Utah Office of the Attorney General

Utah AG Leads Bipartisan Lawsuit against Tech Giant Google

Utah v. Google says Google Illegally Maintains an App Store Monopoly; Unfairly Edges Out Competition

SALT LAKE CITY – Today, Utah Attorney General Sean D. Reyes led a coalition of 37 attorneys general to file a lawsuit against Google in California. Utah v. Google alleges exclusionary conduct relating to the Google Play Store for Android. This antitrust lawsuit is the newest legal action against the tech giant, claiming illegal, anticompetitive, and/or unfair business practices.

Reyes and the States accuse Google of using its dominance to unfairly restrict competition with Google Play Store, harming consumers by limiting choice and driving up app prices. In addition to Utah, the named party in the filing, the lawsuit is co-led by AGs in New York, Tennessee, and North Carolina.

“Google’s monopoly is a menace to the marketplace. Google Play is not fair play. Google must be held accountable for harming small businesses and consumers. It must stop using its monopolistic power and hyper-dominant market position to unlawfully leverage billions of added dollars from smaller companies, competitors and consumers beyond what should be paid,” said Utah Attorney General Reyes. 

“Most consumers have no idea that for years Google has imposed unnecessary fees far beyond the market rates for in-app transactions, unlawfully inflating costs for many services, upgrades and other purchases made through apps downloaded on the Google Play Store. As a result, a typical American consumer may have paid hundreds if not thousands of dollars more than needed over many years,” Reyes added. “Utah and the other states in our coalition are fighting back to protect our citizens and innovative app developers—including many small businesses across America—from Google’s unlawful practices.”

According to the lawsuit, the heart of the case centers on Google’s exclusionary conduct, which substantially shuts out competing app distribution channels. Google also requires that app developers that offer their apps through the Google Play Store use Google Billing as a middleman. This arrangement, which ties a payment processing system to an app distribution channel, forces app consumers to pay Google’s commission – up to 30% – on in-app purchases of digital content made by consumers through apps that are distributed via the Google Play Store. This commission is much higher than the commission that consumers would pay if they had the ability to choose one of Google’s competitors instead. The lawsuit alleges that Google works to discourage or prevent competition, violating federal and state antitrust laws. Google had earlier promised app developers and device manufacturers that it would keep Android “open source,” allowing developers to create compatible apps and distribute them without unnecessary restrictions. The lawsuit says Google did not keep that promise.

Google Closed the Android App Distribution Ecosystem to Competitors

When Google launched its Android OS, it originally marketed it as an “open source” platform. By promising to keep Android open, Google successfully enticed “OEMs”—mobile device manufacturers such as Samsung—and “MNOs”—mobile network operators such as Verizon—to adopt Android, and more importantly, to forgo competing with Google’s Play Store at that time. Once Google had obtained the “critical mass” of Android OS adoption, Google moved to close the Android OS ecosystem—and the relevant Android App Distribution Market—to any effective competition by, among other things, requiring OEMs and MNOs to enter into various contractual and other restraints. These contractual restraints disincentivize and restrict OEMs and MNOs from competing (or fostering competition) in the relevant market. The lawsuit alleges that Google’s conduct constitutes unlawful monopoly maintenance, among other claims.

In aid of Google’s efforts discussed above, the AGs allege that Google also engaged in the following conduct, all aimed at enhancing and protecting Google’s monopoly position over Android app distribution:

