The plaintiffs in the In re Google Inc. Gmail Litigation have been thwarted by a roadblock that has hindered other cybersecurity plaintiffs, namely establishing Civil Rule 23(b)(3) predominance at the class certification stage. The plaintiffs allege that Google’s interception of e-mails violates the Electronic Communications Privacy Act of 1985 (the “ECPA” or the “Wiretap Act”) and various state wiretap acts. Consent is a defense to a claim under the Wiretap Act, and the court held that class certification would be inappropriate because individual issues of consent are likely to predominate over any issues common to the class. The bases for that conclusion highlight some of the difficulties in attaining class certification in a data privacy case.
As explained by the Gmail Litigation court, the Wiretap Act’s consent exemption can be based on either express consent or implied-in-fact consent, that is “whether the surrounding circumstances demonstrate that the party whose communications were intercepted knew of such interceptions.” Of course, Google argued that Gmail users had expressly consented based on its Terms of Service and Privacy Policies. While the court said that express consent may be a common question with respect to two of the four proposed classes, individualized inquiries would still be required for at least one class, the “Education Class” whose Google e-mail accounts were set up through a school they were attending, because those class members received vastly different disclosures that varied by educational institution.
TAKE AWAY: The court summed up its analysis by pointing out that with multiple disclosures and sources of disclosures, including the news media, the disclosures “were unlikely to be uniformly viewed by members of the putative Classes.” Determining what disclosures class members had been exposed to and whether the disclosures were sufficient to establish consent presented an “intensely individualized” factual inquiry. These are issues often confronted in data privacy cases.