Spokeo Should Not Fall on Deaf Ears in Privacy Class Actions

by Pierce Atwood LLP

On the May morning that the Supreme Court handed down its ruling in Spokeo, Inc. v. Robins, I was among those who read the case as a bellwether. The Spokeo appeal addressed a long-festering issue about whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm (and therefore cannot otherwise invoke federal jurisdiction) by authorizing a private right of action based on a bare violation of a federal statute.  Spokeo is a Fair Credit Reporting Act (FCRA) case, but its standing issue infects many other statutory privacy cases. FCRA is part of a growing regime of statutes creating per-violation monetary penalties for consumers to pursue whenever a business strays from the particular statute’s procedural requirements. The Telephone Consumer Protection Act (TCPA), the Fair Debt Collection Practices Act (FDCPA), and the Fair and Accurate Credit Transactions Act (FACTA) are examples of the federal regime, while California’s Invasion of Privacy Act (CIPA) and Song-Beverly Act are two state statutes in this arena.

Spokeo held that FCRA plaintiffs do not achieve Article III standing simply by pleading that defendant violated a statute while processing the plaintiff’s transaction.  Plaintiffs must also allege that the statutory violation resulted in a concrete injury – even when the law provides statutory, per-violation damages.  On first reading, this seemed like a significant development. Over the course of many years defending TCPA, FCRA, CIPA, and FDCPA class actions, I rarely encountered a plaintiff who even claimed to suffer a concrete injury. Class action lawyers seemed reluctant to plead additional injuries for fear it might render their plaintiff atypical at class certification. And it was hardly necessary to plead more.  Whenever statutory penalties were in play, most courts held that if a procedural violation triggered the fine, Article III standing was automatic.

Spokeo seemingly tolls the end of that dreadful dynamic. But in the same breath it also observes that a bare statutory violation might establish Article III standing if by passage of the statute, Congress intended to elevate an intangible harm to a concrete level.  Spokeo suggests two ways of recognizing whether a sufficiently concrete interest was established by Congress in a given case. The first way is to ask whether the intangible injury resulting from a statutory violation bears a “close relationship” to harm traditionally recognized in English or American common law courts. Spokeo, 136 S.Ct. at 1549.  If the answer is “yes,” Article III standing is established because the alleged injury was already cognizable at common law before the legislative act.

The second method of testing Article III standing for intangible harms seems much more difficult:  assessing the legislature’s judgment in “elevat[ing] to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law.” Id.  The Spokeo Court concluded that even when Congress purports to raise intangible harms to the level of actionable, concrete injury – that effort may fall short sometimes!  “Congress is well positioned to identify intangible harms that meet minimum Article III requirements,” the Supreme Court observed, but its “role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.”  Id. at 1549 [emphasis added]. Plaintiffs “cannot satisfy the demands of Article III by alleging a bare procedural violation,” and even though FCRA provides per-violation statutory damages, “[a] violation of one of the FCRA’s procedural requirements may result in no harm.”  Id. at 1550.

Six months later, courts are divided about what Spokeo means and how to distinguish between sufficiently concrete and barely procedural harms in privacy cases. I won’t attempt a survey of Spokeo’s early progeny, but many courts now dismiss statutory privacy claims where no concrete injury beyond a procedural statute violation is alleged. See, e.g., Braitberg v. Charter Communications, Inc., (8th Cir. Sept. 8, 2016) (dismissing complaint that failed to allege concrete injury resulting from violation of statutory duty to destroy plaintiff’s personally identifiable information). But other courts respond to Spokeo’s guidance by simply emphasizing the legislative creation of a procedural right, coupled with a cause of action to recover statutory damages when the procedural duty is breached. Burke v. Federal Nat’l Mortgage Assoc. (E.D. Va. Aug. 9, 2016) (because FCRA is “clear in its prohibition” against obtaining consumer reports for unauthorized purposes, which is geared to protecting consumer privacy, plaintiff suffered concrete injury when Fannie Mae accessed her credit report without authorization). Courts are also struggling to determine whether the plaintiff’s intangible injuries are “traceable” to the procedural violations alleged.

In recent TCPA, FCRA, CIPA, and other statutory privacy class actions, plaintiff lawyers argue that Spokeo empowers their cases because American courts have long recognized intrusion upon seclusion and other privacy claims at common law. This simplistic argument distorts the history of privacy jurisprudence and injuries recognized at common law. As my colleague Peter Guffin more accurately recounts in a recent blog post on privacy law basics, privacy is a fairly recent 20th-century legal construct. Courts have struggled to define privacy ever since Brandeis and Warren published their famous article The Right to Privacy, from which most scholars trace all modern privacy jurisprudence.[1] In their 1890 article, Brandeis and Warren were railing against the intrusive threat of newspaper and photography practices, acknowledging from the outset that the emerging privacy rights were (and remain) pitted against competing principles like freedom of speech. Even as the “right to be left alone” gained traction after the turn of the last century, unless an intrusion upon seclusion rose to the level of a nuisance or an invasion of private/domestic life (i.e., confidentiality) with a subsequent publication, the common law generally did not recognize standing to recover for intangible harms like hurt feelings or the fear of future harm. To this day, significant contours of privacy – identifying what is “private,” who owes a duty to protect another’s privacy and under what circumstances, and what constitutes a cognizable injury when those interests are invaded – seem far from established at common law.

Comparing statutory claims like TCPA and FCRA to traditional privacy jurisprudence does not satisfy Spokeo.  Far from relying on traditional legal principles defining an intrusion upon seclusion, today’s privacy class actions are more apt to exploit uncertainties about how to treat advances and anomalies in internet and database technology – social media, internet-based behavioral advertising, data collection and uses, data breaches, and telephone dialing systems providing the “usual suspects” in these cases.  Another favored plaintiff approach is to draw subtle comparisons between how a defendant handles consumer information and what its privacy policy discloses to consumers. Cases like these often involve no privacy intrusions previously recognized at common law. If a privacy invasion arises from the mere receipt of a telephone call or text message, or by having a customer service call monitored by a supervisor at the same company, it does so purely by creature of statute and without meeting the traditional elements for an intrusion upon seclusion. Most importantly for a Spokeo analysis, these statutory cases involve none of the harms traditionally associated with common law privacy claims.

Privacy law has important work to do, but a long way yet to go. For the most part, today’s privacy class actions grasp at brass rings while advancing no significant privacy interests.  Spokeo aimed to mitigate that dynamic by demanding a vigorous inquiry into whether statutory privacy plaintiffs have suffered sufficiently concrete injuries. It is not yet clear whether Spokeo will be treated as a meaningful standing test, or just another picayune issue in a moribund privacy jurisprudence that is already overwhelmed with procedural niceties instead of substantive values and analysis.

[1] Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harvard L. Rev. 193 (1890). This seminal work recognized a person’s right to control (1) publication of one’s thoughts and feelings, at 198, 205; (2) publication of information about one’s private life, at 201; (3) publication of images of one’s self, at 211; and (4) facts about oneself that are not immediately obvious or confidential, at 215.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pierce Atwood LLP | Attorney Advertising
