In most consumer fraud and other class actions, the decisive point in the litigation is often the class certification battle, where the stakes are high as the costs to a company in terms of money and reputation are on the line. Before ever getting to the class certification stage, defendants typically try to knock the claims of the named plaintiffs out on standing grounds or for failure to state claim. Data breach class actions are no different, except that most data breach class actions have never reached the class certification stage because defendants have been extraordinarily successful in getting cases dismissed from the start on standing grounds. Significantly, in Gaos v. Google Inc., Case No.: 5:10-CV-4809 EJD, a recent decision from the United States District Court for the Northern District of California, the court dismissed the named plaintiff’s common law claims for failing to allege an Article III “injury in fact,” but allowed her claims under the Stored Communications Act (“SCA”) to survive, holding that “a violation of the SCA itself is injury sufficient to allege an SCA claim.”
In Gaos, the named plaintiff alleged that Google “intentionally included the search terms in the URL of the search results page…As a result…, when a user of Defendant’s search service clicks on a link from Defendant’s search results page, the owner of the website that the user clicks on will receive the user’s search terms…” The First Amended Complaint further alleged that the user’s identity could then be discerned through the process of “reidentification,” whereby the terms of the searches can be linked with the user through the user’s IP address, for example, which may be released with the clicked link. Plaintiff thus alleged that she had “suffered actual harm in the form of Google’s unauthorized and unlawful dissemination of Plaintiff’s search queries, which contained sensitive personal information, to third parties.”
Plaintiff sued on a host of common law claims, including fraud claims, and under the SCA. As to the common law claims, the court held that the named plaintiff failed to adequately plead Article III standing, as she failed to identify how she had been injured as a result of the alleged dissemination of her personal information. However, as to the SCA, the court held that “the SCA provides a right to judicial relief based only on a violation of the statute without additional injury.” The court further found that Gaos had alleged a particularized injury under the SCA because she had alleged that her search information was transmitted by Google to third parties.
Does the court’s holding mean that data breach cases brought under the SCA or similar statutes will reach the class certification stage? Not necessarily. As in any case, standing alone is not sufficient for a plaintiff to proceed – the plaintiff must also state a claim. Here, while Google had not challenged Gaos’ ability to state a claim under the SCA, the court noted that in the Facebook litigation, the plaintiffs were held to have Article III standing under the Wiretap Act, but failed to state a claim under that Act. It thus remains to be seen whether claims under the SCA will become ripe for the class certification battle in this and other cases.