On January 31, 2019, Senator Mike Azinger introduced Senate Bill 495 to the West Virginia Legislature (referred to the Judiciary Committee). The Bill proposes amendments to the West Virginia Consumer Credit and Protection Act (“WVCCPA”), W. Va. Code § 46A-5-101, which are intended to “bring the Act in conformity with the federal Fair Debt Collection Practices Act.”

A key change proposed by Senate Bill 495 is to limit the cap on damages from violations arising under the WVCCPA to $1,000 per civil action. The current rule provides a cap on damages of $1,000 per violation.

In the context of class action lawsuits, Senate Bill 495 also proposes to limit the recovery of class members to $500,000 or one percent of the net worth of the creditor. The current rule provides a cap on damages in class actions to the greater of $175,000 per member or the total alleged outstanding indebtedness.

We will continue to monitor and report on developments in this legislation.

 

On January 25, the Illinois Supreme Court sided with consumers in issuing a unanimous decision that a Six Flags season pass holder could bring a claim under Illinois’ Biometric Information Privacy Act (the “BIPA”) based on the amusement park’s collection of customer fingerprints—even absent allegations of real-world injury.  This opinion provides a boost to the state’s unique privacy law and the hundreds of pending cases involving allegations under the law.  A copy of the full opinion can be found here.

Plaintiff Stacy Rosenbach filed her complaint against Six Flags, alleging that the park had violated the BIPA.  Specifically, she alleged that the park’s fingerprinting process for issuing repeat-entry passes to its park violated the BIPA because neither she nor her minor son (1) were informed in writing or in any other way of the specific purpose and length of term for which his fingerprint had been collected; (2) signed any written release regarding taking of the fingerprint; or (3) consented in writing to the “collection, storage, use, sale, lease, dissemination, disclosure, redisclosure, or trade of, or for [defendants] to otherwise profit from,” her son’s fingerprint or associated biometric identifiers or information.  Rosenbach further alleged that Six Flags had not publicly disclosed what it had done with the information or how long it would be kept and that it did not have any written policy available to the public disclosing its retention schedule or any guidelines for retaining or permanently destroying biometric identifiers and biometric information.  She alleged that she never would have purchased a pass had she known the full extent of the company’s conduct.

The intermediate appellate court held that Rosenbach was not aggrieved within the meaning of the BIPA and could not pursue either damages or injunctive relief based on the allegations in the complaint.  The Court held that she was required to allege additional injury or adverse effect, which need not be pecuniary, but which must be more than a “technical violation of the Act.”

The Illinois high court reversed, holding that Rosenbach could be considered an “aggrieved person” based solely on the premise that her son’s fingerprint was taken without consent.  Specifically, the Supreme Court held that the Illinois legislature did not intend for consumers to have to claim that their data was separately stolen or misused to have standing under the BIPA.  The Court held that to require individuals to wait until they “sustained some compensable injury beyond violation of their statutory rights before they may seek recourse . . . would be completely antithetical to the act’s preventative and deterrent purposes.”  The Court also explained that when a private entity fails to adhere to the statutory procedures, “‘the right of the individual to maintain [his or] her biometric privacy vanishes into thin air,’” citing a recent ruling from a Federal District Court in California involving similar claims against Facebook relating to the collection and storage of user’s facial scans.  The Court dismissed arguments relating to the difficulty of compliance, holding that “whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.”

The decision will provide support for a flood of recent lawsuits filed under the BIPA, which requires that companies that capture individuals’ biometric information, such as a fingerprint, voice sample, or retina scan, obtain written consent and disclose how they use, store, and destroy that data.  The BIPA is the nation’s only biometric privacy law with a private right of action, and hundreds of pending lawsuits allege that supermarkets, hotels, and other businesses have violated the law, including in the context of requiring employees to use fingerprint-based timekeeping systems.

Troutman Sanders will continue to monitor how state and federal courts analyze consumer data privacy issues such as this, including any developments under the BIPA.

