Gmail Data Privacy Class Done In By Predominance
The plaintiffs in the In re Google Inc. Gmail Litigation have been thwarted by a roadblock that has hindered other cybersecurity plaintiffs, namely establishing Civil Rule 23(b)(3) predominance at the class certification stage. The plaintiffs allege that Google’s interception of e-mails violates the Electronic Communications Privacy Act of 1985 (the “ECPA” or the “Wiretap Act”) and various state wiretap acts. Consent is a defense to a claim under the Wiretap Act, and the court held that class certification would be inappropriate because individual issues of consent are likely to predominate over any issues common to the class. The bases for that conclusion highlight some of the difficulties in attaining class certification in a data privacy case.
As explained by the Gmail Litigation court, the Wiretap Act’s consent exemption can be based on either express consent or implied-in-fact consent, that is “whether the surrounding circumstances demonstrate that the party whose communications were intercepted knew of such interceptions.” Of course, Google argued that Gmail users had expressly consented based on its Terms of Service and Privacy Policies. While the court said that express consent may be a common question with respect to two of the four proposed classes, individualized inquiries would still be required for at least one class, the “Education Class” whose Google e-mail accounts were set up through a school they were attending, because those class members received vastly different disclosures that varied by educational institution.
But even if express consent could be decided on a class-wide basis, the court would still need to examine implied consent, and the court said implied consent is an intensely factual question. The court agreed with Google that in addition to Google’s own disclosures, implied consent could be based on “a broad swath of evidence,” including third-party disclosures and news articles. Exemplifying how broad that swath of evidence is, the court cited a New York Times article comparing Microsoft’s privacy policy to Google’s treatment of e-mails sent through the Gmail system. While the court noted that the diversity of Google’s disclosures and whether the class members had viewed those disclosures presented their own individualized issues, the third-party disclosures and news articles seem particularly important to the court’s decision because it allowed implied consent to apply to non-Gmail users thereby preventing class certification for claims under state wiretap acts that require consent by both parties to the communication.
TAKE AWAY: The court summed up its analysis by pointing out that with multiple disclosures and sources of disclosures, including the news media, the disclosures “were unlikely to be uniformly viewed by members of the putative Classes.” Determining what disclosures class members had been exposed to and whether the disclosures were sufficient to establish consent presented an “intensely individualized” factual inquiry. These are issues often confronted in data privacy cases.
In This Article
You May Also Like
Is It Still CMMC 2.0? DoD Clarifies the Forthcoming Cybersecurity Standard New Illinois Law Restricts Use of AI in Employment Practices