Last Tuesday, District Judge Lucy Koh of the Northern District of California partially granted the plaintiffs’ motion for class certification in In re Yahoo Mail Litig., allowing the plaintiffs to pursue their claims for injunctive relief on behalf of class members under the Stored Communications Act (“SCA”) and California’s Invasion of Privacy Act (“CIPA”).  The plaintiffs, none of whom has a Yahoo email account, originally filed suit alleging that Yahoo scanned emails they exchanged with other individuals’ Yahoo email addresses and used the results for advertising purposes.  Last August, Judge Koh partially granted Yahoo’s motion to dismiss, eliminating the plaintiff’s claims under the Wiretap Act and the California Constitution but allowing the SCA and CIPA claims to proceed.

In response to the class certification motion, Yahoo argued that the plaintiffs did not have standing to pursue their claims under Article III, since the plaintiffs consented to Yahoo’s practices by continuing to exchange email messages with Yahoo email users despite knowledge of Yahoo’s alleged scanning practices.  The court, however, rejected this argument as “overly narrow.”  Under Yahoo’s argument, Judge Koh stated, the plaintiffs would have to cease exchanging emails with Yahoo users to avoid consenting to Yahoo’s conduct, but would still have to show a real and immediate threat of future injury in order to demonstrate Article III standing by alleging that they intended to continue emailing Yahoo users.  Rather than subject plaintiffs to an “impossible” choice that would “artificially preclude” injunctive relief, the court concluded that plaintiffs demonstrated sufficient Article III standing by alleging both past and intended future exchange of emails with Yahoo users.

In light of Judge Koh’s recent decision in In re Gmail Litig., denying certification of a class seeking money damages under Rule 23(b)(3)’s predominance requirement, the plaintiffs in Yahoo had moved for only class-wide injunctive relief under Rule 23(b)(2).  Yahoo cited Gmail for the argument that the plaintiffs’ class could not satisfy Rule 23(a)’s commonality requirement due to variations in how individual class members may have consented to Yahoo’s practices, but the court considered Gmail inapplicable to commonality determinations.  Instead, the court held that plaintiffs satisfied the requirement by identifying several common questions of law and fact, including how Yahoo allegedly intercepts and scans email messages between Yahoo users and non-Yahoo users.  Yahoo also argued that the plaintiffs could not adequately represent class members’ interests after choosing not to pursue statutory damages claims available under the SCA and CIPA.  The court rejected this argument, concluding that there is no bar to plaintiffs seeking money damages in another lawsuit, though Judge Koh’s decision in In re Gmail Litig. would presumably be a roadblock to class certification of any such “damages” lawsuit.

Finally, the court found that the plaintiffs satisfied the requirements of Rule 23(b)(2) by alleging that Yahoo utilized a uniform scanning policy for its users’ emails.  However, the court refused the plaintiffs’ request to certify a nationwide class for their CIPA claims, agreeing with Yahoo that other states’ interests in applying their own wiretap laws to the claims at issue rendered certification of a nationwide class for these claims inappropriate.  Instead, the court certified a nationwide class for the plaintiffs’ SCA claims and a class of California residents for the plaintiffs’ CIPA claims.

Tags: Advertising, California, Class Action, Litigation
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less