Non-Yahoo Mail users who sent emails to and/or received emails from Yahoo Mail users have claimed that Yahoo intercepted and analysed their emails and attachments with the goal of using the data to create 'targeted advertising' for its 275 million mail subscribers. They allege that Yahoo provides no mechanism for non-Yahoo Mail users to opt out of Yahoo's scanning practices.
Yahoo argued in its defence that some of the claimants continued to email Yahoo Mail users even once they were aware of Yahoo's activities and in doing so consented to Yahoo accessing their emails. The company also argued that the alleged injuries were too disparate to justify class certification.
However, US District Judge Lucy Koh ruled that (1) nationwide, people who sent emails to or received emails from Yahoo Mail users from 2 October 2011 can sue the company as a group under the Stored Communications Act and (2) Californian holders of non-Yahoo accounts in California since 2 October 2012 may also sue as a group for privacy infringement under California’s Invasion of Privacy Act.
As a result of the judge’s decision, there is estimated to be over one million members in the privacy lawsuit. They are seeking damages, an order that everyone with whom Yahoo has shared or sold information or data collected from non-subscribers' emails be identified and an injunction banning Yahoo from spying on emails.
The decision means it will be easier for the group to receive larger damages and more wide ranging pay-outs at a lower cost.
In addition, if an injunction is granted, this will have a significant effect on Yahoo’s revenue. It has been reported that in 2014, nearly 80% of Yahoo's revenue came from its search and display advertising.
The judge distinguished her decision from an earlier decision she made in 2014 involving Gmail. In the latter case, she refused to grant class-action status on behalf of Gmail and non-Gmail users because it was too difficult to determine which users had agreed to Google's scanning practices.
Although this is a US case, the sheer size of the class bringing this action will ensure a high profile result world-wide.
Even though the case will be decided under legislation which is not directly analogous to UK data protection law, the case will draw attention to the broader spirit of the legislation, ie having a right to privacy and the ability to control what happens to information you provide.
It would be prudent for businesses to review their policies for receiving such information and consider putting in place the ability to collect consents from individuals prior to any processing of such individuals’ personal data taking place.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2015. Specific advice should be sought for specific cases. For more information see our terms & conditions.