On the May morning that the Supreme Court handed down its ruling in Spokeo, Inc. v. Robins, I was among those who read the case as a bellwether. The Spokeo appeal addressed a long-festering issue about whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm (and therefore cannot otherwise invoke federal jurisdiction) by authorizing a private right of action based on a bare violation of a federal statute. Spokeo is a Fair Credit Reporting Act (FCRA) case, but its standing issue infects many other statutory privacy cases. FCRA is part of a growing regime of statutes creating per-violation monetary penalties for consumers to pursue whenever a business strays from the particular statute’s procedural requirements. The Telephone Consumer Protection Act (TCPA), the Fair Debt Collection Practices Act (FDCPA), and the Fair and Accurate Credit Transactions Act (FACTA) are examples of the federal regime, while California’s Invasion of Privacy Act (CIPA) and Song-Beverly Act are two state statutes in this arena.
Spokeo held that FCRA plaintiffs do not achieve Article III standing simply by pleading that defendant violated a statute while processing the plaintiff’s transaction. Plaintiffs must also allege that the statutory violation resulted in a concrete injury – even when the law provides statutory, per-violation damages. On first reading, this seemed like a significant development. Over the course of many years defending TCPA, FCRA, CIPA, and FDCPA class actions, I rarely encountered a plaintiff who even claimed to suffer a concrete injury. Class action lawyers seemed reluctant to plead additional injuries for fear it might render their plaintiff atypical at class certification. And it was hardly necessary to plead more. Whenever statutory penalties were in play, most courts held that if a procedural violation triggered the fine, Article III standing was automatic.
Spokeo seemingly tolls the end of that dreadful dynamic. But in the same breath it also observes that a bare statutory violation might establish Article III standing if by passage of the statute, Congress intended to elevate an intangible harm to a concrete level. Spokeo suggests two ways of recognizing whether a sufficiently concrete interest was established by Congress in a given case. The first way is to ask whether the intangible injury resulting from a statutory violation bears a “close relationship” to harm traditionally recognized in English or American common law courts. Spokeo, 136 S.Ct. at 1549. If the answer is “yes,” Article III standing is established because the alleged injury was already cognizable at common law before the legislative act.
The second method of testing Article III standing for intangible harms seems much more difficult: assessing the legislature’s judgment in “elevat[ing] to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law.” Id. The Spokeo Court concluded that even when Congress purports to raise intangible harms to the level of actionable, concrete injury – that effort may fall short sometimes! “Congress is well positioned to identify intangible harms that meet minimum Article III requirements,” the Supreme Court observed, but its “role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” Id. at 1549 [emphasis added]. Plaintiffs “cannot satisfy the demands of Article III by alleging a bare procedural violation,” and even though FCRA provides per-violation statutory damages, “[a] violation of one of the FCRA’s procedural requirements may result in no harm.” Id. at 1550.
Six months later, courts are divided about what Spokeo means and how to distinguish between sufficiently-concrete and barely-procedural harms in privacy cases. I won’t attempt a survey of Spokeo’s early progeny, but many courts now dismiss statutory privacy claims where no concrete injury beyond a procedural statute violation is alleged. See e.g. Braitbert v. Charter Communications, Inc., (8th Cir. Sept. 8, 2016) (dismissing complaint that failed to allege concrete injury resulting from violation of statutory duty to destroy plaintiff’s personally identifiable information). But other courts respond to Spokeo’s guidance by simply emphasizing the legislative creation of a procedural right, coupled with a cause of action to recover statutory damages when the procedural duty is breached. Burke v. Federal Nat’l Mortgage Assoc. (E.D. Va. Aug. 9, 2016) (because FCRA is “clear in its prohibition” against obtaining consumer reports for unauthorized purposes, which is geared to protecting consumer privacy, plaintiff suffered concrete injury when Fannie Mae accessed her credit report without authorization). Courts are also struggling to determine whether the plaintiff’s intangible injuries are “traceable” to the procedural violations alleged.
In recent TCPA, FCRA, CIPA, and other statutory privacy class actions, plaintiff lawyers argue that Spokeo empowers their cases because American courts have long recognized intrusion of seclusion and other privacy claims at common law. This simplistic argument distorts the history of privacy jurisprudence and injuries recognized at common law. As my colleague Peter Guffin more accurately recounts in a recent blog post in privacy law basics, privacy is a fairly recent 20th century legal construct. Courts have struggled to define privacy ever since Brandeis and Warren published their famous article The Right to Privacy, from which most scholars trace all modern privacy jurisprudence.[1] In their 1890 article, Brandeis and Warren were railing against the intrusive threat of newspaper and photography practices, acknowledging from the outset that the emerging privacy rights were (and remain) pitted against competing principles like freedom of speech. Even as the “right to be left alone” gained traction after the turn of the last century, unless an intrusion upon seclusion rose to the level of a nuisance or an invasion of private/domestic life (i.e., confidentiality) with a subsequent publication, the common law generally did not recognize standing to recover for intangible harms like hurt feelings or the fear of future harm. To this day, significant contours of privacy – identifying what is “private,” who owes a duty to protect another’s privacy and under what circumstances, and what constitutes a cognizable injury when those interests are invaded – seem far from established at common law.
Comparing statutory claims like TCPA and FCRA to traditional privacy jurisprudence does not satisfy Spokeo. Far from relying on traditional legal principles defining an intrusion upon seclusion, today’s privacy class actions are more apt to exploit uncertainties about how to treat advances and anomalies in internet and database technology – social media, internet-based behavioral advertising, data collection and uses, data breaches, and telephone dialing systems providing the “usual suspects” in these cases. Another favored plaintiff approach is to draw subtle comparisons between how a defendant handles consumer information and what its privacy policy discloses to consumers. Cases like these often involve no privacy intrusions previously recognized at common law. If a privacy invasion arises from the mere receipt of a telephone call or text message, or by having a customer service call monitored by a supervisor at the same company, it does so purely by creature of statute and without meeting the traditional elements for an intrusion upon seclusion. Most importantly for a Spokeo analysis, these statutory cases involve none of the harms traditionally associated with common law privacy claims.
Privacy law has important work to do, but a long way yet to go. For the most part, today’s privacy class actions grasp at brass rings while advancing no significant privacy interests. Spokeo aimed to mitigate that dynamic by demanding a vigorous inquiry into whether statutory privacy plaintiffs have suffered sufficiently concrete injuries. It is not yet clear whether Spokeo will be treated as a meaningful standing test, or just another picayune issue in a moribund privacy jurisprudence that is already overwhelmed with procedural niceties instead of substantive values and analysis.
[1] Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harvard L. Rev. 193 (1890). This seminal work recognized a person’s right to control (1) publication of one’s thoughts and feelings, at 198, 205; (2) publication of information about one’s private life, at 201; (3) publication of images of one’s self, at 211; and (4) facts about oneself that are not immediately obvious or confidential, at 215.
