Class Action Certified in In re Yahoo Mail Litigation for Violations of Stored Communication Act and California’s Invasion of Privacy Act

On May 28, 2015, U.S. District Judge Lucy Koh in the Northern District of California certified a class of email users in a privacy action that claims Yahoo Inc. (“Yahoo”) violated the federal Stored Communications Act (“SCA”) and California’s Invasion of Privacy Act (“CIPA”) through its practice of scanning and analyzing emails of non-Yahoo Mail subscribers in order to display targeted ads to Yahoo Mail subscribers. In re Yahoo Mail Litigation, No. 13-CV-04980-LHK, (N.D. Cal. 2015). Plaintiffs are non-Yahoo Mail subscribers who sent emails to Yahoo Mail subscribers from non-Yahoo email accounts and allege that Yahoo routinely copies and extracts key words from emails and stores this information for later use. Plaintiffs allege that Yahoo’s practices violate § 2702(a)(1) of the SCA, which prohibits, among other items, divulging the contents of a communication without consent and § 631 of CIPA, which prohibits the recording or reading of any type of communication without the prior consent of all parties.

In light of the court’s prior decision in In re Google Inc. Gmail Litigation, No. 13-MD-2430-LHK (N.D. Cal. Mar. 18, 2014) which dealt with a very similar set of facts, the plaintiffs seek injunctive relief under Federal Rule of Civil Procedure 23(b)(2) instead of seeking class-wide damages under Rule 23(b)(3), which among other things, requires a showing of the predominance of common questions of law and fact and ascertainability of the members of the class. The injunctive relief sought would require Yahoo to cease scanning the emails of non-Yahoo Mail subscribers without consent, permanently delete all data Yahoo has collected and stored from non-Yahoo Mail subscribers without consent, and identify all individuals and entities with which Yahoo has shared or sold information or data collected from non-Yahoo Mail subscribers’ emails.

In finding that the plaintiffs satisfy all four requirements under Rule 23(a), the court stated that the numerosity requirement under Rule 23(a)(1) is satisfied because the estimation of potentially hundreds of thousands of class members is not disputed by plaintiffs and Yahoo. The court stated that Rule 23(a)(2)’s commonality element requires just a single common question and does not require that all issues be common. The court also identified common questions to the case, such as when and whether Yahoo intercepts emails and whether the contents are disclosed to third parties. With regard to typicality, the court held that Rule 23(a)(3) requires only that the plaintiffs’ claims are “reasonably co-extensive,” not “substantially identical” with the proposed class members’ claims. Plaintiffs and the proposed class members are subject to the same interception and scanning practices by Yahoo and the court held this was sufficient to satisfy the typicality requirement. The court also found the plaintiffs to be adequate class representatives pursuant to Rule 23(a)(4), and the plaintiffs’ strategic decision to only pursue certification of an injunctive relief class under Rule 23(b)(2) did not affect the plaintiffs’ adequacy to serve as class representatives. Here, the court also pointed out that certification of a Rule 23(b)(2) class does not preclude subsequent individual damages claims by class members.

The District Court held that the ascertainability requirement, an implied preliminary element of class certification, does not apply to Rule 23(b)(2) actions, due to the differences in nature and focus between Rule 23(b)(2) and Rule 23(b)(3) class actions. Rule 23(b)(3) classes require the opportunity to opt out by potential class members and individual notice, which places heightened importance on the clear identification of each potential class member. In contrast, because Rule 23(b)(2) classes are focused on injunctive or declaratory relief that can be granted to all members of the class (or to none of them), the identification of individual class members are less critical than in a Rule 23(b)(3) action.

The court also held that the proposed class satisfies the requirements of Rule 23(b)(2) by seeking uniform relief from the same interception and scanning processes applied to all emails sent to and from Yahoo Mail subscribers, which, the court also held, was a “pattern or practice that is generally applicable to the class as a whole.” Even if some class members are not injured by the challenged practice or do not want the requested relief, the certification of a class would be appropriate nonetheless, in the Court’s view, because unlike a (b)(3) class, the focus in a (b)(2) class is not on the claims of individual class members, but on whether the defendant engaged in a “common policy.”

In granting a California-only subclass as to plaintiffs’ CIPA claim, the court declined to certify a nationwide class under CIPA, and as a result, claims by nonresidents of California who are part of the class action would be governed by the wiretapping laws of the state where the class members reside. In administering the three-step government interest test, the court found that (i) there are material differences between CIPA and the wiretapping statutes of the other forty-nine states; (ii) the other forty-nine states have an interest in applying their own wiretapping laws; and (iii) the other forty nine states’ interests would be more impaired by the application of California law than would California’s interests by the application of other states’ wiretapping laws.

Michael R. McDonald, a Director in the Gibbons Business & Commercial Litigation Department, authored this post.
Print