This case arises from a data security breach in which hackers stole usernames and passwords from LinkedIn. In other cases, plaintiffs have attempted to establish injury by alleging that the theft of login information increased the likelihood of identity theft. Rather than use this nebulous theory, the lead plaintiff in In re LinkedIn is claiming that her injury stemmed from payment for LinkedIn premium service in reliance on LinkedIn’s statement that her information “will be protected with industry standard protocols and technology.” Specifically, the lead plaintiff alleges that had she known that LinkedIn allegedly did not use industry-standard protocols, she would have tried to negotiate a discount for the service or not have purchased it at all, and thus she suffered injury. Put differently, the lead plaintiff claims an injury analogous to one who paid a premium price for a product based on misrepresentations on that product’s packaging.
Trying to defeat this claim pre-class certification or discovery, LinkedIn countered that packaging and labeling differ significantly from a privacy statement. Additionally, LinkedIn argued that the consumer suffered no injury because brands have inherent value independent from how a particular product functions. The Court rejected these distinctions, noting that California defines “advertising” broadly. Thus, it held that setting different standing requirements for labeling and advertising compared to alleged misrepresentations in website privacy statements would contravene California’s broad consumer remedies. Accordingly, the case will now move forward to discovery.