northern District of California effectively told AI developers that default-on data ingestion is federally litigation-proof so long as users cannot yet name what was taken. The decision widens the gap between what state legislatures wrote into privacy statutes and what federal courts will enforce — and it lands as California's own Privacy Protection Agency prepares its first substantive AI rulemaking.
What the court actually decided
Thomas Thele and co-plaintiff Melo Porter sued Google in the Northern District of California on November 11, 2025, alleging that on or about October 10, 2025 the company "secretly turned on Gemini for all its users' Gmail, Chat, and Meet accounts," letting the model scan private communications without consent. The complaint, captioned No. 5:25-cv-09704, brought claims under the California Invasion of Privacy Act (CIPA), the California Computer Data Access and Fraud Act, the federal Stored Communications Act, and the California Constitution's privacy clause, according to the class action complaint on file with the Northern District.
Judge Wise, a 2024 Biden appointee confirmed by the U.S. Senate, granted Google's motion to dismiss but gave plaintiffs leave to amend. Her core finding, as reported by
Bloomberg Law, was procedural but decisive: the named plaintiffs "didn't allege when they signed up for Google's services, why they chose Oct. 10, 2025, as the start date for their claims, whether the Gemini features were enabled when they created their accounts, or whether they had since disabled the features." They also "failed to identify the personal data that Google accessed or used."
"Plaintiffs have so far only alleged that Gemini could be used to track their data. This is insufficient to allege an injury in fact."
That sentence is the load-bearing beam of the ruling. It converts the plaintiffs' theory of harm — that a model capable of reading every email defaults into every account — into a hypothetical, and hypotheticals fail TransUnion v. Ramirez, the 2021 Supreme Court decision that has become the dominant filter for federal privacy suits.
The TransUnion trap, applied to generative AI
The doctrinal engine behind Wise's ruling is not novel — it is the same one that has been quietly gutting statutory privacy claims for five years. In TransUnion, the Supreme Court held that a bare statutory violation, "divorced from any concrete harm," cannot satisfy Article III. Georgetown's Daniel Solove and BU's Danielle Citron argued in a widely cited SSRN paper that the decision "severely limits the effective enforcement of privacy laws" and reflects a "crabbed and inadequate understanding of privacy harms."
The Ninth Circuit hardened the standard for Google's home circuit in Popa v. Microsoft Corp., 153 F.4th 784 (9th Cir. 2025), which required plaintiffs to plead that the collected information was "embarrassing, invasive, or otherwise private" — not merely that a tracker fired. A recent Central District of California order applying Popa to dismiss a TikTok tracking suit, available on CourtListener, warned that "Spokeo is not an open-ended invitation for federal courts to loosen Article III based on contemporary, evolving beliefs about what kinds of suits should be heard in federal courts."
The empirical picture from academia is bleaker than headlines suggest. A recent study of 96 federal data-breach rulings post-TransUnion, published on SSRN, found that 60% of plaintiffs still cleared standing — but access "may depend on geography," meaning identical facts win in the Third Circuit and lose in the Ninth. Thele filed in the Ninth. That was decisive.
Why the architecture matters more than the ruling
Read the docket and the ruling together and a second-order effect appears: the way generative AI is being wired into consumer platforms is nearly impossible to challenge under existing Article III doctrine.
A September 2025 arXiv analysis of six frontier LLM developers — OpenAI, Google, Anthropic, Meta, xAI, and Microsoft — found that all six now train on consumer chat data by default, with enterprise customers opted out by default. Google's default retention for Gemini chats is 18 months, and three years for chats reviewed by human raters, per the same paper. The two-tiered system — paying customers get privacy, free users generate training corpus — is the industry norm, not an outlier.
That architecture generates a specific litigation problem. To satisfy TransUnion and Popa, a plaintiff must plead which email, which message, which specific attribute Gemini read — before discovery, before any subpoena for Google's internal logs. Google, meanwhile, controls the only records that would prove it. In parallel copyright litigation, In re Google Generative AI Copyright Litigation, Magistrate Judge Susan van Keulen ruled in a December 19, 2025 order that "the only record and the only means of determining what materials Google used to train its AI models is the training data itself" — and she denied plaintiffs' request to force Google to identify which class works survived preprocessing. The information asymmetry is total, and standing doctrine locks the courthouse door before it can be pierced.
Who wins, who loses
Google is the obvious winner, but the more important beneficiary is the entire generative AI industry's default-on business model. King & Spalding, defending Google, has now produced a template motion — pinpoint the missing "when did you sign up, what data specifically, what harm specifically" allegations — that will be recycled against every Gemini, Copilot, Meta AI, and Apple Intelligence consumer suit in the Ninth Circuit.
The immediate losers are Ahdoot & Wolfson, the plaintiffs' firm that has built a practice on California privacy class actions, and the private-enforcement model that undergirds CIPA. As Georgetown's Solove has argued in a follow-up SSRN paper, "the American constitutional law of standing, as shaped by the Supreme Court, has become a potent threat to data privacy" — nullifying the private rights of action Congress and state legislatures wrote into statute.
The less obvious loser is the California Privacy Protection Agency. The CPPA is the only U.S. regulator with a bespoke consumer-privacy mandate, and its opt-out preference signal regulations are the most detailed in the country. But CIPA gives individuals a private right of action worth $5,000 per violation — private enforcement was supposed to do the heavy lifting the agency's small staff cannot. If federal courts keep dismissing those suits for lack of standing, the enforcement equilibrium collapses back onto the agency's own docket.