On January 28, Thomas W. Thrash, Jr., the Chief Judge of the United States District Court for the Northern District of Georgia, issued four decisions on motions to dismiss in cases arising out of the Equifax data breach. Below are a few noteworthy takeaways. 

Factual Background

From mid-May through the end of July 2017, hackers stole personally-identifiable information of nearly 148 million American consumers by exploiting a vulnerability in certain software used by Equifax (the “Data Breach”). Litigation arising out of the Data Breach was consolidated into a Multidistrict Litigation (“MDL”) styled as In Re Equifax, Inc., Customer Data Security Breach Litigation, 1:17-md-2800-TWT.

Chief Judge Thrash issued decisions on motions to dismiss in the MDL regarding (1) the Consumer Cases, (2) the Financial Institution Cases, and (3) the Small Business Cases. Chief Judge Thrash is also presiding over a consolidated federal securities fraud class action lawsuit arising out of the Data Breach and issued an order on a motion to dismiss in that case on the same day. Each of the Court’s decisions are discussed in turn below.

The Consumer Cases

In the Consumer Cases, the plaintiffs (“Plaintiffs”) brought a variety of claims, purporting to represent a class of individuals who were allegedly injured by the Data Breach. The Court first held that Plaintiffs could not assert claims under the Fair Credit Reporting Act because Equifax did not “furnish” any “consumer report” within the meaning of the FCRA. Rather, hackers stole information about Plaintiffs which did not fall within the definition of data subject to the FCRA.

However, the Court held Plaintiffs could assert tort claims for negligence and negligence per se under Georgia common law, which applies to the case due to choice-of-law principles. The Court held Equifax had an independent duty to protect the consumers’ information because it knew of a foreseeable risk to its security systems and allegedly did not follow reasonable procedures to secure the information. Plaintiffs sufficiently alleged actual injury, as some Plaintiffs had suffered identity theft, and had sufficiently alleged concrete potential injury in the form of an increased risk of harm. The criminal nature of the hackers’ behavior did not cut off Equifax’s potential liability because a jury could conclude such conduct is reasonably foreseeable in light of the many other data breaches that have occurred.

The Court further held Plaintiffs failed to assert claims for breach of contract because Equifax’s Privacy Policy prohibited damages, and Plaintiffs could not assert an implied contract due to the valid merger clause in Equifax’s Terms of Use. The Court also reached Plaintiff’s unjust enrichment claim given the lack of a contractual relationship and absence of any allegation that Plaintiff had provided anything of value to Equifax.

Plaintiffs’ claims under various Georgia statutes—the Georgia Fair Business Practices Act (“GFBPA”), the Georgia Uniform Deceptive Trade Practices Act (“GUDTPA”), and Georgia’s statute regarding notification after a personal information data breach—all failed. Under current Georgia law, the GFBPA and GUDTPA do not apply to data breaches, and Georgia’s law regarding notification after a data breach is not privately enforceable. Plaintiffs also asserted claims under other states’ Uniform Deceptive Trade Practices Act laws and other states’ data breach notification laws, some of which survived the motion to dismiss. Finally, Plaintiffs’ claim for attorneys’ fees under Georgia law was allowed to proceed because the Plaintiffs’ made sufficient allegations of “bad faith.”

The Financial Institution Cases

In the Financial Institution Cases, various banks, credit unions, and associations sought to remedy the financial losses they allegedly suffered and continue to suffer as a result of the Data Breach. The claims asserted by these Plaintiffs include negligence, negligence per se, negligent misrepresentation, and claims under various state business practices statutes.

Equifax moved to dismiss Plaintiffs’ claims, arguing, among other things: (1) Plaintiffs lack standing and fail to allege any cognizable injuries; (2) Plaintiffs fail to establish a duty or causation as required to proceed with their negligence-based claims; (3) Plaintiffs’ negligence per se claim fails because the statutes relied upon do not set out any specific statutory duty to protect personally identifiable information; and (4) Plaintiffs failed to plead their negligent misrepresentation claim with the required specificity as required under Rule 9(b).

