EFF presses Google over notice gaps in law-enforcement data sharing

This article was generated by AI and cites original sources.

Privacy advocates are asking state attorneys general in California and New York to investigate Google over how the company handles user-data requests from law enforcement agencies such as ICE. The Electronic Frontier Foundation (EFF) argues that Google does not notify users before handing over their personal data, and that this practice may be “hidden but systemic,” according to a letter cited by The Verge.

The complaint: notice and disclosure practices

At the center of the complaint is a case involving Amandla Thomas-Johnson, a former PhD candidate at Cornell University. Thomas-Johnson said he received no notice that ICE had accessed his university email, even though the EFF says Google has promised to notify users before disclosing personal data to law enforcement. The dispute highlights questions about how notice systems are implemented, what legal categories trigger disclosure, and how internal processes decide when to send data and when to inform the account holder.

The EFF’s letters, as reported by The Verge, ask the California and New York attorneys general to investigate Google for deceptive trade practices. The advocacy group claims Google has promised “for nearly a decade” that it will notify users before disclosing their personal data to law enforcement, but that it did not do so in Thomas-Johnson’s case.

The EFF alleges that this is not an isolated incident. The group claims that Google sometimes sends data over without user authorization “in order to save time and avoid delay with complying with a government demand.” The EFF characterizes the behavior as a “hidden but systemic practice,” saying it has likely violated Google’s notice promise “numerous other times over the years,” per The Verge.

The specific case: ICE access and legal basis

Thomas-Johnson told the Cornell Daily Sun that the “big question” was whether Google used his Cornell emails to “track us as well,” as described by The Verge. The EFF’s complaint hinges on Thomas-Johnson’s assertion that he received no notice when ICE accessed his university email.

Google’s response, according to The Verge, was that its “processes for handling law enforcement subpoenas are designed to protect users’ privacy while meeting our legal obligations.” A Google spokesperson also said Google reviews “all legal demands for legal validity,” and that it “push[es] back against those that are over broad or improper,” including objecting to some entirely.

Google told the Cornell Daily Sun that Thomas-Johnson’s subpoena requested “basic subscriber information” and did not include the contents of his email. Thomas-Johnson shared records with the Sun showing that his information was accessed under federal communications law 18 USC 2703(c)(2), which, as quoted in The Verge report, “may require” communications providers to hand over users’ address, telephone number, telephone connection records “of session times and durations” and credit card or bank account number.

Even when message contents are not disclosed, metadata and account-linked identifiers can be revealing. The EFF’s framing suggests that the company’s notice and authorization practices may not adequately account for how these categories are operationally handled and communicated to users.

Administrative subpoenas and compliance authority

The EFF’s position, as reported by The Verge, is that the subpoenas at issue were administrative subpoenas issued by DHS. The group argues that companies can refuse to comply with such subpoenas and “face no repercussions” for doing so. The EFF’s letter, as described by The Verge, treats this as a reason Google should have declined or adjusted its compliance posture.

From an operational perspective, this concerns how compliance decisions are structured. When providers receive demands they believe are overbroad or improper, the internal review process becomes a workflow question: what checks are performed, how legal standards are translated into operational rules, and how those rules affect both disclosure and notification. The EFF’s claims suggest that even when review occurs, the notification layer may not be triggered in ways that align with user expectations.

What the EFF is requesting and potential impact

In its letters to California and New York, the EFF asks for an investigation and seeks injunctive relief, including civil penalties of up to $2,500 per violation in California, as reported by The Verge. The EFF also says Google should “commit to ending its deception and pay for its past mistakes,” according to the same reporting.

The dispute signals what privacy advocates see as a gap: a mismatch between public notice promises and the operational reality of responding to government requests. If states investigate and require changes, observers may watch for adjustments to how providers implement notice triggers, document compliance decisions, and communicate which data categories are disclosed under which legal authorities.

The case illustrates how communications platforms manage the balance between legal compliance and user transparency. Even where providers say they review demands and object to overbroad requests, the EFF’s complaint suggests that users may experience non-notice outcomes—particularly when demands are tied to administrative processes. That tension between process and transparency is likely to remain a focal point for privacy discussions around large-scale email and communications services.

Source: The Verge