The regulatory frontier moves
The vacuum is already drawing new law. California's AB 2013, the AI Training Data Transparency Act, is being tested in X.AI LLC v. Bonta in the Central District of California, where Judge Jesus Bernal in a March 4, 2026 order let key disclosure provisions survive a First Amendment challenge, reasoning that "A.B. 2013 requires AI model developers to provide information about training datasets, thereby giving the public information necessary to determine whether they will use — or rely on information produced by — Plaintiff's model."
Overseas, the UK Competition and Markets Authority designated Google as having strategic market status on October 10, 2025 — the same day Thele alleges Gemini was silently switched on. The CMA's subsequent Publisher Conduct Requirement now obliges Google to give publishers "effective controls to withhold their Search Content from being used in generative AI services and features," including Gemini AI Assistant and Vertex AI. What British publishers get by regulatory fiat, American users cannot yet get through federal court.
The Senate is watching too. In a September 30, 2025 letter to Sundar Pichai, Senators Bill Cassidy and Josh Hawley demanded answers about Gemini's age-verification and safety auditing procedures. Google's own
October 29, 2025 written testimony to the Senate Commerce Committee, delivered weeks after the default-on switch, focused on content moderation and free expression — not on the consent architecture at issue in Thele.
The historical parallel: Gmail scanning, 2013 edition
There is a precedent that reframes the current fight. In In re Google Inc. Gmail Litigation a decade ago, plaintiffs argued that Google's automated ad-targeting scans of email content violated the Wiretap Act and CIPA. Google eventually ended ad-targeting email scans in 2017, the BBC reported, though it kept scanning for "Smart Replies" and malware. The retreat came not from a court order but from enterprise-customer pressure and Microsoft's marketing campaign — commercial dynamics, not litigation.
The Thele dismissal suggests the same pattern will repeat with generative AI: no federal court will force Gemini's default-on architecture to change. If change comes, it will come from Brussels, London, Sacramento, or Google's enterprise customers — never from a Northern District of California class action.
Diplomat View
The Thele dismissal will be cited in every AI privacy defense brief filed in the Ninth Circuit for the next 24 months. Our call: the ruling entrenches a two-track privacy regime — enterprise users protected by contract, consumer users protected only by state agencies whose enforcement bandwidth is a fraction of what plaintiffs' firms could deliver. Expect the plaintiffs' bar to migrate from federal CIPA claims to state-court filings under California Code of Civil Procedure § 396(a), which has a lower standing bar, and toward Illinois BIPA-style biometric theories that federal courts have been more willing to accept.
What would change this forecast: (1) the Ninth Circuit taking an interlocutory appeal on Article III standing in a Gemini or Copilot case and softening Popa; (2) the CPPA issuing enforceable "automated decisionmaking" regulations with mandatory opt-in for LLM training on consumer content — a rulemaking already in draft; or (3) Google settling a companion suit outside California on materially the same facts, signaling that the standing shield is thinner than Thele suggests. Absent one of those triggers, the default-on architecture is here to stay through the 2026 model cycle.
The deeper implication for tech policy: the American approach to AI regulation is being written not by Congress, not by an omnibus federal privacy law, but by the standing doctrine — a rule about who is allowed into court at all. That is the least democratic mechanism available for setting the terms of consent between a billion users and the companies training on them.
What to watch next
- ~August 6, 2026: Ahdoot & Wolfson's window to file an amended Thele complaint. Watch whether they name specific emails and content categories Gemini processed — or refile in California superior court to escape TransUnion.
- Q3 2026: CPPA's expected finalization of automated decisionmaking technology regulations. If the agency mandates opt-in for LLM training on Californian content, it will bypass the standing problem entirely.
- October 10, 2026: One-year anniversary of the default-on switch and the CMA's SMS designation — a natural trigger for a Bloomberg/Reuters retrospective and for Google to disclose (or not) how many users disabled Smart Features.
- In re Google Generative AI Copyright Litigation class certification: pending before Judge Eumi K. Lee. If certified, discovery will surface the training-data records that no privacy plaintiff has yet been allowed to see.
The Bottom Line
The bottom line: Thele v. Google is not really about Gemini — it is about whether U.S. federal courts will let consumers challenge default-on AI at all, and the answer, for now, is no. The ruling makes the Article III standing doctrine the de facto ceiling on American AI privacy regulation, and every consumer AI product on the market has been built to sit comfortably beneath that ceiling. Until Sacramento, Brussels, or the Ninth Circuit moves, the industry's default-on model is federally litigation-proof — and that is the real policy news out of San Jose this week.
Discover more

US Politics
SNAP Food Assistance Faces Legal Challenges
In 2026, SNAP faces stricter eligibility rules and mounting legal challenges, threatening food assistance for the millions of Americans who rely on the program.
US Politics
Congress Targets AI Chatbot Access for Terror
The House passed the Generative AI Terrorism Risk Assessment Act, focusing on AI's role in terrorism and potential surveillance implications.
Global Politics
Trump's Conflicting Messages on Iran War
Trump's mixed messages on Iran reflect a strategy of audience management, benefiting Tehran amid a complex geopolitical landscape.

Global
US Reinstates Iran Blockade, Splits Hormuz
US reinstates naval blockade of Iran on July 14, ending 26-day ceasefire. Strait of Hormuz splits into competing toll lanes as traffic collapses to 23 ships daily. 60-day war-powers clock ticks toward Congress.