The US Court of Appeals for the Third Circuit has allowed a class action to proceed against Google relating to the company’s practice of side-stepping “cookie-blockers” on Internet Explorer and Safari’s browsers to track users’ internet activities without their consent. The class action brought a pot pourri of claims against Google. A Court upheld the dismissal of a number of claims, but re-opened the way for the plaintiffs to pursue claims of privacy violation under the California Constitution and California tort law.
The Court ruled that, if the plaintiffs’ factual pleadings are ultimately substantiated, it could be open to a reasonable jury to conclude that there was a “serious invasion of privacy” on the basis that Google deliberately overrode the “cookie-blockers” on Internet Explorer and Safari’s browsers and, at the same time, it held itself out as respecting the “cookie-blockers”. As part of this finding, the Court noted that “Google’s alleged conduct was broad, touching untold millions of internet users; it was surreptitious, surfacing only because of the independent research of Mayer and the Wall Street Journal; and it was of indefinite duration …“.
Link (US Court of Appeals, Third Circuit): In re: Google Cookie Placement Consumer Privacy Litigation
Sony Pictures has reached a settlement with former employees whose personal information (including financial and medical data) was posted online last year after a data breach. The settlement agreement was announced just days before a court hearing scheduled for 14 September 2015 to decide whether the case would achieve class-action status. The lawsuit alleged that Sony failed to protect employee’s data, especially in light of previous breaches of the company’s servers.
Link (WSJ): Sony Pictures settles with former employees in data breach lawsuit
Over at the Technology and Marketing Law Blog, Eric Goldman has a useful summary of Remijas v. Neiman Marcus Group, LLC, No. 14 C1735 (7th Cir. July 20, 2015). The US Seventh Circuit has held that plaintiffs whose credit card details were compromised in a 2013 data breach at Neiman Marcus have standing to sue based on the risk of future harm arising from the misuse of their credit card details.
Claimants’ entitlement to bring data breach class actions is currently a hot topic in the US. In a March 2015 US District Court decision, the Judge held that the plaintiffs did not have standing to sue because they weren’t able to demonstrate “actual misuse of the hacked data or specifically allege how such misuse is certainly impending”. In other words, the privacy breach is not in and of itself sufficient to prove standing. Similarly, in New Zealand, the Privacy Act expressly states its privacy principles generally “do not confer any legal right enforceable in a court of law”.
Source: Storm v Paytime Harrisburg, Inc.
Linkedin has agreed to pay US$1.25 million and to implement industry-standard data security protocols to settle a user privacy class action suit. In 2012, Linkedin was hacked and the passwords for nearly 6.5 million users were stolen. Each claimant is likely to receive up to $50 from the $1.25 million settlement fund.
Meanwhile Target has agreed to US$10 million to settle its 2013 data breach, which exposed the credit card and personal information of up to 110 million customers. Affected customers will be eligible to receive damages of up to $10,000 each and can claim for time spent dealing with the consequences of the breach, although recovery is limited to $10 an hour for up to two hours. Target will also implement measures to better safeguard consumer data. In the 2014 financial year, Target’s gross expenses arising from the breach topped US$191 million.
Source: Bloomberg and Reuters