On August 18, 2023, the Fourth Circuit decertified approximately 20 million putative class action claims arising out of a 2018 data breach involving Marriott Hotels. See here. The Fourth Circuit reversed the district court’s certification and required it to consider in the first instance whether all of the putative plaintiffs waived their claims by signing class action waivers when they registered to be part of the Starwood Preferred Guest Program (“SPG”). The SPG waiver specifically stated that “Any disputes arising out of or related to the SPG Program or the[] SPG Program Terms will be handled individually without any class action ….”Continue Reading Fourth Circuit Decision Highlights Class Action Waivers for Data Breaches are Alive and Well

Companies facing class action litigation stemming from Illinois’ Biometric Privacy Act, 740 ILCS 14/1 et seq. (BIPA), will not get conclusive guidance from the U.S. Supreme Court on the issue of Article III standing. Despite the substantial increase in BIPA class actions filed between 2018 and 2019, and amici briefs imploring the Supreme Court to review a Ninth Circuit holding for one such case, the high court declined to weigh in and denied certiorari. As a result, questions persist as to whether class action plaintiffs bringing BIPA claims in federal court have Article III standing due to continued inconsistent treatment within the Ninth Circuit and elsewhere regarding what constitutes real, concrete and particularized injury in cases relating to intangible harms. Therefore, companies with Illinois employees or consumers will continue to face uncertainty, and plaintiffs may aggressively shop for favorable fora (including California) to bring such cases.
Continue Reading Uncertainty persists in biometric litigation

In a decision that may give genetic testing companies reason to breathe a sigh of relief, the U.S. Court of Appeals for the Ninth Circuit affirmed on August 21 the denial of a class certification bid by consumers suing under Alaska’s Genetic Privacy Act (the Act). In Cole v. Gene by Gene, Ltd., Plaintiff sought to represent a class of individuals alleging that Gene by Gene, Ltd. (Gene by Gene) violated Alaska Stat. Ann. § 18.13.010(a)(1) by disclosing customer DNA results and information without informed, written consent. According to the Ninth Circuit, the U.S. District Court for the District of Alaska did not abuse its discretion in finding that Plaintiff failed to show that common questions predominated over any questions affecting only individual members of the proposed classes, and that a class action was not superior to other methods of resolution. Thus, Plaintiff could not satisfy Fed. R. Civ. P. 23(b), and the litigation was not suitable for class treatment.

Plaintiff brought suit alleging that when consumers return DNA testing kits provided by Gene by Gene, the company not only permits consumers to view the results of its analysis, but also publishes the results of the DNA testing on publicly available websites – unbeknown to consumers. According to Plaintiff, this disclosure without consumer permission “carries serious and irreversibly privacy risks” and violates the Act. In his class certification motion, Plaintiff emphasized issues he claimed were common to all class members, such as whether consent was provided and whether the disclosure of information was for profit. Additionally, Plaintiff pointed out that the process for genetic information collection was the same, and the same types of genetic information were disclosed for each consumer.Continue Reading Ninth Circuit affirms class certification denial in genetic information privacy case

In data breach class actions, standing is often the major obstacle, and has taken on renewed focus following the U.S. Supreme Court’s ruling in Spokeo v. Robins, 136 S. Ct. 1540 (May 24, 2016). See, e.g., Federal Court Finds Intangible Harm Caused by Robocalls Sufficient for Post-Spokeo Standing in TCPA Claim Alleging Privacy Invasion, Technology Law Dispatch (July 6, 2016); Wisconsin Federal Court Finds Spokeo Spells the End for Consumer Privacy Class Action, Technology Law Dispatch (June 21, 2016).  However, as a recent decision from the U.S. District Court for the Northern District of Illinois indicates, prevailing on standing is just one battle, but is far from winning the war.  Earlier this week, Barnes & Noble escaped a data breach class action after the court found plaintiffs cleared the standing hurdle but could not survive the retailer’s motion to dismiss because of a lack of out-of-pocket damages.
Continue Reading Despite Plaintiffs Satisfying Standing Requirements, Barnes & Noble Closes the Book on Data Breach Class Action

This post was also written by Joshua B. Marker.

California legislators have proposed revisions to the Shine the Light Act, which we first wrote about here. Under pending legislation, the Shine the Light Act would be renamed the “Right to Know Act of 2013,” with significantly expanded reach and requirements. If the proposed amendment