Jul 62015

Plaintiffs and Privacy in Yahoo Data Privacy Case: Judge Koh Grants Class Certification in California

Marci Rozen and Ariel Atlas
,

On May 26, 2015, Judge Lucy Koh in the Northern District of California granted class certification to plaintiffs in In re Yahoo Mail Litigation, Case No. 13-CV-04980-LHK (N.D. Cal. May 26, 2015) (“Yahoo”). This ruling will likely have an effect on how class action claims are alleged and could impact email providers’ policies and procedures pertaining to email scanning and user consent.  In particular, companies may wish to review the impact of their privacy disclosures and consent framework to non-subscribers who may interact with users who have consented to the companies’ policies.

The Yahoo Decision

The plaintiffs in Yahoo are four individuals representing a class that did not use Yahoo Mail but had sent emails to Yahoo subscribers from non-Yahoo email addresses. The plaintiffs brought claims under the Stored Communications Act (SCA) and California’s Invasion of Privacy Act (CIPA) alleging that Yahoo intercepts, scans, and stores the content of emails sent to Yahoo users from non-Yahoo subscribers. According to plaintiffs, once an email has been intercepted, Yahoo then copies the email, extracts information, and uses that information to create targeted advertising for its subscribers, all in violation of the SCA and CIPA. Plaintiffs sought only injunctive and declaratory relief under Federal Rule 23(b)(2).

Judge Koh certified a nationwide class of non-subscriber plaintiffs who have sent or received emails from a subscriber to bring the SCA claim, and a California-only class of similar individuals to bring the CIPA claim. Plaintiffs claim that over one million non-Yahoo Mail subscribers will make up the class. The court, however, did refuse plaintiffs’ request to certify a nationwide class for the CIPA claims, agreeing with Yahoo that “the home states of non-California class members have a significant interest in applying their own wiretapping laws.”

Judge Koh found that plaintiffs had satisfied the many requirements for class certification. The plaintiffs had standing because they were able to allege an injury-in-fact—that Yahoo “wrongfully intercepted, disclosed, and used Plaintiff’s electronic communications.”  Yahoo had argued that by continuing to send emails to Yahoo subscribers after they had learned of Yahoo’s data mining practices, plaintiffs had consented to Yahoo’s policies. The court rejected this argument, finding that the logic would put plaintiffs in a “catch-22” because they must demonstrate a threat of future injury (from continuing to send emails to Yahoo users) to pursue injunctive relief. Therefore, the court concluded that plaintiffs properly filed suit upon discovering this conduct and will continue to send such emails, thus establishing threat of future injury.

Plaintiffs were also able to satisfy all four of the requirements for class certification under Federal Rule 23(a), including numerosity, commonality, typicality, and adequacy. Plaintiffs successfully argued that that the class is cohesive and that injunctive relief will benefit it as a whole. Yahoo argued that the class members must be more easily identifiable, but Judge Koh, deciding an issue of first impression in the circuit, found that such a showing should not be required at the pleading stage for this type of relief.

Why Certification Now?

The Yahoo ruling stands in stark contrast to Judge Koh’s ruling almost one year ago in a similar data privacy case, In re Google Inc. Gmail Litigation, Case No. 13-MD-02430-LHK (N.D. Cal. Mar. 18, 2014).  Judge Koh distinguished Yahoo from her ruling in Gmail on several grounds. The biggest difference in the two cases appears to be the injunctive-only relief that plaintiffs sought, which lowered the requirements at the pleading stage for a successful grant of certification.

The Gmail plaintiffs looked to certify a larger class than the Yahoo plaintiffs, one consisting of both Gmail and non-Gmail subscribers. Because the Gmail plaintiffs received varying privacy disclosures, determining whether a subscriber consented to Gmail policies (one of Google’s defenses) would require an individualized analysis and would “overwhelmingly predominate over common issues.”

While Yahoo made a similar argument, the lower pleading standard of Rule 23(b)(2) for injunctive relief made the plaintiffs’ allegations sufficient. Koh noted that the Yahoo plaintiffs, in light of the Gmail decision, “made the strategic decision to seek certification only under Rule 23(b)(2), which does not require common questions to predominate over individual issues.” Thus the decisions turned on different questions of law and led to different results.  The court also noted that the class “ascertainability” requirement does not apply in the 23(b)(2) context.

Implications of the Decision

Judge Koh’s decision in Yahoo is significant because it is one of just a handful of class actions that have been certified in connection with allegations of internet privacy violations. Courts most often have found that broad privacy policies and terms of use preclude claims under the SCA, ECPA and similar statutes, because plaintiffs consent to such policies through their use of the site or service in question. Going forward, however, plaintiffs may be encouraged to eschew damages and bring actions under Rule 23(b)(2) in the hopes that they can satisfy the rule’s lower pleading standards and survive a motion to dismiss, thus making it more likely that they can extract a settlement from a defendant. Although it is by no means clear that the court would rule in favor on the merits of plaintiffs’ claims in Yahoo, as free email services depend on email scanning to both generate revenue and protect its networks, online service providers may seek to bolster their notice and consent mechanisms – including notice to non-subscribers – to enhance defenses against future suits.

Marci Rozen

mrozen@sidley.com

Ariel Atlas

New York

aatlas@sidley.com

You might also like
Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1

Illinois Supreme Court Clarifies Statute of Limitations for Illinois Biometric Privacy Act Claims: Five Years

Last week, the Illinois Supreme Court held that a five-year statute of limitations applies to all claims under the Illinois Biometric Privacy Act (BIPA), further expanding the already broad scope and application of the Illinois statute.1

Digital Health Transformation: A Practical Guide for Life Sciences Companies

In 2022, many if not most pharmaceutical, medical device, and other life sciences companies established strategies to innovate digital health technology complementary to their existing strategic focus. The digital transformation of the life sciences industry is still widely unfolding across the marketplace. In 2023 and beyond, the race is on to launch the next generation of digital health technologies to innovate the delivery of therapies to patients.