Ultimately, Equifax’s motion was granted in part and denied in part. With respect to standing, the Court found the Plaintiffs in this case can be categorized into two groups.  The first group was made of the “Financial Institution” Plaintiffs, who allegedly spent time and money: (1) responding to the compromise of the credit reporting system and personal information they rely upon for their business; (2) assessing the impact of the Data Breach as required by applicable law; and (3) mitigating the alleged “substantial risk” of future fraudulent activity. The second group of Plaintiffs, the “Financial Institution Card Issuers,” assert the same allegations plus a fourth – they allege they issued payment cards compromised in the Data Breach and have spent time and money reissuing payment cards or reimbursing customers.

After dividing Plaintiffs into these two categories, the Court found Plaintiffs adequately pled standing as to the Financial Institution Card Issuers but failed to adequately plead standing with respect to the Financial Institution Plaintiffs. In support of this conclusion, the Court found that reissuing payment cards and reimbursing customers for fraudulent charges, as alleged only by the Financial Institution Card Issuers, “are not speculative and are not threatened future injuries, but are actual, current, monetary damages.” Because the same type of concrete and particularized injury had not been alleged by the Financial Institution Plaintiffs, and because their alleged injuries were not actual or imminent, their case was dismissed.

The Court also dismissed the case with respect to the “Association Plaintiffs” who sought to bring claims on behalf of their financial institution members who had allegedly suffered injury as a result of the Data Breach because the Association Plaintiffs did not identify the specific members who have standing.

After addressing standing, the remainder of the Court’s opinion and order applied only to the surviving claims of the Financial Institution Card Issuers. With respect to the negligence claim, the Court concluded Equifax owed the Financial Institution Card Issuers a duty of care to safeguard the information in its custody, namely arising from the allegations that Equifax knew of a foreseeable risk to Equifax’s data security systems but failed to implement reasonable security measures. The Court also dismissed the negligence per se claim to the extent it was predicated upon the Gramm-Leach-Bliley-Act (“GLBA”) alone, which the Court ruled does not provide a specific standard of conduct that is sufficient to give rise to a legal duty under Georgia law. To the extent the negligence per se claim was predicated on the Safeguards Rule of the GLBA, however, which does provide an ascertainable standard of conduct, the Court permitted the claim to continue. The Court also agreed with Plaintiffs that Section 5 of the FTC Act can provide a statutory duty for a negligence per se claim under Georgia law and therefore, Equifax’s Motion to Dismiss with respect to the negligence per se claim was largely denied.

In addressing Equifax’s argument that Plaintiffs failed to sufficiently plead a claim for negligent misrepresentation, the Court, following the Georgia District Court’s precedent, found that Rule 9(b) does not apply to claims of negligent misrepresentation, but that even if Rule 9(b) were to apply, Plaintiffs’ allegations would likely suffice. Indeed, the Court found “Plaintiffs have alleged the specific misrepresentations that the Defendants made, which Defendants made them, how such representations were false, and why the Defendants knew or should have known that those statements were false.” Such allegations, the Court concluded, are sufficient.

Finally, the Court also reviewed the claims brought under the Georgia Fair Business Practices Act, foreign state fraud and consumer protection statutes, claims relating to payment card data, and Plaintiffs’ “ancillary claims.” The Court dismissed the GFBPA claim, finding the Act does not require the safeguarding of personally identifiable information but allowed a majority of the other claims to continue.

The Small Business Cases

A group of ten small businesses sought to bring claims on behalf of a class of small businesses that allegedly relied upon the personal creditworthiness of their owners to obtain and maintain credit (the “Small Business Plaintiffs”). The Small Business Plaintiffs contended their owners’ personal information might have been involved in the Data Breach, and alleged they were harmed by having to take measures to combat the risk of identity theft and by expending time and effort to monitor the credit of their owners.

