Overview of Commonwealth v. Kurtz

On December 16, 2025, the Pennsylvania Supreme Court held that individuals do not have a reasonable expectation of privacy in general, unprotected Google search records. Commonwealth v. Kurtz, No. 98 MAP 2023 (Pa. Dec. 16, 2025). In this criminal case, law enforcement obtained a so-called “reverse keyword search warrant” from Google for records of searches of a victim’s name and address made the week prior to an alleged assault. A reverse keyword search warrant is a tool that allows law enforcement to ask a technology provider like Google to identify all users who searched for specific terms or phrases during a defined time frame. In this case, the resulting data tied a particular search to the defendant’s IP address. The majority held that entering a query into Google “voluntarily turns over [the contents of the search] to third parties” and therefore negates any constitutionally recognized privacy interest in those search records.

While law enforcement in this case did obtain a warrant, the bulk of the decision focuses on whether any privacy protection would apply even if there were no warrant. This finding may have broad implications well beyond the criminal context.

What the Majority Decision Means

The Kurtz majority held that when users enter search terms into Google or similar search engines without using additional privacy protections, Pennsylvania law treats those search queries as information that users knowingly and voluntarily share with a third party (the search provider). Because of this voluntary exposure, the Court found that individuals do not have a reasonable expectation of privacy in that search data, meaning law enforcement can generally access it provided there is some form of legal process or enforceable request, though not necessarily a warrant.

The majority decision is grounded in the fact that Google’s privacy notice and online disclosures make it explicit that data from general searches will be collected and can be provided to law enforcement when “reasonably necessary to… meet any applicable law, regulation, legal process or enforceable request.” This “express warning” from Google to its users was sufficient for the majority to find that there is no recognized privacy right in such search term data.

Notably, the ruling does not mean that law enforcement can access search data without any process whatsoever. Rather, that process does not have to clear the same privacy bar or warrant standard as communications or data for which users do maintain a recognized privacy interest, including password-protected accounts or encrypted searches. In fact, the Court explicitly carved out potential expectations of privacy for users who take affirmative steps to shield searches, such as by using password-protected accounts, a VPN, or private browsing tools, stating that “this case is limited to general, unprotected internet use.”

The Dissent’s Perspective: Privacy in Search Is Fundamental

Not all judges agreed with the majority opinion. The dissenting opinion called this reasoning “divorced from reality and blind to the societal benefits flowing from ready access to infinite amounts of information available [through the internet],” emphasizing that search engines are now vital for daily life. It asserted that conglomerated internet search history “provides a virtual current biography of the user,” containing information about health, beliefs, and intent, and thus deserves robust privacy protection, paralleling banking and phone records under Pennsylvania’s constitution and statutes. The dissent also pointed to state law, including the Pennsylvania Wiretap Act, that generally recognizes a warrant requirement for access to stored electronic communications.

What Businesses Should Know

Although this decision may allow broader law enforcement access to ordinary internet search data in Pennsylvania, other jurisdictions, notably California, treat search data as subject to far stronger privacy rights. California’s Invasion of Privacy Act (CIPA) and California Consumer Privacy Act (CCPA) regulations place strict requirements on data sharing, including with government entities. These regulations require businesses to provide clear transparency, opt-outs, and minimization around data use.

Businesses often operate across multiple states, so they should be aware of different state approaches to what constitutes a reasonable expectation of privacy. For example, California’s approach is different: both the CIPA and CCPA treat internet search data as sensitive. Though courts are split in the CIPA context on whether internet search history is subject to an expectation of privacy, at least some have found that “users [have a reasonable expectation of privacy] over URLs that disclose… unique search terms.” See, e.g., Brown v. Google LLC, No. 4:20-cv-3664-YGR, 2023 WL 5029899, at *20 (N.D. Cal. Aug. 7, 2023). Additionally, under the CCPA, personal information is any information that identifies or is reasonably capable of being associated with a consumer, and the term explicitly includes internet browsing and search history. As a result, businesses operating in California should publish clear privacy disclosures and restrict law enforcement access absent valid legal process. Given the different approaches, companies that do business nationally must carefully review and follow all applicable state laws.

The Kurtz decision leans on the presumption that users are aware of, and agree to, broad data collection and sharing practices through privacy policies. Considering this underlying reasoning, businesses should give explicit, accurate notice about search data collection, disclosure, and potential law enforcement access in their privacy notices. Privacy notices should be kept current through annual reviews, and businesses should notify users of material changes to any privacy practices. Pennsylvania does not currently have in place a comprehensive state consumer privacy law, but 20 states do. In many of these states, companies may not collect, use, or share more personal information than is necessary for the disclosed business purpose. In turn, businesses should also maintain documentation of justifications for data collection and retention, including data from search queries.

If your business offers search or browsing tools, you might consider enabling or encouraging privacy-protective features, such as incognito modes, VPN integration, and options to delete search history. Even where courts might find no legal privacy interest, regulators and consumers may still expect companies to make privacy features prominent.

The Kurtz decision is yet another reminder that the patchwork of U.S. privacy law is tilting in different directions. Still, consumer and regulatory expectations continue to rise. Future challenges to this finding, both in court and at the ballot box, are likely. Monitoring state and federal trends, updating policies and training, and centering privacy in design and operations should remain top priorities for every company processing user search data.