Last Tuesday, District Judge Lucy Koh of the Northern District of California partially granted the plaintiffs’ motion for class certification in In re Yahoo Mail Litig., allowing the plaintiffs to pursue their claims for injunctive relief on behalf of class members under the Stored Communications Act (“SCA”) and California’s Invasion of Privacy Act (“CIPA”).  The plaintiffs, none of whom has a Yahoo email account, originally filed suit alleging that Yahoo scanned emails they exchanged with other individuals’ Yahoo email addresses and used the results for advertising purposes.  Last August, Judge Koh partially granted Yahoo’s motion to dismiss, eliminating the plaintiff’s claims under the Wiretap Act and the California Constitution but allowing the SCA and CIPA claims to proceed.

In response to the class certification motion, Yahoo argued that the plaintiffs did not have standing to pursue their claims under Article III, since the plaintiffs consented to Yahoo’s practices by continuing to exchange email messages with Yahoo email users despite knowledge of Yahoo’s alleged scanning practices.  The court, however, rejected this argument as “overly narrow.”  Under Yahoo’s argument, Judge Koh stated, the plaintiffs would have to cease exchanging emails with Yahoo users to avoid consenting to Yahoo’s conduct, but would still have to show a real and immediate threat of future injury in order to demonstrate Article III standing by alleging that they intended to continue emailing Yahoo users.  Rather than subject plaintiffs to an “impossible” choice that would “artificially preclude” injunctive relief, the court concluded that plaintiffs demonstrated sufficient Article III standing by alleging both past and intended future exchange of emails with Yahoo users.

In light of Judge Koh’s recent decision in In re Gmail Litig., denying certification of a class seeking money damages under Rule 23(b)(3)’s predominance requirement, the plaintiffs in Yahoo had moved for only class-wide injunctive relief under Rule 23(b)(2).  Yahoo cited Gmail for the argument that the plaintiffs’ class could not satisfy Rule 23(a)’s commonality requirement due to variations in how individual class members may have consented to Yahoo’s practices, but the court considered Gmail inapplicable to commonality determinations.  Instead, the court held that plaintiffs satisfied the requirement by identifying several common questions of law and fact, including how Yahoo allegedly intercepts and scans email messages between Yahoo users and non-Yahoo users.  Yahoo also argued that the plaintiffs could not adequately represent class members’ interests after choosing not to pursue statutory damages claims available under the SCA and CIPA.  The court rejected this argument, concluding that there is no bar to plaintiffs seeking money damages in another lawsuit, though Judge Koh’s decision in In re Gmail Litig. would presumably be a roadblock to class certification of any such “damages” lawsuit.

Finally, the court found that the plaintiffs satisfied the requirements of Rule 23(b)(2) by alleging that Yahoo utilized a uniform scanning policy for its users’ emails.  However, the court refused the plaintiffs’ request to certify a nationwide class for their CIPA claims, agreeing with Yahoo that other states’ interests in applying their own wiretap laws to the claims at issue rendered certification of a nationwide class for these claims inappropriate.  Instead, the court certified a nationwide class for the plaintiffs’ SCA claims and a class of California residents for the plaintiffs’ CIPA claims.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.