Equifax moved to dismiss the Small Business Plaintiffs’ claims, arguing: (1) the businesses lacked Article III standing to assert claims for alleged injuries arising out of the alleged breach of their owners’ personal information, and (2) the economic loss doctrine precluded the Small Business Plaintiffs from asserting tort claims. The Court agreed with both of Equifax’s arguments and dismissed the claims.

The Court noted that each of the Small Business Plaintiffs are distinct legal entities from their individual owners. While the owners could seek recovery of their damages in the Consumer Cases, the Small Business Plaintiffs were “not entitled to a second recovery” for the alleged injuries to the owners as small business owners. The Court further held the Small Business Plaintiffs’ alleged injuries were too speculative because Small Business Plaintiffs would have to prove: (a) their owners’ data was compromised and obtained by some criminals; (b) the owners’ credit was directly impacted by the criminals’ misuse of the information; (c) the Small Business Plaintiffs thereafter attempted to rely on the owner’s credit for their own “creditworthiness and continued operations”; and (d) the Small Business Plaintiffs’ “creditworthiness [or] continued operations” were harmed as a direct result of the owner’s damaged credit.

The Small Business Plaintiffs also failed to allege a substantial risk of harm that was sufficient to confer standing. Because of the long, attenuated chain of events that would have to occur before the Small Business Plaintiffs might suffer an injury because of the Data Breach, they did not face an “imminent injury” and their allegations about the alleged costs they incurred were “nothing more than the exercise of ordinary due diligence in monitoring their creditworthiness.”

Finally, the Court held that the economic loss doctrine barred the Small Business Plaintiffs’ tort claims. The doctrine prevents a plaintiff from recovering economic losses associated with injury or damage to another person. Because the Small Business Plaintiffs were distinct legal entities from their owners, the businesses could not recover for alleged injuries to the owners. Equifax did not breach an independent legal duty to the Small Business Plaintiffs, the Court held, because Equifax’s duty to safeguard the information of the individuals was owed to them personally. Accordingly, the Court dismissed the Small Business Cases in their entirety.

The Securities Case

A separate case—In Re Equifax, Inc. Securities Litigation, 17-cv-3463-TWT—is also pending before Chief Judge Thrash, who issued an order on Defendants’ motion to dismiss on the same day as the other orders discussed above. In this case, the lead plaintiff (“Plaintiff”) has brought claims on behalf of a putative class of investors that purchased securities of Equifax from February 25, 2016 through September 15, 2017. Plaintiff asserted claims under sections 10(b) and 20(a) of the Securities Exchange Act of 1934 against Equifax and four individuals who were corporate officers at Equifax during the putative class period. [Disclosure: Troutman Sanders LLP represents one of the individual Defendants in this litigation, former Chief Executive Officer Richard F. Smith.]

Plaintiff alleged Defendants made false or misleading statements and/or omissions about the sensitive information in Equifax’s custody, the vulnerability of Equifax’s internal systems, and Equifax’s compliance with cybersecurity regulations and best practices. As a result, Plaintiff and the other putative class members allegedly suffered a loss in the value of their investments when the Data Breach was revealed.

The Court dismissed the claims against three of the individual Defendants but allowed the claims against Equifax and its former CEO to proceed to discovery. Additionally, the Court limited the scope of allegedly false or misleading statements that could be actionable, holding: (1) “Defendants were under no duty to disclose the existence of the Data Breach before they knew it had occurred”; (2) the mere “occurrence of the Data Breach did not itself make [certain] prior statements false or misleading”; (3) Defendants’ warnings that “Equifax could be vulnerable to a data breach” were not misleading; and (4) Defendants’ representations about certain internal controls in place at Equifax were not false or misleading.

Troutman Sanders will continue to monitor these cases for further developments.

2018 was a busy year in the consumer financial services world. As we navigate the continuing heavy volume of regulatory change and forthcoming developments from the Trump administration, Troutman Sanders is uniquely positioned to help its clients successfully resolve problems and stay ahead of the compliance curve.  

