Earlier last week we promised you a more detailed look at the U.S. Supreme Court’s decision to grant certiorari in Spokeo, Inc. v. Robins, and why the Court’s willingness to resolve questions on plaintiffs’ standing to assert informational privacy claims next term matters to businesses.
In essence, the question presented in Spokeo is whether a statutory violation, without more, satisfies the injury requirements for Article III standing purposes. Should the Court rule in Spokeo, Inc.’s favor when it hears the case next year, it could effectively close the door to class actions under a host of federal privacy statutes where the plaintiffs are unable to allege they suffered tangible harm. While this might be a setback for the plaintiffs’ bar, it could be a welcome reprieve for businesses that have been defending protracted and expensive privacy class actions.
Is a Statutory Violation an “Injury” for Article III Standing?
The plaintiff in Spokeo alleges that the company willfully violated the Fair Credit Reporting Act (FCRA) by publishing publicly available but factually inaccurate information about the plaintiff’s age, wealth, marital status, and education on Spokeo’s online search engine. The FCRA requires that consumer reporting agencies (CRAs) follow “reasonable procedures to assure maximum possible accuracy of” an individual’s information in a consumer report, and provides statutory damages provision for willful violations. Although Spokeo disputes claims that it is a CRA and that its search results are “consumer reports,” those issues were not addressed when the district court dismissed the case on standing grounds. Although the Ninth Circuit reversed on the standing issue, the appellate court also had no opportunity to decide the merits of whether Spokeo is a CRA or otherwise violated the FCRA, and will not likely be addressed (much less resolved) by the Supreme Court, either.
The plaintiff’s suit was initially dismissed by the district court for failing to plead an injury-in-fact, but the Ninth Circuit Court of Appeals later reversed and held that the FCRA created a statutory cause of action that did not require the plaintiff to demonstrate a cognizable harm.
In its petition for certiorari, Spokeo asked the Supreme Court to resolve whether Congress can constitutionally confer Article III standing on plaintiffs that do not suffer concrete and tangible harms, and therefore would otherwise not be able to invoke federal court jurisdiction, by authorizing a private right of action based on a statutory violation of federal law. The Solicitor General had advised the Court not to hear the case, arguing that Spokeo sought to “litigate the abstract question of whether a ‘bare violation of a federal statute’ satisfies Article III even when the plaintiff has ‘suffer[ed] no concrete harm’” instead of addressing the Ninth Circuit’s narrow holding that the plaintiff met Article III standing under the FCRA’s statutory damages provision.
Will the Court’s Decision on Standing Close the Door on Other Privacy Actions?
The Supreme Court’s grant of cert – and its implicit rejection of the Solicitor General’s position against considering Spokeo’s “abstract” standing question – may be a signal that the Court is willing to consider the notion that an injury demanded under Article III can exist solely through the invasion of a statutory right, and has implications far beyond the present case and the FCRA. Depending on how the Supreme Court resolves the standing question, the Court could effectively preclude plaintiffs whose personal information is exposed in the data breach or unauthorized disclosure scenarios, but who suffer no concrete harm as a result, from raising future privacy class actions under a host of federal privacy statutes, or at least assist with early dismissal of such suits. On the other hand, should the Supreme Court side with plaintiff, there is a legitimate concern that privacy class actions will take on the frequency and liability now associated with class actions brought pursuant to the Telephone Consumer Protection Act (TCPA).
The Court’s review of this question is particularly crucial in the online privacy context, as a number of statutes in this area afford plaintiffs statutory damages. As the joint amicus brief of Google, Facebook, and Yahoo! points out, suits have been brought under a number of federal statutes – such as the TCPA, the Video Privacy Protection Act (VPPA), and the Electronic Communications Privacy Act (ECPA) – by plaintiffs who are able to get their collective feet through the courthouse doors without identifying any cognizable harm flowing from the alleged statutory violations. As we’ve reported before in the VPPA context, federal district courts have ruled that a plaintiff does not need to suffer an actual injury to support a claim for a wrongful disclosure under the VPPA. This has generated putative class actions that, while ultimately dismissed at the district court level, are testing the limits of the statutory definitions that cannot be resolved on a motion to dismiss. In the VPPA context, it was issues such as determining whether “PII” was “knowingly” disclosure. If Plaintiffs can jump the harm threshold in FCRA cases like Spokeo, it will be issues such as determining whether an entity is a CRA or what constitutes a “consumer report” that may prolong litigation, including through costly appeals.
Additionally, given these privacy laws’ high statutory damages provisions – with some as high as $2,500 per violation with possible punitive damages for willful violations, costs and attorneys’ fees – it is no wonder that the plaintiffs’ bar has tried to litigate statutory damages claims even when their clients cannot point to any concrete injury. As the amount of data collected on consumers proliferates, the accuracy, reliability, and security of this data is subject to more risk, including unauthorized disclosures that often result in no actual harm to consumers. For companies that collect, maintain, and use this data, there is a very real fear that plaintiffs will exploit statutes with high statutory damages awards, hoping for a quick settlement to avoid a trial or protracted proceeding knowing the case cannot be knocked out on standing.
Should the Supreme Court agree with Spokeo that plaintiffs would need to point to some concrete harm to properly invoke a federal court’s jurisdiction under Article III when any statutory violation is alleged, it would likely subject many suits to dismissal at an early stage. However, the Supreme Court’s resolution of this issue is still many months away, so businesses must wait and see whether the Court will let “no harm” privacy suits like the plaintiff’s stand. While some litigants could also ask federal district or appellate courts to stay proceedings in “no harm” cases until after the Supreme Court rules, we have already seen instances where plaintiffs are getting creative with their “harm” allegations, and some courts are buying in – at least at the motion to dismiss stage.
