privacy

An Ohio federal district court recently dismissed for lack of subject matter jurisdiction a class action complaint asserting claims arising from a data breach experienced by defendant Associated Materials, LLC.  See Marlin v. Associated Materials, LLC, 2024 WL 2319115 (N.D. Ohio May 22, 2024).Continue Reading Ohio Federal Court Dismisses Data Breach Lawsuit for Lack of Article III Standing

A federal judge in the Western District of Washington recently dismissed a class action complaint accusing Overlake Hospital Medical Center of unlawfully disclosing the health data of patients who accessed its websites to third parties.  See Nienaber v. Overlake Hosp. Med. Ctr., 2024 WL 2133709 (W.D. Wash. May 13, 2024).  Plaintiff Jacq Nienaber, an Overlake patient, alleged that the hospital shared her private data with Meta and other third parties through the use of the Meta Pixel and Meta’s Conversions Application Programming Interface on its public website and private patient portal. Continue Reading Washington Federal Court Dismisses Privacy Claims Involving Hospital Website

An Illinois federal district court recently dismissed for lack of personal jurisdiction a publicity privacy suit against Geneanet, which the complaint alleges is a French subsidiary of Ancestry.com that owns and operates an interactive genealogy website. See Shebesh v. Geneanet, S.A., No. 23-cv-4195 (N.D. Ill. May 3, 2024). Plaintiff Ethan Shebesh sued on behalf of himself and a putative class under the Illinois Right of Publicity Act, which prevents the use of an individual’s identity for a commercial purpose without the individual’s consent. 765 ILCS 1075/30(a). Shebesh asserted that Geneanet unlawfully used his and the putative class members’ names and other identifying information to advertise and sell premium memberships. Concluding that the plaintiff failed to show that Geneanet intentionally directed its conduct at Illinois, the court granted Geneanet’s motion to dismiss.Continue Reading Illinois Federal Court Dismisses Publicity Privacy Suit Against French Genealogy Site for Lack of Personal Jurisdiction

Courts have recently been grappling with an influx of class actions alleging that company websites are in violation of wiretapping and other privacy laws when using third-party technology to provide services on their websites.  Three different federal courts recently dismissed cases on similar grounds, demonstrating the challenges plaintiffs face with maintaining them and strategies defendants should keep in mind to defeat them. 

Two of the cases accuse healthcare providers of improperly sharing personal health information with third-party technology companies through the use of pixel technologies on the healthcare provider’s website.  In the first case, Doe v. Davita, Inc., plaintiffs accused Davita—a kidney dialysis provider—of violating the California Invasion of Privacy Act (“CIPA”) and other laws by purportedly collecting “patients’ personal and sensitive medical information on the Online Platforms and … improperly shar[ing] [this information] with the Tracking Technologies without patients’ consent.”  2024 WL 1772854, at *2 (S.D. Cal. April 24, 2024).  The court disagreed and dismissed the claims, holding that plaintiffs did “not explain what specific information they provided to Defendant” and calling their claims “conclusory.”  Id.  The complaint, said the court, was “devoid of any facts supporting” plaintiffs’ contentions that Davita disclosed “personal, confidential, and sensitive medical information; medical treatment; and payment information” with the third party.  Id. Continue Reading Lack of Plaintiff-Specific Allegations Dooms California, Pennsylvania Privacy-Based Class Actions

A district court judge in the Northern District of California recently denied class certification in a putative privacy class action against Google and its Real Time Bidding (“RTB”) advertising system. Plaintiffs moved to certify both damages and injunctive relief classes based on allegations that Google shared personal information through its RTB system. The court denied with prejudice certification under Rule 23(b)(3), finding that individual questions about class member’s past consent to—and subjective understanding of—Google’s disclosures would predominate. The district court also denied the proposed injunctive relief class on the grounds that the proposed class definition was “fail-safe” and that plaintiffs had not met their burden to prove that their data was representative of the proposed class, but the court did so with leave to amend and requested further briefing. Plaintiffs subsequently petitioned for leave to appeal the denial to the Ninth Circuit.Continue Reading Affirmative Defense of Consent Leads to 23(b)(3) Class Certification Denial in Google Ad Bidding Privacy Litigation

Plaintiffs appear to be increasingly focused on keeping certain types of class actions, including cases brought under the California Invasion of Privacy Act (CIPA), in California state court, likely seeking to take advantage of less rigorous pleading and class certification requirements.  Some plaintiffs are even bringing individual claims and affirmatively alleging that less than $75,000 is at stake to avoid removal under CAFA or diversity jurisdiction, while purporting to reserve the right to add class allegations at a later stage.  See, e.g., Casillas v. Hanesbrands Inc., 2024 WL 1286188 (C.D. Cal. Mar. 22, 2024) (remanding individual CIPA claim to state court). 

A recent decision in the Central District of California, Doe v. PHE, Inc., 2024 WL 1639149 (C.D. Cal. Apr. 15, 2024), should help defendants seeking to remove putative class actions to federal court under CAFA.Continue Reading A Closer Look: Recent C.D. Cal. Decision Strengthens Defendants’ Arguments for CAFA Removal

Another federal district court has dismissed a putative class action complaint asserting that an online retailer’s chat feature violated the users’ privacy under the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code §§ 630 et seqSee Garcia v. Build.com, Inc., Case No. 22-cv-1985-DMS-KSC (S.D. Cal. Mar. 29, 2024), ECF 37. Continue Reading Federal Court Dismisses Class Action Asserting California Wiretapping Claim Based on Website Chat Feature

Defendants in privacy class action lawsuits increasingly face assertions by plaintiffs and putative class members that they should be awarded statutory penalties that vastly exceed any purported actual damages. A recent decision under the False Claims Act reinforces the constitutional limitations plaintiffs may face in pursuing these outsized awards.

The United States District Court for

A federal judge in the Southern District of California recently granted Hwareh.com’s motion to dismiss a proposed class action claiming that third-party source code on its website unlawfully routed information about consumer information to that third party.  See Zarif v. Hwareh.com, Inc., No. 3:23-cv-00565-BAS-DEB (S.D. Cal.).  The court found that the plaintiff—whose claims included asserted violations of the Federal Wiretap Act, 18 U.S.C. § 2510 et seq., and the California Invasion of Privacy Act, Cal. Pen. Code § 631—failed to establish that the court had personal jurisdiction over Hwareh.com, an online pharmacy.  Hwareh.com is incorporated in Delaware and maintains its principal place of business in Missouri, but the plaintiff alleged that its website was available in California and that it maintained a non-resident pharmacy license in the state.  The court’s decision is the latest in a series of decisions clarifying personal jurisdiction in the context of privacy claims.Continue Reading Federal Court Dismisses Wiretapping Claims Against Pharmacy for Lack of Personal Jurisdiction

In class actions challenging data collection, whether the defendant’s privacy policy disclosed the collection is almost always a key question at the dismissal stage.  In a memorandum decision likely to be useful to defendants, the Ninth Circuit recently affirmed dismissal of claims challenging Google’s collection of data from third-party apps on its Android mobile operating system, holding that Google’s Privacy Policy clearly disclosed the collection.  See Hammerling v. Google LLC, No. 22-17024 (9th Cir. Mar. 5, 2024) (unpublished).Continue Reading Ninth Circuit Affirms Dismissal of Data Privacy Claims Based on Disclosure of Collection in Privacy Policy