Duane Morris Privacy Class Action Review – 2024

1197, 1207 (Ill. 2019)). With that opinion, the GIPA floodgates are now open and courts are starting to rule on this 20th century statute for the first time, which includes the first GIPA case to ever be certified as a class action. More specifically, in Melvin, et al. v. Sequencing, LLC, 344 F.R.D. 231 (N.D. Ill. 2023), the plaintiff filed a class action alleging that the defendant violated the rights of up to 1,550 people under the GIPA. The plaintiff sought to represent a class of Illinois consumers who sent their DNA to the defendant only for it to disclose it to unknown third party developers without first obtaining those consumers’ consent. The defendant stated that users send their DNA directly or upload the results of a DNA test taken by a third party, such as 23andMe or Ancestry.com, and it used that information to create a “DNA data file” containing “raw human DNA data” that can be used to assess the customers’ genetic code. Id. at 234. The customers can then purchase reports based on their own genetic code, most of which are available from third party developers. As soon as a customer purchases a report, their personal and genetic information is automatically transmitted to the corresponding third party developer. The plaintiff asserted that the defendant did not inform him that his genetic information would be shared and that he never consented to the disclosure of that information to anyone. The plaintiff filed a motion for class certification, and the court granted the motion, making this case the first GIPA case to be certified as a class action. In its attempt to defeat class certification, the defendant argued that the plaintiff was not an adequate class representative and that the plaintiff failed to establish the predominance and superiority requirements of Rule 23. The court concluded that the plaintiff satisfied the numerosity, commonality, typicality, and adequacy of counsel requirements of Rule 23. The defendant also contended that the plaintiff was not an adequate class representative because he had suffered no damages at all. The court rejected this “bald statement,” which was “unaccompanied by authority or reasoned argument.” Id. at 236. The court explained that the defendant offered “no basis to believe that the plaintiff would not be entitled to the same statutory damages he claims on behalf of the class and sub-class if he succeeds in establishing the defendant ’ s liability.” Id. The court also rejected the defendant ’ s argument to deny class certification based on the plaintiff ’ s failure to establish the predominance and superiority requirements of Rule 23. The court reasoned that “no absent class members have filed individual GIPA claims against” the defendant nor has it articulated a reason to believe that individual class members have an interest in pursuing and controlling separate GIPA actions. Id. Accordingly, the court granted the plaintiff ’ s motion for class certification. The emergence of GIPA class action litigation is a trend to watch going into 2024 and beyond. 6. Defendants Shut Out Claims Under Other Privacy Laws Not all claims brought under privacy laws have led to windfalls for the plaintiffs’ bar. In 2023, at least five separate class actions brought under the federal Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710, were dismissed by district courts in motions to dismiss. For instance, in Salazar, et al. v. Paramount Global d/b/a 247Sports , 2023 U.S. Dist. LEXIS 123413 (M.D. Tenn. July 18, 2023), the plaintiff filed a putative class action against the defendant, an industry leader in content for college sports which delivers team-specific news through online methods, alleging a violation of the VPPA. Id. at 1. The plaintiff alleged that the defendant installed a Facebook tracking pixel, which allows Facebook to collect the data on digital subscribers to 247Sports.com who also have a Facebook account. Id. at 3-4. If a digital subscriber of 247Sports.com is logged-in to his or her Facebook account while watching video content on 247Sports.com, then 247Sports.com sends to Facebook (via the Facebook pixel) the video content name, its URL, and, most notably, the digital subscriber ’ s Facebook ID. Id. at 4. The plaintiff claimed that the defendant violated the VPPA when it installed the Facebook pixel, which caused the disclosure to Facebook of the plaintiff ’ s personally identifying information. The defendant moved to dismiss for lack of subject-matter jurisdiction under Rule 12(b)(1), and for failure to state a claims for relief under Rule 12(b)(6). The defendant argued that the plaintiff did not have standing because the plaintiff failed to adequately allege either a concrete injury-in-fact or the traceability of the injury to the defendant ’ s conduct (because the alleged disclosure of the plaintiff ’ s information to Facebook did not

22

© Duane Morris LLP 2024

Duane Morris Privacy Class Action Review – 2024

Made with FlippingBook - professional solution for displaying marketing and sales documents online