A federal court has certified a class of Arkansas drivers alleging that the defendant purchased their personal information from a database maintained by the state, in violation of the Driver’s Privacy Protection Act (DPPA). See Haney v. Recall Center, No. 10-cv-04003 (W.D. Ark. May 9, 2012) (order on motion to certify class) (available here). Particularly significant is the size of the certified class, estimated to be two million members. Order at 5. This decision runs contrary to widespread speculation that classes with millions of members would be difficult (if not impossible) to certify post-Wal-Mart v. Dukes.
Haney stands to be a notable case not only due to its sheer size and potentially monumental damages (plaintiffs are seeking $2500 for each violation), but also because the underlying privacy issues have considerable resonance with the mass public, as technology increasingly puts private information at risk. Further, in redefining the class to comport with the applicable statute of limitations, the court underscored that courts should use their discretion to do so rather than denying class certification on an easily remedied ground. See id. at 2-3. The Haney certification order also reasserted the division between consideration of class certification criteria and the underlying merits. Id. at 3, quoting Eisen v. Carlisle & Jacquelin, 417 U.S. 156, 178 (1974) (“In determining whether to certify a class action, ‘the question is not whether the plaintiff or plaintiffs have stated a cause of action or will prevail on the merits, but rather whether the requirements of Rule 23 are met.’”).
As to the often-decisive Rule 23 “commonality” requirement, the defendant argued that each transaction in which private data was obtained would require an intrinsically individualized inquiry, in particular as to the affirmative defense that information was acquired for a permissible purpose. See id. at 6. The defendant also argued that the DPPA requires that a violation cause actual injury, which would likewise require individual analysis. Id. The court rejected both of defendant’s arguments, finding that the DPPA does not require proof of actual damages, and that, although individual answers to questions regarding the data transactions might vary as to each class member, “Rule 23(a) requires common questions, not common answers.” Id. at 6-7.