In 2023, we discussed the uptick in data privacy and cybersecurity class action lawsuits; as expected, this trend has persisted throughout 2024 as plaintiffs continue to test new theories of liability and the boundaries of constitutional standing. In privacy class actions before the federal courts of the First Circuit, plaintiffs have brought state tort and contract law claims, as well as privacy-specific statutes, in their attack on businesses’ electronic data collection practices. These claims can be separated into two distinct categories: the first is based on electronic data breaches, in which an unauthorized party accesses private information; and the second rests on a theory of digital surveillance, when a user’s online activity is collected and shared with a third party, allegedly without the user’s consent. In the first half of 2024, four motions to dismiss four such class action cases were adjudicated—three in Massachusetts federal district court and one on appeal to the First Circuit. In each of the three cases before the District of Massachusetts, the court denied the motions to dismiss class action privacy claims.
Data Breach Claims Survive Dismissal Despite “Tenuous” Injuries
The District Court of Massachusetts recently considered a motion to dismiss the claims asserted in Weekes v. Cohen Cleary, P.C., which concerns a law firm’s data security practices. Following an electronic data breach that exposed personal client information to hackers, a representative plaintiff brought negligence and contract-based claims for monetary and injunctive relief. The court permitted the negligence claim for damages against the firm to continue, while it dismissed the plaintiffs’ contract-based claims and request for an injunction. In discussing the plaintiffs’ standing to seek monetary relief, the court expressed skepticism about “tenuous” allegations that any actual misuse of personally identifiable information (PII) had occurred but decided the complaint sufficiently pleaded facts to survive the motion to dismiss. The analysis relied heavily on last year’s First Circuit decision in Webb v. Injured Workers Pharmacy, LLC., in which the court held that alleged actual misuse of data acquired in the breach established a cognizable injury, but also concluded that the exposure to material risk of future misuse of highly sensitive information, and the expenditure of productive time to address that risk, can establish Article III standing. In a prior post, we highlighted the potential for Webb to invite plaintiffs to assert claims based on purported exposure to future misuse and alleged mitigation costs based on loose inferences, and the Weekes decision validates that prediction.
VPPA and Wiretap Claims in the Context of Digital Privacy
The remaining three cases concern the alleged non-consensual disclosure of consumers’ PII to third parties, with plaintiffs relying on novel claims under federal video privacy and state wiretap laws. These statutes were enacted before the digital age but have been recently redeployed by plaintiffs in new contexts to assert new theories of class action privacy liability not originally contemplated by these laws. For a more comprehensive discussion of privacy claims commonly asserted by plaintiffs, see our prior alert on this topic.
The District Court of Massachusetts recently considered a motion to dismiss one such case in Saunders v. Hearst Television, Inc., where consumers sued pursuant to the Video Privacy Protection Act (VPPA) the owner of several mobile news applications (apps) for purportedly non-consensually disclosing to a third party its users’ PII along with a record of every video they viewed via the app. While some defendants have successfully dismissed VPPA claims for failing to meet the statutory definition of “video tape service provider,” the Saunders court determined that Hearst’s claim it was not a video tape service provider was “too narrow a reading of the VPPA,” because, although the VPPA was “originally passed in the era of rental video stores, Congress amended the VPPA in 2012” to include “‘on-demand’ cable services and Internet streaming.” On this and other bases, the court denied Hearst’s motion to dismiss in its entirety.
Massachusetts federal courts also grappled with applying state wiretap laws to new digital contexts at the same time the Commonwealth’s highest court is considering the same question. In Doe v. Tenet Healthcare Corporation, plaintiffs sued a healthcare company for purportedly tracking users’ PII and/or protected healthcare information without consent and allegedly transmitting that data to third-parties. The plaintiffs’ claims run the gamut from state negligence and contract law to state statutory consumer protection and privacy law. The District of Massachusetts denied the defendant’s motion to dismiss most of the claims asserted. Of note is the court’s comment on the question of whether analytics software that captures users’ website activity is eavesdropping under the Massachusetts wiretap statute. The District of Massachusetts observed that this very same issue is currently pending before the Massachusetts Supreme Judicial Court (SJC) in Vita v. New England Baptist Hospital, No. SJC-13542, and deferred ruling on the issue until after the SJC’s forthcoming decision. And while the First Circuit had the opportunity to address the potential applicability of Massachusetts’ wiretap laws to website technology in Rosenthal v. Bloomingdales.com, LLC, it dismissed the case on procedural grounds, leaving the SJC poised to decide the question first.
What to Watch for in Pending Privacy Class Action Cases
The resolution of Vita will govern the trajectory of wiretap claims based on website activity and determine how the Commonwealth’s wiretap statute, which was enacted before the advent of the Internet, applies in the digital landscape. Possible future summary judgment and class certification decisions rulings in the three privacy class actions permitted to proceed past the pleading stage before the District of Massachusetts—Cohen Cleary, Hearst Television, Inc., and Tenet Healthcare Corporation—will also have the potential to shape privacy litigation in the First Circuit for years to come.
* * *
Thank you to firm summer associate Jennifer Henning for her contribution to this post.