The United States District Court for the Northern District of California denied certification of a class under the Video Privacy Protection Act (“VPPA”) on June 16, 2014 (get hulu class cert decision here). In re Hulu Privacy Litig., No. C 11-03764 LB, slip op. (N.D. Cal. June 16, 2014). The VPPA prohibits video tape service providers from disclosing personally identifiable information (“PII”) to a third party, and permits statutory damages of $2,500 (or actual damages if not less than the statutory amount). The court denied certification without prejudice, but the court’s reason for denying certification is important: the class could not be ascertained because each individual would have had to have taken certain steps for his or her information to have been disclosed, and this also meant that issues common to the class could not predominate under Rule 23(b)(3). Rather, individualized issues would predominate.
The crux of this class action determination, as is true of many data privacy cases, was: who was injured? If injured parties cannot be readily determined, or if that inquiry requires individualized determinations, the class cannot be certified. Here, as the court held: “class members are those who actually had their PII transmitted to Facebook. that inquiry turns on whether the c-user cookie was sent to Facebook, which depends on a number of variables (including whether the user remained logged into Facebook, cleared cookies, or used ad-blocking software). Thus, not only could class members not be readily ascertained, but “substantial issues about reamaining logged into Facebook and clearing and blocking cookies mean that the court cannot conclude on this record that the common issues predominate over the individual ones.”
The court also took time to address the constitutional importance of permitting classes to be certified that potentially contain class members who are not injured — it would be a due process violation to permit not insignificant damages to be awarded to class members who did not suffer actual harm.
Data privacy class actions are prone to issues stemming from the lack of injury. At the outset of a case, lack of injury can permit a defendant to get a case dismissed for lack of standing. And as the Hulu case demonstrates, even if there is some injury, if class members with injury cannot be readily identified, class certification is not appropriate.