First District sees rise in class action lawsuits over data protection

In 2023, we discussed the rise of class action lawsuits related to privacy and cybersecurity. As expected, this trend has continued throughout 2024 as plaintiffs continue to test new theories of liability and the limits of constitutional standing. In privacy class actions in the federal courts of the First Circuit, plaintiffs have asserted claims under state tort and contract law, as well as privacy-specific statutes, in their attack on companies’ electronic data collection practices. These claims can be divided into two distinct categories: the first is based on electronic privacy breaches, in which an unauthorized party accesses private information; and the second is based on a theory of digital surveillance, in which a user’s online activities are collected and shared with third parties, allegedly without the user’s consent. In the first half of 2024, four motions to dismiss four such class actions were decided—three in the federal district court of Massachusetts and one on appeal in the First Circuit. In each of the three cases before the District of Massachusetts, the court denied motions to dismiss the class action lawsuits on privacy grounds.

Data theft lawsuits survive dismissal despite ‘paltry’ violations

The District Court of Massachusetts recently heard a motion to dismiss the lawsuits in Weekes v. Cohen Cleary, PCconcerning a law firm’s data security practices. Following an electronic data breach that exposed personal client information to hackers, a representative plaintiff brought negligence and contract-based claims for monetary damages and injunctive relief. The court allowed the negligence claim for damages against the firm to proceed, but dismissed the plaintiffs’ contract-based claims and motion for injunctive relief. In discussing the plaintiffs’ entitlement to seek monetary damages, the court expressed skepticism about “flimsy” allegations that a misuse of personally identifiable information (PII) had actually occurred, but ruled that the lawsuit presented sufficient facts to withstand the motion to dismiss. The analysis relied heavily on the First Circuit’s decision last year in Webb v. Injured Workers Pharmacy, LLC.in which the Court found that the alleged actual misuse of the data obtained in the breach constituted cognizable harm, but also concluded that exposure to a significant risk of future misuse of highly sensitive information and the expenditure of productive time to manage that risk may give rise to standing under Article III. In a previous post, we discussed the potential for Webb requiring plaintiffs to assert claims based on alleged exposure to future abuse and alleged mitigation costs based on vague conclusions, and Weeks Decision confirms this prediction.

VPPA and wiretapping allegations in the context of digital privacy

The remaining three cases involve alleged nonconsensual disclosure of consumers’ personal information to third parties, with plaintiffs relying on novel claims under the federal video privacy laws and state telephone wiretapping laws. These laws were enacted before the digital age but have recently been repurposed by plaintiffs in new contexts to assert new theories of privacy liability in class actions that were not originally contemplated by those laws. For a more comprehensive discussion of the privacy claims commonly asserted by plaintiffs, see our previous note on this topic.

The District Court of Massachusetts recently considered a motion to dismiss such a case in Saunders v. Hearst Television, Inc.where consumers sued the owner of several mobile messaging applications (apps) under the Video Privacy Protection Act (VPPA) for allegedly sharing its users’ personal information and a recording of all the videos they viewed through the app with third parties without their consent. While some defendants have successfully dismissed VPPA claims because they did not meet the statutory definition of a “video recording service provider,” Saunders The court ruled that Hearst’s claim that it was not a videocassette service provider was an “overly narrow interpretation of the VPPA” because, although the VPPA “was originally passed in the era of video rental stores, it was amended by Congress in 2012” to include “on-demand cable services and Internet streaming.” For this and other reasons, the court denied Hearst’s motion to dismiss in its entirety.

Massachusetts federal courts have also grappled with the application of state wiretapping laws to new digital contexts, while the state’s highest court is considering the same question. Doe v. Tenet Healthcare Corporationplaintiffs sued a healthcare company for allegedly tracking users’ PII and/or protected health information without their consent and allegedly sharing that data with third parties. The plaintiffs’ claims range from government negligence and contract law to state consumer protection and privacy law. The District of Massachusetts denied the defendants’ motion to dismiss most of the asserted claims. Of note is the court’s commentary on whether analytics software that records users’ website activity constitutes wiretapping under Massachusetts wiretapping law. The District of Massachusetts noted that this very issue is currently before the Massachusetts Supreme Court (SJC) in Vita v. New England Baptist HospitalNo. SJC-13542, and postponed decision on the matter until after the SJC’s impending decision. And while the First Circuit had the opportunity to examine the potential applicability of Massachusetts wiretapping laws to website technology in Rosenthal v. Bloomingdales.com, LLCIt dismissed the action on procedural grounds and it is now up to the Supreme Court to decide on this issue first.

What you need to look out for in pending class action lawsuits on data protection

The resolution of Career will govern the course of wiretapping lawsuits based on website activity and determine how the Commonwealth’s wiretapping law, enacted before the advent of the Internet, applies in the digital landscape. Potential future rulings on summary judgment and class action certifications in the three privacy class actions permitted to proceed beyond the plea stage in the District of Massachusetts –Cohen Cleary, Hearst Television, Inc. and Tenet Healthcare Corporation– will also have the potential to shape data protection litigation in the First Circuit in the years to come.

* * *

Many thanks to the company’s summer intern, Jennifer Henning, for contributing to this article.