In what may be a glimpse into the next frontier in class action litigation, two federal courts recently disposed of putative class actions alleging violations of state privacy laws involving genetic and biometric data.
In a rare defense victory in a circuit favored by the plaintiff’s bar, a Ninth Circuit panel affirmed a decision by the United States District Court for the District of Alaska denying plaintiff’s motion for certification of claims under Alaska’s Genetic Privacy Act. Plaintiffs in that case alleged that defendant, a company that sells DNA testing kits, disclosed customers’ DNA results without their consent. The plaintiff brought the putative class action lawsuit on behalf of nearly 1,000 residents of the state. The Ninth Circuit panel agreed with the district court that plaintiff failed to meet the predominance requirement of Rule 23(b)(3), as common questions did not predominate over individual issues. In particular, the court found that individualized issues predominated with regard to disclosure, consent, and damages. Because customers were involved in various of the defendant’s “projects,” they signed different releases and had chosen different privacy settings. Whether customers had consented to disclosure of their information, and whether such information had actually been disclosed, differed based on these privacy terms. Furthermore, the court noted that although variations in class member damages alone were not sufficient to preclude certification, these differences supported the district court’s holding. Additionally, the court held that the lower court did not abuse its discretion in finding plaintiff also failed to prove superiority under the circumstances, as it would be difficult to adjudicate a class action with so many individualized issues and only limited resources would be saved in doing so. Thus, the Ninth Circuit panel agreed that individual litigation was more appropriate than a class action.
In addition, an Illinois federal district court dismissed putative class claims by airline employees for violation of the Illinois Biometric Information Privacy Act (“BIPA”) based on their employer’s alleged use of a biometric timekeeping system. The court reasoned that such claims were preempted by the Railway Labor Act (“RLA”), which applies to collective bargaining agreements in the airline and railroad industries. Specifically, plaintiffs alleged that the defendant airline violated their privacy rights by requiring them to scan their fingers to sign in and out at work without providing an appropriate notice or obtaining their consent. Plaintiffs sought an injunction requiring the airline to destroy their biometric data and cease its unlawful conduct as well as monetary damages. Defendant airline moved to dismiss for failure to state a claim, arguing plaintiffs had not alleged a sufficient injury under BIPA, and for improper venue, asserting the claims were preempted by the RLA. With regard to the former, the court held that plaintiffs had alleged a concrete injury based on their claim that that defendant airline shared employees’ biometric data with third party vendors without employees’ knowledge or consent. However, the court agreed that the RLA preempted plaintiffs’ claims because those claims required an interpretation of the relevant collective bargaining agreements, and were therefore subject to mandatory arbitration under the RLA. The court therefore dismissed the complaint for improper venue.