The recent Fourth Circuit decision denying class certification in the long drawn-out Marriott data breach litigation underscores the enforceability of class action waiver provisions in customer contracts.

Background

In 2018, Marriott announced that hackers had accessed the guest reservation database of its Starwood hotel chain. The breach affected 133.7 million guest records, including members of the Starwood Preferred Guest Program (SPG Program). Putative class actions were filed around the country by plaintiffs who asserted myriad contract, tort, and statutory claims against Marriott for failing to adequately safeguard their personal information. These cases were consolidated into a multi-district litigation (MDL¹) proceeding in Maryland federal court.

Procedural History

One of the key issues on appeal was whether the district court properly certified various classes in the litigation. Marriott opposed class certification by relying in part on a class action waiver provision in the SPG Contracts requiring that disputes “arising out of or related to” the SPG Program or Contract “be handled individually without any class action.”

Denial of Class Certification
The district court initially declined to consider the class action waiver provision in the SPG Contracts on the basis that this issue should be addressed at the merits stage of the litigation. The district court further indicated, in a footnote, that Marriott might have waived this defense by merely raising it as a boilerplate, affirmative defense as opposed to a separate motion. The district court proceeded to certify multiple state-specific damages classes against Marriott on the plaintiffs’ contract and consumer protection claims.

Initial Appeal and Remand (Marriott I)
In an initial appeal in the Marriott MDL proceeding, the Fourth Circuit held that the district court erred by failing to consider the impact of the class action waiver provision in the SPG Contracts prior to certifying class action claims against Marriott.²,³ The Fourth Circuit also questioned the district court’s suggestion that Marriott had waived this defense. Accordingly, the Fourth Circuit remanded the case to the district court to reconsider its ruling on class certification.

On remand, the district court concluded that Marriot had waived the class action waiver defense in the SPG Contracts by agreeing to the pre-trial consolidation of the data breach cases in an MDL proceeding in Maryland. The district court also opined that Marriott acted in a manner inconsistent with the SPG Contract terms, which included New York choice of law and venue provisions. Separately, the district court suggested that class action waiver provisions conflict with Federal Rule of Civil Procedure 23 (Rule 23) governing class actions. As such, the district court recertified the class claims against Marriott, which Marriott appealed. 

Second Appeal Denying Class Certification (Marriott II)
On June 3, 2025, the Fourth Circuit issued a published decision reversing the district court’s ruling and decertifying the claims against Marriott. In so ruling, the Fourth Circuit made the following key findings.

First, the Fourth Circuit rejected the district court’s decision that Marriott had “waived” its defense based on the class action waiver provisions in the SPG Contracts. As a procedural matter, the Fourt Circuit observed that Marriott properly invoked its class waiver defense in its motion to dismiss and in its answer, and in opposing class certification.

Second, the Fourth Circuit disagreed with the district court’s ruling that Marriott had somehow waived the defense simply by agreeing to participate in an MDL proceeding. The Fourth Circuit noted that “[p]arties in an MDL do not act in a representative capacity, and pretrial MDL consolidation does not strip cases of their ‘individual’ nature."⁴The Fourth Circuit also observed that it was not aware of any other court holding that a defendant participating in an MDL proceeding automatically waived its right to rely on a contractual class action waiver defense.⁵

Third, the Fourth Circuit rejected the district court’s position that by agreeing to an MDL proceeding in Maryland, Marriott acted inconsistently with the New York choice of law and venue provisions in the SPG Contracts. The Fourth Circuit pointed out that venue questions are typically resolved after the conclusion of pretrial MDL proceedings. Moreover, Marriott and the other parties “jointly and expressly reserved all choice-of-law arguments.”⁶

Fourth, the Fourth Circuit disagreed with the district court’s suggestion that the class action waiver provision in the SPG Contracts was invalid and unenforceable because it conflicted with Rule 23’s class action provision. “The Supreme Court made clear in 2013 that parties may indeed waive class-action litigation by contract."⁷ Accordingly, “[c]ourts now routinely enforce contractual class-action waivers.”⁸

Finally, the Fourth Circuit opined that the broad language of the class action waiver provision in the SPG Contracts was not limited to plaintiffs’ contract claims – but also applied to plaintiffs’ consumer protection and negligence claims. The waiver language applied to “[a]ny disputes arising out of or related to the SPG Program.”

The Fourth Circuit noted that the SPG Program was at the crux of all of plaintiffs’ claims: 

That is the program under which the plaintiffs’ provided the information at the heart of all of their claims; the personal data that Marriott … allegedly failed to properly safeguard comes from the plaintiffs’ SPG Program accounts. It is also the program under which the plaintiffs – to obtain the benefits of program membership – made the hotel reservations for which the allege they overpaid. We think that is enough to bring their claims under the broad umbrella of the class waiver’s ‘arising under or related to’ clause.

In summary, the Fourth Circuit held that the waiver of class litigation provision in the SPG Contracts was valid and enforceable, it broadly applied to all of plaintiffs’ claims, and Marriott did not waive this defense.

Conclusion

As more companies become victims of sophisticated cyber-attacks, it is common for them to be extorted twice – first by the cybercriminals and second by the plaintiffs’ class action bar, which routinely files data breach class actions with the expectation of receiving sizeable fee awards. The Fourth Circuit’s recent decision in Marriott II underscores the enforceability of class action waiver provisions in contracts as a strong defense to discourage plaintiffs from filing putative class actions on the heels of a data breach. 
_________________________________________________________________________________________

^{1 Maldini, et al. v. Marriott International, Inc., Docket No. 24-1064 in the U.S. Court of Appeals for the Fourth Circuit (Marriott II) (decided June 3, 2025).}

^{2 See In re Marriott Int’l., Inc. Customer Data Sec. Breach Lit., 78 F.4th 677 (4th Cir. 2023) (Marriott I).}

^{3 See Marriott II, p. 15 (internal citations omitted).}

^{4 Id. at pp. 15-16.}

^{5 Id. at p. 17.}

^{6 Id. at pp.18-19}

^{7 Id. at p. 19}

^{8 Id. at p. 23.}