- Harm. First, can the plaintiffs establish a claim by asserting they were harmed as a result of the defendant’s actions (or in many cases, inaction) in either the ineffective safeguarding or the unauthorized use of plaintiffs’ personal information? For example, did they suffer financial loss as a direct result of the defendant’s failure to safeguard their information in a data breach? Or, was their identity stolen as a direct result of the defendant’s disclosing information to a disreputable business or hacker posing as a business?
- Class. Second, is there a class of individuals that suffered the same harm resulting from the same failure by the defendant? To be sure, class building or “certification” is not unique to privacy cases, but because of the size of data breaches, such as the Target breach of 2013, it is often used to do several things, including increase judicial efficiency, enable many plaintiffs with small losses to share the costs and potentially collect larger damages, or bring attention to a company’s behavior that would not normally occur through smaller individual suits.
So far this year, we have seen a lot of activity on both fronts, which makes the challenge of anticipating success in either an individual claim or establishing or challenging a class even more difficult.
Hulu. We saw both of these issues in play in an attempted class action against Hulu, the online provider of television programming. Four plaintiffs initially alleged that Hulu violated the Video Privacy Protection Action (“VPPA”) by engaging third parties to perform web analytics on Hulu’s website. These providers, such as Google Analytics, provide such analytics by tagging users—using web beacons or cookies—to track customer behavior on Hulu’s website as well as third-party sites. The essence of their claims was the question of whether the technology constitutes a VPPA violation by disclosing users’ viewing habits without their consent. The judge, in denying summary judgment for Hulu allowed the question to stand as to whether personally identifiable information now includes context specific data, such as what is disclosed and to whom. (Now, anyone familiar with indirect or “quasi” identifiers would think this question long resolved, but the court shall consider the question here).
In addition to their claims against Hulu for violating the VPPA, plaintiffs were seeking to certify a class-action case. In June of this year, the court denied the plaintiffs’ putative class-action lawsuit, without prejudice. However, the case continues on the behalf of the initial four plaintiffs. We still would expect a refiling by the plaintiffs in an attempt to re-establish class by another means.
LinkedIn. In June a federal judge said a case against LinkedIn may be established by customers that claim the company violated their privacy by accessing their external e-mail accounts, downloading their contacts’ e-mail addresses and soliciting business from those contacts. The court acknowledged that customers may have consented to the original “endorsement e-mail”, or a message that would be sent on their behalf to recruit their contacts to LinkedIn. However, that consent did not extend to authorize LinkedIn to send two reminder e-mails when the initial e-mail was ignored. The judge stated that such a practice “could injure users’ reputations by allowing contacts to think that the users are the types of people who spam their contacts or are unable to take the hint that their contacts do not want to join their LinkedIn network.” In an interesting dive into other areas of privacy law, the judge said such a practice potentially violated the user’s right of publicity, using their likeness for the company’s commercial purposes. The judge also said claims could be advanced under California’s unfair competition laws.
Charleston Area Medical Center. The West Virginia Supreme Court ruled that plaintiffs would be allowed to proceed with a class action suit over a data breach even without establishing that they had been harmed by the data breach, specifically not showing that their data was misused.
Genesco, Inc., v. Visa. Genesco, a retailer, operates more than 2,400 stores throughout the United States and internationally under various names, including Journeys, Lids and Johnson & Murphy. Visa Inc. operates a retail electronic payments network to facilitate payment between financial institutions and businesses. For a period of one year, from December 2009 to December 2010, hackers accessed Genesco’s computer network, utilizing a packet-sniffing malware that captured unencrypted credit card data at the point of sale (“POS”) as the data was being transmitted to Wells Fargo and Fifth Third for authorization. Genesco’s complaint alleged that because the PCS DSS standards did not require the POS data to be encrypted while being transmitted for authorization, it never actually violated the PCI DSS. Visa moved to dismiss the Unfair Competition Law (“UCL”) and common law claims under California law, arguing that Genesco failed to adequately plead fraud for its UCL claim, that express provisions of Visa’s contracts with the banks precluded Genesco’s common law claims seeking equitable relief and that Genesco couldn’t rely on the contracts between Visa and the banks given the language of the contracts themselves. The court denied Visa’s motion to dismiss, holding that violations of public policy and harm to competition and consumers are actionable under California’s UCL and California common law. The case is currently proceeding.
So what to take from it all? After years of denying privacy claims with no showing of actual harm, it would appear some courts are willing to reconsider that requirement and are evaluating the information at issue differently, as well. What is clear is that courts continue to adjust the standard by which such claims are evaluated and allowed to proceed beyond the motion to dismiss stage. Also, plaintiffs and defendants, alike, are availing themselves of other statutes to advance their privacy interests, such as in the Hulu and Genesco cases, respectively. Plaintiffs are getting the judges’ ears, so businesses would do well to take notice.