When AI systems are presented as “Smart Features” designed to personalize user experience, the underlying assumption is that these tools will remain subordinate to user choice. It is also generally expected then that there be a certain level of transparency and consent when enabling such features across platforms containing sensitive information. However, Thele v. Google LLC, a recently filed federal class-action lawsuit, suggests that this may not always be the case.
Filed on November 11, 2025, in the U.S. District Court for the Northern District of California, the complaint alleges that Google enabled Gemini by default across Gmail, Google Chat, and Google Meet without obtaining affirmative, informed consent.
Gemini is Google’s large language model–based artificial intelligence system, developed to generate, summarize, and analyze text and other content across Google products. It is described by Google as a “multimodal” AI, designed to work across different types of inputs such as text, images, and data. Within Google’s communication platforms, Gemini is presented as part of the company’s suite of “Smart Features,” enabling functions such as summarizing emails or conversations, generating suggested responses, and extracting key points from messages or meetings.
The plaintiffs’ central argument in Thele v. Google LLC is that Google unlawfully enabled its Gemini AI system by default, thereby accessing and analyzing the contents of users’ private communications without obtaining knowing, affirmative consent.
According to the complaint, Google previously framed access to “Smart Features” in Gmail, Google Chat, and Google Meet as optional, telling users that “[w]hen you turn this setting on, you agree…” to the associated data use. The plaintiffs allege that around October 10, 2025, Google silently switched this setting on by default for users without providing notice or obtaining renewed consent, while continuing to use opt-in language that falsely suggested that users had affirmatively enabled the feature. As a result, Gemini began operating automatically within users’ accounts unless they independently discovered the setting and turned it off.
The complaint emphasizes that Gemini’s role goes far beyond routine message delivery or spam filtering. The plaintiffs allege that Gemini is capable of reading, storing, analyzing, and synthesizing the full substance of users’ communications - including emails, attachments, chats, and meeting content - in order to generate summaries, inferences, and responses. Because Gemini processes the content of communications rather than metadata alone, the plaintiffs argue that its operation constitutes an interception or use of confidential communications under privacy law.
To illustrate the scope and sensitivity of the information Gemini can derive from users’ communications, the complaint cites a report describing how Google’s AI systems can infer deeply personal details from long-term email histories. One example referenced in the complaint describes Gemini being able to identify information such as a user’s first romantic crush, drawn from years of private correspondence, as evidence of the system’s ability to reconstruct intimate aspects of a person’s life from their communications:
"When I asked about my first crush, Gemini was able to determine that it occurred in elementary school, as well as tell me the name of my first love, how we met, and when. Upon request, Gemini also told me who my top Facebook friends were in 2009 and who my best friend was in 2010. Gemini even explained that one of my character flaws is that I get “too laser-focused on what [I] want, which extracts a toll on [my] relationships, much like Drake from the Uncharted game.” And, yes, that’s one of my favorite game franchises, which apparently Gemini knows, too. (Alma Whitten, qtd. in Thele v. Google LLC)
The plaintiffs cite this excerpt to emphasize both the breadth of personal information Gemini can access and the breach of privacy that occurs when such analysis is conducted without users’ knowledge. Building on these facts, the plaintiffs argue that Google cannot reasonably rely on consent as a defense, because consent must be knowing and voluntary and thus cannot be inferred from silence or default settings. They contend that turning Gemini on by default, while continuing to describe the feature as something users “turn on,” created a misleading privacy architecture that deprived users of a genuine opportunity to choose whether their communications would be analyzed by AI. In the plaintiffs’ view, this design choice rendered any purported consent invalid.
The complaint further alleges that Google’s conduct violated the California Invasion of Privacy Act, which prohibits the intentional interception or use of confidential communications without the consent of all parties, as well as the Stored Communications Act, California’s Constitutional Right to Privacy, the Computer Data Access and Fraud Act, and the common-law tort of intrusion upon seclusion. Across these claims, the unifying allegation is that Google intentionally accessed communications in a manner that exceeded users’ reasonable expectations and was highly offensive given the personal nature of the information involved.
In response to public attention surrounding the lawsuit and related reporting, Google issued a post on X from the official Gmail account disputing how its use of Gemini has been characterized and emphasizing that it has “not changed anyone’s settings.” The post refuted what they deemed “misleading reports,” noting that Gmail’s “Smart Features” have existed for many years and asserting that it does not use Gmail content to train its Gemini AI model.
This dispute therefore turns on a distinction embedded in many privacy frameworks: the difference between formal disclosure and functional control. Google points to the existence of privacy settings and longstanding “Smart Features” as evidence that users retained agency over how their data was used. The plaintiffs counter that when an AI system capable of analyzing the full contents of private communications is activated by default - without direct notice or an affirmative opt-in - the mere availability of settings does not constitute meaningful control.
This distinction matters because many privacy statutes, including those invoked in Thele v. Google LLC, assume that individuals can meaningfully choose whether to permit access to their private communications. That assumption becomes strained when consent is no longer a decision users actively make, but a condition inferred from their failure to independently discover and disable a background system. The plaintiffs’ argument therefore tests whether existing privacy protections can accommodate technologies that operate continuously and invisibly, or whether those protections depend on a model of user behavior that no longer reflects how modern digital systems function.
The lawsuit also draws on broader evidence of public expectations regarding data control. As the complaint notes, a Pew Research Center study reports that 93 percent of U.S. adults consider it important to control who can access their personal information, and 90 percent believe it is important to control what information is collected about them. These figures are used to support the claim that users reasonably expect privacy settings to function as meaningful barriers to access, not as retroactive escape-hatches once their data has already been mass scanned. When AI analysis of private communications is enabled by default, the plaintiffs argue, those expectations are undermined in practice even if disclosures exist in theory.
Ultimately, Thele v. Google LLC highlights a growing gap between traditional consent-based privacy law and the realities of AI-driven infrastructure. The case presents a narrow but consequential legal question: will developments in the legal field support users’ privacy values, or will we be asked to reevaluate what constitutes digital constitutes as digital privacy in the modern era? If courts accept that consent may be inferred from silence in this context, then privacy protections risk becoming procedural rather than substantive, satisfied by disclosure alone regardless of how systems actually operate. If courts reject that view, the case may signal that default system design itself is subject to privacy scrutiny - especially when it governs access to deeply personal communications.
By Madison Mikayelyan