On appeal, the Seventh Circuit affirmed the district court ’ s ruling. In affirming the district court ’ s decision, the Seventh Circuit succinctly stated that its analysis “begins and ends with standing.” Id. at 508. The Seventh Circuit stated that the plaintiff “has not adequately alleged standing to pursue any of his claims.” Id. (emphasis in original). In order to have standing to “sue in federal court, a plaintiff must plausibly allege (and later prove) that he has suffered an injury in fact that is concrete and particularized, actual or imminent, and traceable to the defendant ’ s conduct.” Id. The Seventh Circuit found that the plaintiff failed to meet this standard as his allegations lacked “plausibility, concreteness, or imminence (or some combination of the three).” Id. The Seventh Circuit also determined that the plaintiff ’ s complaint failed to establish concreteness and imminence because of the lack of a de facto injury. The Seventh Circuit looked at the plaintiff ’ s complaint from both a backward looking and forward looking perspective – which the plaintiff requested – and concluded that the plaintiff ’ s asserted injury did not establish standing to sue. The plaintiff did not allege that Google has or will likely use his patient records to discern his identity. The agreement between the defendants forbade Google from identifying any individuals and the plaintiff did not allege that Google has or will breach the terms of that agreement. Therefore, the Seventh Circuit explained that the plaintiff did not allege any concrete or imminent harm arising from the alleged risk of future re- identification. The plaintiff also argued that the University of Chicago insufficiently anonymized his records. The Seventh Circuit ruled that although the plaintiff asserted various deficiencies in the typical de- identification process, he could not link that typical process to the University of Chicago ’ s de-identification of his records. Moreover, even if his records were insufficiently anonymized, there was no indication that Google has ever or will ever take any steps to identify the plaintiff. The Seventh Circuit concluded that the plaintiff ’ s breach of contract claims were also implausible because he expressly agreed that his medical information “may be used and shared for research” and “that he was not entitled to compensation for the use of his medical information.” Id. at 517 (emphasis in original). For these reasons, the Seventh Circuit affirmed the district court ’ s ruling dismissing the plaintiff ’ s claims. 8. Other Notable Privacy Class Action Rulings Businesses that operate in multiple states should also take notice of several significant rulings made in cases brought under less discussed privacy laws. Despite the lack of attention that some of these other laws may receive, the potential damages can be catastrophic if corporations are not in compliance. For example, in the proceeding entitled In Re Google, Inc. Cookie Placement Consumer Privacy Litigation , 2023 U.S. Dist. LEXIS 117696 (D. Del. July 10, 2023), the defendants were able to ward of this class action alleging that the defendant by-passed privacy settings on popular web browsers to track users with cookies, despite privacy settings that should have prevented this tracking. The Third Circuit partially reversed and remanded the district court ’ s ruling granting the defendant ’ s motion to dismiss, which had allowed some state law claims to proceed. In 2016, the parties negotiated a $5.5 million settlement, primarily for cy pres distribution to organizations focusing on browser security awareness and research. The district court granted settlement approval, but the Third Circuit vacated and remanded the approval order based on concerns about the broad release of monetary claims and the selection of cy pres recipients. After remand, the parties’ revised settlement maintained the same terms but introduced a neutral third party to select cy pres recipients and sought certification under both Rule 23(b)(2) and Rule 23(b)(3). The district court addressed the certification of the settlement class under Rule 23(a) and found that the numerosity, commonality, typicality, and adequacy of representation requirements were met. The district court, however, determined that the class was not ascertainable because the members of the class could not be identified. The district court ruled that as the settlement agreement proposed that all class members be stripped of their claims without ever being able to identify the owners of those claims, and without satisfying the feasibility prong of ascertainability, “potential class members could not identify themselves for purposes of opting out of the class,” nor could the district court “ensure that a defendant ’ s rights are protected by the class action mechanism.” Id. at *23. As a result, the court denied the motion for final class certification and approval of the class action settlement. In the case captioned In Re BPS Direct, LLC And Cabela’s Wiretapping Litigation , 2023 U.S. Dist. LEXIS
27
© Duane Morris LLP 2024
Duane Morris Privacy Class Action Review – 2024
Made with FlippingBook - professional solution for displaying marketing and sales documents online