In this report, we share developments on consumer class actions, background screening, bankruptcy, FCRA, FDCPA, payment processing and cards, mortgage, auto finance, the consumer finance regulatory landscape, cybersecurity and privacy, and TCPA. 

We hope you find this helpful as you navigate the evolving consumer financial services landscape.

Access full report here.

 

In a recent decision, the United States District Court for the Northern District of Illinois granted a debt collector’s motion to dismiss a debtor’s breach of contract claim in a putative class action, leaving for adjudication the debtor’s claims under the Fair Debt Collection Practices Act (“FDCPA”).  The case is Burdette-Miller v. Williams & Fudge, Inc., No. 1:18-cv-02187 (N.D. Ill. Jan. 15, 2019). 

The plaintiff, Crystal Burdette-Miller, is a former student of Lewis University, which contracted with Williams & Fudge, Inc. (“WFI”) to collect education-related loans from current and former students.  WFI began contacting Burdette-Miller in August of 2014 to collect a $7,345.33 debt owed to Lewis University.  After she refused to pay, WFI filed a collection action against Burdette-Miller in January of 2016.  A statement attached to the collection complaint stated that WFI was seeking to collect $5,509.00 in tuition and $1,836.33 (33% of the tuition balance) as a collection fee.  Burdette-Miller filed a motion to dismiss the complaint; however, the court struck WFI’s request for the 33% fee as an “unenforceable penalty.” 

Two years later, Lewis University disclosed for the first time that the tuition agreement attached to the collection complaint was not the one to which Burdette-Miller agreed.  Instead, her actual tuition agreement with Lewis University did not authorize a 33% collection fee.  Shortly thereafter, Burdette-Lewis filed a putative class action against WFI, complaining that it imposed exorbitant collection fees and engaged in other unlawful collection activities.  Her complaint contains claims for breach of contract, violations of the FDCPA and Illinois Consumer Fraud and Deceptive Business Practices Act, wrongful wage garnishment, and declaratory judgment.  WFI moved to dismiss the complaint. 

In adjudicating WFI’s motion to dismiss, the Court first considered WFI’s argument that Burdette-Miller lacks standing to challenge the collection contract between Lewis University and WFI.  The Court ultimately held that she lacked standing to challenge the contract because she was only an incidental beneficiary to the collection contract.  The Court based its holding on the fact that the contract lacked any express language indicating an intent to benefit Burdette-Miller or student debtors like her and that, although the contract required WFI to abide by state and federal consumer-protection laws, such provisions were intended to benefit WFI and Lewis University.  Any benefit to Burdette-Miller was incidental.  

After dismissing Burdette-Miller’s breach of contract claims, the Court evaluated WFI’s argument that her FDCPA claim is barred by the one-year statute of limitations.  WFI argued that Burdette-Miller’s FDCPA claim was barred because the last act of which she complained occurred in March of 2016 and her allegation that WFI “continued making calls” and sending her correspondence beyond this date was too generalized to extend the period of wrongful conduct.  The Court, however, disagreed because Burdette-Miller did not learn until April of 2018 that WFI had sued her on the wrong contract and lacked any contractual basis to demand a 33% collection fee.   

Troutman Sanders will continue to monitor and report on developments in this area of the law.

Since the Spokeo, Inc. v. Robins decision in 2016, many defendants have worried that a valid standing argument could have the actual impact of leading to more cases being litigated in state court rather than outright dismissals on the merits.  

This month’s ruling in Ratliff v. LTI Trucking Services, Inc. proved to be exactly the kind of holding defendants worried about after SpokeoPlaintiff Jerome Ratliff, Jr. brought a Fair Credit Reporting Act (15 U.S.C. § 1681) suit in an Illinois federal court.  The suit involved a putative class action alleging that LTI Trucking Services violated procedural requirements of the FCRA by failing to provide notices required under § 1681(b)(3)(B) considering negative information disclosed on Ratliff’s background check.  That court cited Spokeo’s concrete injury requirements for standing and dismissed the matter outright for lack of subject matter jurisdiction.   