  • Google imposes technical barriers that strongly discourage or effectively prevent third-party app developers from distributing apps outside of the Google Play Store. Google builds into Android a series of security warnings (regardless of actual security risk) and other barriers that discourage users from downloading apps from any source outside Google’s Play Store, effectively foreclosing app developers and app stores from direct distribution to consumers.
  • Google has not allowed Android to be “open source” for many years, effectively cutting off potential competition. Google forces OEMs that wish to sell devices that run Android to enter into agreements called “Android Compatibility Commitments” or ACCs. Under these “take it or leave it” agreements, OEMs must promise not to create or implement any variants or versions of Android that deviate from the Google-certified version of Android.
  • Google’s required contracts foreclose competition by forcing Google’s proprietary apps to be “pre-loaded” on essentially all devices designed to run on the Android OS, and require that Google’s apps be given the most prominent placement on device home screens.
  • Google “buys off” its potential competition in the market for app distribution. Google has successfully persuaded OEMs and MNOs not to compete with Google’s Play Store by entering into arrangements that reward OEMs and MNOs with a share of Google’s monopoly profits.
  • Google forces app developers and app users alike to use Google’s payment processing service, Google Play Billing, to process payments for in-app purchases of content consumed within the app. Thus, Google is unlawfully tying the use of Google’s payment processor, which is a separate service within a separate market for payment processing within apps, to distribution through the Google Play Store. By forcing this tie, Google is able to extract an exorbitant processing fee as high as 30% for each transaction, which is more than ten times as high as the fee charged by Google’s competitors.

This effort is led by Utah Attorney General Sean D. Reyes, New York Attorney General Letitia James, North Carolina Attorney General Josh Stein and Tennessee Attorney General Herbert Slatery III. States joining the lawsuit include Alaska, Arkansas, Arizona, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Idaho, Indiana, Iowa, Kentucky, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Oregon, Rhode Island, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, and West Virginia.

Click here to see Frequently Asked Questions regarding the lawsuit.

Click here to see the text of the Utah v. Google lawsuit.

Health Insurer Premera Settles Suit for Failing to Protect Sensitive Data

FOR IMMEDIATE RELEASE
July 11, 2019

Premera Breach Affects Millions Nationwide, Including about 50,000 Utahns

OLYMPIA, WA — Premera Blue Cross, the largest health insurance company in the Northwest, has settled a lawsuit over failing to fix known security problems that exposed personal information of more than 10.4 million consumers nationwide, including approximately 50,000 Utahns, to a hacker.

Utah Attorney General Sean D. Reyes and 29 other attorneys general filed a settlement today that requires Premera Blue Cross to pay $10 million total to states over its insufficient data security and failure to secure the consumer data, including protected health and personal information.

A nearly year-long investigation focused on Premera’s cybersecurity vulnerabilities that gave a hacker unrestricted access to the data for almost a year. Under the settlement, Premera will:

  • Pay a total of $10 million to states. (Premera settled a class action lawsuit for $74 million earlier this year.)
  • Implement specific data security controls intended to protect personal health information, annually review its security practices and provide data security reports to the attorneys general.
  • Premera’s $10 million payment to the states is in addition to any payment from the proposed class action settlement, which was filed in federal court in Oregon but not yet finalized by the court.

“This was clearly a violation of Federal and Utah privacy laws and is simply unacceptable,” said Utah Attorney General Sean D. Reyes.  “Even worse, but the company knew about the deficient data security for nearly a year and didn’t take necessary measures to fix it.  Consumers deserve much, much better.”

The complaint asserts that the company failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and the Utah Protection of Personal Information Act (UPPIA) by not addressing known cybersecurity vulnerabilities that gave a hacker unrestricted access to protected health information for almost a year.

From May 5, 2014 until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.

The hacker took advantage of multiple known weaknesses in Premera’s data security. For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without fixing its practices.

The complaint asserts that Premera misled consumers nationwide about its privacy practices in the aftermath of the data breach. After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers that “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach.

Under HIPAA, Premera is required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera repeatedly failed to meet these standards, leaving millions of consumers’ sensitive data vulnerable to hackers for nearly a year.

Today’s settlement also requires Premera to:

  • Ensure its data security program protects personal health information as required by law
  • Regularly assess and update its security measures
  • Provide data security reports, completed by a third-party security expert approved by the multistate coalition, to the Washington State Attorney General’s Office
  • Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance and will be responsible for implementing, maintaining and monitoring the company’s security program.
  • Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.

Today’s multistate settlement against Premera involves Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont, and Washington.

A copy of the settlement can be viewed here.

-30-