By David M. Governo and Corey M. Dennis, CIPP/US

Privacy and data breach class actions are on the rise. In fact, just last month, three class actions were filed against MAPCO Express, a southern convenience store chain, based on a hacking incident involving the compromise of its customers’ credit and debit card information. Plaintiffs in such class actions typically claim that the defendant—whether a retailer, hospital, health insurer, payment card processor or other company handling their personal information—failed to adequately protect that information, used that information for unauthorized purposes, e.g., online “tracking” or behavioral advertising, or otherwise violated their privacy rights under state or federal statutes or common law.

In class-action lawsuits—including privacy and data breach class actions—plaintiffs are often unable to overcome the class-certification hurdle, which generally results in the failure of the case. For example, class certification was denied in a recent data breach class action in which the plaintiffs claimed that, following an incident in which millions of customers’ debit and credit card data was stolen from a grocery chain, they incurred mitigation damages, including fees for new credit/debit cards, identity theft insurance and credit monitoring. The court found that the plaintiffs met the class certification requirements under Fed. R. Civ. P. 23(a), i.e., numerosity, commonality, typicality and adequacy of representation—but failed to meet the predominance requirement of Fed. R. Civ. P. 23(b), which requires a showing that questions of law or fact common to class members predominate over questions affecting only individual members. Other obstacles for plaintiffs in such cases include establishing standing, injury and causation.

Impact of the U.S. Supreme Court’s Decision in Comcast

Earlier this year, the U.S. Supreme Court reversed class certification in Comcast Corp. v. Behrend, 133 S. Ct. 1426 (2013), an antitrust class action brought by cable television subscribers concluding that the plaintiffs failed to meet Fed. R. Civ. P. 23(b)’s predominance requirement. Although the plaintiffs proposed four theories of antitrust impact, the court only accepted the “overbuilder theory,” i.e., that Comcast’s activities reduced competition from companies building cable networks in the market area. The damages model offered by the plaintiff’s expert calculated damages for the entire class at $875,576,662 but did not isolate damages resulting from any particular theory. As a result, the court held that the plaintiffs’ proffered damages methodology was inconsistent with their theory of antitrust liability and inadequate to establish damages on a classwide basis, emphasizing that a “rigorous analysis” of the plaintiff’s damages model must be conducted.

The Comcast decision has established stricter class-certification standards, making certification more challenging going forward; as noted recently in Forrand v. Federal Express Corp., a plaintiff must now proffer a damages methodology “that can be applied classwide and that ties the plaintiff’s legal theory to the impact of the defendant’s allegedly illegal conduct.” However, some decisions have cast doubt on the case’s impact on the broader class-action landscape, particularly in cases involving less complex damages calculations or certification only as to liability classes. For example, In re Whirlpool Corp. Front-Loading Washer Products Liab. Litig. affirmed a liability class certification in product liability case, reasoning that Comcast only applies in cases involving liability and damages certification; Manno v. Healthcare Revenue Recovery Grp., LLC, certified a Telephone Consumer Protection Act (TCPA) class action and disagreed that Comcast “treads any new ground in class action law,” and Martins v. 3PD, Inc., certified a wage act class-action where damages calculation issues were neither “particularly complicated nor overwhelmingly numerous.”

ComScore—Largest Internet Privacy Class Action

More recently, a class was certified in Harris v. comScore, Inc.,  a privacy class action in which the plaintiffs claim that comScore, an online data research company, unlawfully collected data about their activities on the Internet, analyzed that data and sold it to third parties. The plaintiffs seek statutory damages for violations of several federal privacy statutes: the Stored Communications Act, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act.

The comScore court concluded that a class action was the most efficient method for resolving the common issues and that “individual factual damages issues do not provide a reason to deny class certification when the harm to each plaintiff is too small to justify resolving the suits individually.” The court also reasoned that the U.S. Supreme Court’s “assumption, uncontested by the parties” in Comcast, that Fed. R. Civ. P. 23(b)(3) requires a classwide damages calculation methodology in antitrust cases, “even assuming it is applicable to privacy class actions in some way, is merely dicta and does not bind this court.” Last month, the U.S. Court of Appeals for the Seventh Circuit denied comScore’s appeal of the class-certification ruling, allowing the case to proceed. The comScore class is likely to include millions of individuals, making it one of the largest class actions ever certified.

The emerging trend of privacy and data breach class actions has not been limited to the U.S.; in fact, several such class actions were recently filed in Canada. In June, the Quebec Superior Court granted authorization for a class action in which the plaintiffs claim that Apple violated their privacy rights by transmitting or allowing iPhone and iPad devices to transmit private data to advertisers.

The potential liability resulting from privacy and data breach class actions is so substantial that privacy may be the “next frontier in consumer class actions.” With so much at stake, class certification will undoubtedly be not only an important issue but also a critical battleground in future cases.

David M. Governo is the founding partner of Governo Law Firm, LLC, in Boston, MA. For over three decades, he has defended companies in complex litigation and counseled companies on a range of risk management and compliance issues. He has attained Martindale-Hubbell’s highest “AV” rating, is an active member of the Federation of Defense and Corporate Counsel and has been voted a New England Super Lawyer for many years.

Corey M. Dennis, CIPP/US, is an associate at Governo Law Firm, LLC, where he defends companies in complex litigation and counsels companies on compliance with privacy and data security laws. He has written and spoken extensively on a variety of subjects, including privacy and data security law, social media, employment law, product liability and civil litigation.

Read more by David Governo and Corey Dennis:
Data breach litigation on the rise—Eleventh Circuit allows data breach putative class-action to proceed
Businesses nationwide continue to grapple with Massachusetts data privacy laws
FTC ramping up data privacy enforcement actions; Google fined $22.5 million


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is sold out! But you can still add your name to the wait list, and we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Call for Speakers open! Join the Forum in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

Call for Speakers open! This year, we're bringing P.S.R. to San Diego. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

Call for Speakers open! The Congress is your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Submit a proposal by March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»