Ratliff refiled in state court, and LTI removed the case to federal court.  Upon removal, LTI moved to dismiss the case for lack of subject matter jurisdiction, and Ratliff argued for the federal court to dismiss the case and remand to state court.   

The federal court agreed with Ratliff and elected to remand the matter for state court.  The net result was a defendant facing a class claim in state court rather than federal court, and likely a situation where the defendant is no better off, and perhaps in a worse position, than if Spokeo did not exist.

In American Family Mutual Insurance Company v. Vein Centers for Excellence, Inc. et al., the Court of Appeals for the Eighth Circuit upheld the Eastern District of Missouri’s ruling granting summary judgment in favor of American Family, finding that the insurer did not have to defend and indemnify its client Vein Centers, which had been accused of violating the Telephone Consumer Protection Act in a class action lawsuit.

In the underlying TCPA class action lawsuit, St. Louis Heart Center, Inc. alleged that Vein Centers violated the TCPA by sending fax advertisements. Vein Centers sought indemnification from its insurance carrier under the Businessowners Policy and Commercial Liability Umbrella Policy. Both policies included a provision that excluded the “Distribution of Material in Violation of Statutes.”

Thus, American Family argued that it did not have to cover Vein Centers for TCPA claims. The Court agreed with the District Court’s decision that American Family was entitled to the presumption that Vein Centers received notice of the policy exclusion because no evidence was offered that would indicate Vein Centers never received notice of the exclusion provisions. Missouri law recognizes the presumption that a letter duly mailed has been received by the addressee, and American Family triggered this presumption by offering deposition testimony that American Family mailed the applicable communications that included the policy exclusion provisions to Vein Centers.

Troutman Sanders has a nationwide defense practice representing many companies with insurance carriers. It is important that insurance policies be reviewed carefully to ensure coverage for consumer statutory violations.

 

The United States District Court for the Northern District of Illinois recently denied a plaintiff’s motion for class certification on a Fair Debt Collection Practices Act claim, ruling that he had failed to establish that he was an adequate class representative.  This decision illustrates that a plaintiff must meet all factors to certify a class action – even in cases dealing with standard debt collection letters.

Plaintiff Jose Luis Ocampo filed a putative FDCPA class action against GC Services Limited Partnership, alleging that the initial debt collection letter sent to him did not properly state the amount of debt owed, in violation of 15 U.S.C. § 1692g.  He also claimed that the letter contained false and misleading statements in violation of 15 U.S.C. § 1692e.  The putative class action complaint sought to include all residents of Illinois who received a similar letter from GC Services.

The Court, however, found that Ocampo was not an adequate class representative based on the record before it and, therefore, declined to certify a class.  Importantly, the Court found—and Ocampo’s deposition testimony showed—that Ocampo:

(i) did not appear to know what a class action is:

“Q: Do you know what a class action is?  A: Yeah.  Q: What is it?  A:  I’m not sure exactly, like everything and so … .  Q: Can you give me any description at all?  A: It’s to fix a problem.  Q: Anything else?  A: Sorry.”

(ii) did not know what a class representative is or the duties he owed to the class as a class representative:

“Q: Do you know what the phrase ‘class representative means?  A: No.  Q: Can you tell me what you believe your responsibilities are as a class representative?  A. No 

(iii) could not articulate why the complaint was filed:

“Q: Why did you file this lawsuit?  A: I’m not sure.”

(iv) did not understand the legal basis of his claim:

“Q: Do you know what the FDCPA is?  A: No.”

(v) testified that he was unwilling to bear financial burdens to proceed as a class representative: 

“Q: Are you willing to bear the financial burdens to proceed as the class representative in this lawsuit?  A: No.”

