Stand Up, Sit Down, Stand Up: Ninth Circuit Revives Spokeo No-injury Suit

by Eversheds Sutherland (US) LLP
Contact

Eversheds Sutherland (US) LLP

In a decision surely welcomed by the plaintiffs’ bar, the US Court of Appeals for the Ninth Circuit held, on August 15, 2017, that a putative class action plaintiff has Article III standing as long as the plaintiff alleges just slightly more than a mere statutory violation. The case, Robins v. Spokeo, was on remand from the United States Supreme Court following that Court’s well-known May 2016 Spokeo v. Robins decision, which held that allegations of a statutory violation of the Fair Credit Reporting Act (FCRA), without more, did not confer standing. A three-judge panel of the Ninth Circuit has now ruled that, as a matter of statutory interpretation, the FCRA procedures at issue were crafted to protect consumers’ “concrete” interest in accurate credit reporting about themselves, and that the plaintiff’s allegations of inaccurate credit reports could be deemed “a real harm” sufficient to confer standing. 

While in one sense, the Ninth Circuit’s decision specifically involves the FCRA, it represents the latest in a string of post-Spokeo decisions analyzing just how little a plaintiff needs to plead to survive a motion to dismiss on standing grounds. This trend is applicable to numerous genres of litigation, but is of particular relevance for defendants both in data breach cases and under the Telephone Consumer Protection Act (TCPA).

Spokeo v. Robins – Part One

Spokeo, Inc. runs a “people search engine” that provides subscribers to its service, including employers, with access to information on individuals in its database (including alleged FCRA consumer reports). The plaintiff alleged that Spokeo, in violation of the FCRA, kept inaccurate information about him in its database concerning his age, education, marital status and employment status, all of which harmed his employment prospects (for example, by making him appear overqualified). Initially, the district court dismissed the complaint on the basis that a mere statutory violation of the FCRA, without any additional injury, was not sufficient for Article III standing.

The Ninth Circuit reversed, however, holding that the plaintiff’s allegations were sufficiently concrete and particularized to confer Article III standing. After granting certiorari, the Supreme Court vacated the opinion and held the Ninth Circuit’s standing analysis to be incomplete. The Court did not disagree with the Circuit Court’s particularized analysis, but found that the Ninth Circuit had not sufficiently analyzed whether the plaintiff’s injury was concrete. An injury-in-fact, according to the Supreme Court, must not only be particularized, i.e., affecting the plaintiff in a personal and individual way, but it also must be concrete. For the Court, although Congress had enacted the FCRA at least in part to curb the dissemination of false information by adopting procedures designed to decrease that risk, if the plaintiff had not suffered any “concrete” injury as a result of the dissemination of false information, the plaintiff could not recover under the FCRA. Importantly, the Supreme Court also noted that injuries do not have to be tangible to be concrete (for example, unduly impeding someone’s First Amendment rights would be a concrete harm while nonetheless intangible). This distinction would later be seized upon by lower courts applying Spokeo

Spokeo – Part Two

In its decision on remand, the Ninth Circuit heeded the Supreme Court’s instructions and determined that the plaintiff’s alleged injury was sufficiently concrete under the FCRA to confer Article III standing. Specifically, the court analyzed the congressional history and historical practice to determine that Congress created the FCRA to ensure that consumers are protected against the dissemination of inaccurate information in consumer reports and this “dissemination of false information in consumer reports can itself constitute a concrete harm.” With that, the Ninth Circuit then found that although some FCRA violations may not cause injury-in-fact on their own, others can and in this case do satisfy the test. 

Other Decisions Applying Spokeo

TCPA Context

Thus far, although courts applying the Supreme Court’s holding in Spokeo have yet to reach a full consensus, the majority of courts have held that it does not take much for plaintiffs to satisfy Article III standing.

One notable area that has been impacted by Spokeo is TCPA litigation, in which plaintiffs generally allege injuries such as minimal time or expense associated with receiving an unwanted phone call, text or fax. For example, in Sartin v. EKF Diagnostics, Inc., the district court dismissed a putative class action where the plaintiff alleged that defendants unlawfully sent him a single fax in violation of the TCPA.1 In dismissing the complaint, the court held that the plaintiff “provides no factual material from which the Court can reasonably infer what specific injury, if any, the plaintiff sustained.” The plaintiff subsequently amended his complaint, adding allegations of lost time and ink from receiving the single fax. Based only on those de minimis allegations of injury, the court allowed the re-pled complaint to proceed.

