Photo of Kathryn Cahoy

Kathryn Cahoy

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She specializes in defending clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories for clients in the technology, entertainment, consumer product, and financial services industries. In addition, Kate has substantial experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), and common law and constitutional rights of privacy, among others.

The American Arbitration Association (“AAA”) recently published a set of modified Mass Arbitration Supplementary Rules and a new Consumer Mass Arbitration and Mediation Fee Schedule, both effective January 15, 2024.  The modified rules and fee schedule aim to address the increasingly prevalent tactic of plaintiffs’ firms launching mass arbitration campaigns against defendants with arbitration agreements in their consumer contracts.

The AAA defines a mass arbitration as 25 or more similar demands for arbitrations filed against or on behalf of the same party or related parties where representation of all parties is consistent or coordinated across arbitrations.  The modified rules implement the following key changes:Continue Reading AAA Introduces Rule Changes Tailored for Mass Arbitrations

The District Court for the Northern District of Illinois recently granted in part a motion to dismiss a putative class action complaint asserting wiretapping, Illinois Biometric Information Privacy Act (“BIPA”), and consumer protection claims relating to their eufy home security cameras and video doorbells (the “Eufy Products”).  See Sloan, et al. v. Anker Innovations Ltd., No. 22-CV-7174 (N.D. Ill. Jan. 9, 2024).  Plaintiffs contend in their complaint that the Eufy Products applied a facial recognition program to differentiate images of known and unknown individuals within home security services and purportedly misrepresented data storage and encryption practices for the Eufy Products.Continue Reading Illinois Federal Court Partially Dismisses Wiretapping, BIPA Claims Involving Home Security Products

The Ninth Circuit recently upheld a California district court’s dismissal of a proposed class action against Shopify for lack of personal jurisdiction, cautioning that subjecting web-based platforms to jurisdiction in every forum in which they are accessible would lead to the “eventual demise of all restrictions” on personal jurisdiction.

In Briskin v. Shopify, Inc., 2022 WL 1427324 (N.D. Cal. May 5, 2022), the plaintiff alleged that Shopify, a Canadian-based company that provides online merchants throughout the United States with an e-commerce payment platform, violated California privacy and consumer protection laws by allegedly collecting his sensitive personal information while using a California-based retailer’s website.  The district court in the Northern District of California dismissed the action, finding that it lacked both general and specific personal jurisdiction over Shopify. 

A panel of the Ninth Circuit affirmed the district court’s dismissal of the complaint for lack of personal jurisdiction, holding that Shopify could not be subjected to jurisdiction in California where it did not expressly aim the alleged conduct implicated by the lawsuit toward California.  Briskin v. Shopify, Inc., 2023 WL 8225346 (9th Cir. Nov. 28, 2023).  Briskin confirms the Ninth Circuit’s view that for interactive websites and other web-based services and platforms that operate nationwide, “something more” is needed to satisfy the express aiming requirement for personal jurisdiction.Continue Reading Ninth Circuit Finds No Personal Jurisdiction in California Over Website

A federal district court in the Northern District of California granted a motion to dismiss a putative class action where the plaintiff claimed that the defendant violated the California Invasion of Privacy Act (“CIPA”) § 631 for using a third-party chat feature on its website. The court dismissed the plaintiff’s claim for lack of Article III standing but granted leave to amend.Continue Reading Federal Court Dismisses Chatbot Claim for Lack of Article III Standing Where Plaintiff Could Not Show Concrete Injury

Only one claim survived dismissal in a recent putative class action lawsuit alleging that a pathology laboratory failed to safeguard patient data in a cyberattack.  See Order Granting Motion to Dismiss in Part, Thai v. Molecular Pathology Laboratory Network, Inc., No. 3:22-CV-315-KAC-DCP (E.D. Tenn. Sep. 29, 2023), ECF 38.Continue Reading All but One Claim in Pathology Lab Data Breach Class Action Tossed on Motion to Dismiss

A federal district court in the Northern District of California granted in part a motion to dismiss putative class action claims filed against Western Digital, a hard drive manufacturer whose older devices experienced a cyber-attack, where the plaintiffs alleged that their stored data was deleted but not that it was stolen.  While plaintiffs will be permitted to maintain claims related to the data loss, they lack standing to assert claims based on future data misuse.Continue Reading Federal Court Partially Dismisses Hacked Hard Drive Claims Where Plaintiffs Could Only Show Data Deletion, Not Theft

Last week, the Eleventh Circuit reversed in part and remanded an order certifying a class in a case arising from a data breach of Chili’s restaurants, Green-Cooper v. Brinker International, Inc., No. 21-13146, 2023 WL 4446420 (11th Cir. July 11, 2023).  The opinion clarifies the Eleventh Circuit’s view of when data breaches give rise to Article III standing.Continue Reading Eleventh Circuit Holds Having Payment Information Posted to Dark Web Establishes Standing in Data Breach Case, Remands Class Certification Order

A U.S. district court recently granted in part and denied in part the New York Times’s motion to dismiss claims that its subscription renewal terms violated North Carolina’s little-used Automatic Renewal Statute.  The plaintiff, on behalf of a putative class, claimed that the Times subscription process failed to adequately disclose the automatic renewal and cancellation options as required by the statute.  The court dismissed several of the plaintiff’s claims, but the case was allowed to proceed on allegations that the methodology for canceling was not clearly and conspicuously disclosed, and that the terms of subscription price increases were not provided in the format required by the statute.Continue Reading In a Case of First Impression Under North Carolina’s Automatic Renewal Statute, Judge Dismisses Some Claims but Allows Others to Proceed

Late last year, our colleagues highlighted a wave of class action litigation asserting novel claims under state wiretap laws against website operators that use session replay software and chatbots on consumer websites.  Federal district courts in California have now ruled on the first round of chatbot cases, most brought by a handful of “tester” plaintiffs under the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code §§ 630 et seq., and have nearly uniformly rejected the claims.  These initial favorable rulings should be helpful for defendants facing similar claims.Continue Reading A Closer Look: Courts Reject California Wiretap Claims Based on Website Chat Features

            In Attias v. CareFirst, Inc., 15-cv-00882-CRC (D.D.C. Mar. 28, 2023), the court’s application of TransUnion v. Ramirez, 141 S. Ct. 2190 (2021), reinforced that inclusion of uninjured class members in the class definition can defeat certification.  In CareFirst, Plaintiffs alleged that the data breach that CareFirst, Inc. (“CareFirst”), a health insurance company, suffered in 2014 exposed the plaintiffs to increased risk of fraud and identity theft.  Plaintiffs claimed they had to spend time and money on services such as credit and identity theft monitoring programs.  They sought to represent classes that included all CareFirst customers in certain states whose personal information was impacted by the breach, regardless of whether those customers incurred additional expenses as a result of the breach. Continue Reading D.D.C.’s Application of TransUnion Echoes the Importance of Actual Injury to Class Certification