The Court found that Ocampo had satisfied all of the other requirements to certify a class, but ultimately declined to certify the class on the basis that Ocampo was not an adequate class representative.  Nonetheless, the Court has allowed Ocampo to file supplemental briefing regarding the legality of substituting the named plaintiff to cure the adequacy defect.  Ocampo has until January 7 to brief the issue.

As we previously reported, last year the United States District Court for the Middle District of North Carolina trebled a jury verdict against DISH Network L.L.C. in a Telephone Consumer Protection Act class action, resulting in a $61 million damages award.  After months of post-trial motions (which were denied), the Court now recently ruled on class counsel’s request for attorneys’ fees, awarding $20.4 million.

Class counsel requested attorneys’ fees of 33.33% of the total judgment.  The Court found that a fee of $20,447,600, which is one-third of the approximately $61 million judgment, was reasonable.  According to the order, class counsel spent approximately 8,500 hours prosecuting the case and expended almost $500,000 of their own money.  The Court noted that “it takes skilled counsel to successfully manage an 18,000-plus member class action.  It takes a different set of highly developed skills to successfully achieve a jury verdict.”  The Court further noted that “Class Counsel achieved an excellent result on behalf of the class.”

A copy of the Court’s order can be found here.

We will continue to monitor the case for further developments.

In what could be seen as an early holiday present to those institutions often entangled in Telephone Consumer Protection Act litigation, a district court in the Eleventh Circuit not only denied certification in a TCPA wrong number class action, but also struck down common methods used by plaintiffs to ascertain class members.  Going further, the Court found that wrong number class actions are fatally plagued by individualized inquiries of consent where a defendant intends to call actual consenting customers, and topped everything off with due process considerations.

In Wilson v. Badcock Home Furniture, the Court began its analysis by finding fundamental problems with ascertainability, noting the difficulties in identifying individuals receiving a “wrong number” call.  Typically a defendant’s records will only show that a wrong number was dialed but nothing further regarding the individual that received the call.  Plaintiffs therefore generally propose using a reverse-number lookup and subpoenas to cell phone carriers for copies of call records.  This method, however, will not identify call recipients who are regular users under a family cell phone plan, and this is where the Court ruled the reverse-lookup method “truly fell apart” (noting that the class plaintiff would not have even been identified using this method) and found that there was “no way to definitively determine who actually answered the call from the defendant … .”

The Wilson defendant also identified multiple instances where more than one customer provided the same phone number.  As is commonly seen in TCPA litigation, the plaintiff proposed the “ask the subscriber” approach, but the Court rejected this method for three reasons.  First, the method “ignores the very purpose of ascertainment and will, in any event, require an individualized inquiry.”  Second, the “ask the subscriber” method could violate a defendant’s due process protections as penalties of up to $1,500 per call could incentivize individuals to improperly enter the class.  Finally, the Court ruled that this method would lead to nothing but inadmissible hearsay, finding that “a call recipient’s statement of ‘wrong number,’ as well as the simple act of Defendant listing a number as ‘wrong number’ may not be admissible as a matter of federal evidence as proof of the matter asserted, even if the number is labeled as ‘wrong’ in Defendant’s business records.  The unknown person answering on the phone was under no business duty to make that declaration, which is likely hearsay to prove the number was in fact wrong.”

Aside from the obvious ascertainability issues, the Court found predominating individualized issues of consent, noting that the defendant only calls numbers in its records thought to have belonged to actual consenting customers which raises possible defenses against many class members.  Again, the Court addressed due process concerns, finding that with the TCPA’s high statutory penalties, due process allows the defendant to inquire “whether the alleged wrong number belonged to a customer by consulting each individual file” and not leave the defendant at the mercy of the prospective class members.

The Wilson decision is significant and sets out a roadmap to defeat common methods used for class certification in wrong number TCPA cases. Importantly, the Court laid out arguments for defeating plaintiffs’ unreliable methods of identifying class members and stressed the importance of individualized inquiries of consent when a defendant simply attempts to call consenting phone numbers.