A majority of TCPA decisions applying Spokeo have agreed with the second Sartin decision, denying motions to dismiss on standing grounds where the plaintiff alleges even a very minor (but apparently “concrete”) harm.2 One court went so far as to hold that under the TCPA, it is not necessary to allege the same kind of harm as under the FCRA to survive a motion to dismiss for lack of standing. In Aranda v. Caribbean Cruise Line, Inc., the court found that the TCPA differs from the FCRA because it “establishes substantive, not procedural, rights to be free from telemarketing calls consumers have not consented to receive.” The Aranda court seized on the fact that under Spokeo, an injury need not be “tangible” to be “concrete.” Because the harm alleged by the plaintiff was contemplated by the language of the TCPA, the statutory violation alone conferred standing.

Some courts have interpreted Spokeo in ways that thwart plaintiff actions. Recently, for example, the US District Court for the Northern District of Illinois denied class certification in a putative TCPA class action on the basis of evidence that certain members consented to the calls and thus did not suffer a concrete, tangible injury based on their receipt of calls.3 This case is also significant because it demonstrates that a plaintiff’s failure to plead an injury-in-fact to satisfy Article III standing can be challenged at any stage of litigation, not just on the pleadings.

FCRA Context

Similar to the Ninth Circuit’s holding in Spokeo, the Third Circuit held in In re Horizon Healthcare Servs. Inc. Data Breach Litig. that the alleged unauthorized dissemination of a plaintiff’s private information in violation of the FCRA was not a mere procedural violation of the FCRA, but was the very kind of injury the FCRA was designed to prevent.4 It therefore satisfied the concreteness prong of the standing test. In fact, the Ninth Circuit cited to this Third Circuit decision in its holding.

Data Breach Context

Post-Spokeo, courts have also considered standing in the context of class actions alleging failure to protect information from data theft. In many of these cases, plaintiffs have argued that the release of their personal information following a data breach puts them at an increased risk of identity theft, creating a “substantial risk of harm” that should be cognizable as a concrete injury under Article III. But courts have struggled to determine whether allegations of an increased risk of identity theft truly creates a “substantial risk of harm” to the data subject, or whether the possibility of identity theft in the future is merely speculative (and hence falling short of Article III standing).Courts continue to grapple with this issue, and have reached different conclusions based on the specific facts and circumstances alleged by plaintiffs in each case.5

What Happens Now?

It is highly likely that the number of FCRA, TCPA and data breach class actions will continue to rise, and given the trend which the Ninth Circuit’s recent Spokeo decision reflects, more will likely survive a standing analysis. That said, courts are not yet uniform in their interpretation of the Supreme Court’s Spokeo opinion, or Article III standing principles more generally. Until the Supreme Court revisits and clarifies its position on what constitutes an injury-in-fact, defendants in these and other categories of cases will be at the mercy of the specific allegations in their case and perhaps the venue of the litigation.
                            

1Sartin v. EKF Diagnostics, Inc., No. CV 16-1816, 2016 WL 3598297 (E.D. La. July 5, 2016).
  
2See Sartin v. EKF Diagnostics, Inc., No. CV 16-1816, 2016 WL 7450471 (E.D. La. Dec. 28, 2016).
  
3Legg v. PTZ Insurance Agency, LTD et al, No. 1:14-cv-10043, (N.D. Ill. Aug. 16, 2017).
  
4In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017).
  
5Compare, e.g., Attias v. Carefirst, Inc., No. 16-7108, 2017 WL 3254941 (D.C. Cir. Aug. 1, 2017) and
Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384 (6th Cir. 2016) with Beck v. McDonald, 848 F.3d 262, 274 (4th Cir. 2017).

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising

Written by:

Eversheds Sutherland (US) LLP
Contact
more
less

Eversheds Sutherland (US) LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.