On January 16, 2020, a federal judge held that Michigan's Personal Privacy Protection Act applies to nonresidents who are located outside the state. The decision, Lin v. Crain Communications, No. 19-11889 (E.D. Mich. January 16, 2020), has important implications for the extraterritorial application of state privacy laws and more generally signifies that compliance with these laws cannot always be achieved by simply looking to the residency of data subjects.
Gary Lin, a resident of Virginia, sued Crain Communications under the Michigan Personal Privacy Protection Act, M.C.L. § 445.1712 ("PPPA") for allegedly disclosing information about Lin's magazine subscriptions to various data mining companies. Crain moved to dismiss the lawsuit, arguing that Lin, as a resident of Virginia, lacked standing under the PPPA. The court disagreed, noting that, because the PPPA's definition of a "customer" was not limited solely to Michigan residents, "the PPPA does not impose a residency requirement for customers to have protections under the statute." The court further pointed to the fact that Lin's allegations related to conduct that had supposedly occurred within Michigan, and therefore Lin could properly invoke the PPPA's protections.
The decision in Lin is the most recent example of a court finding that a state's data privacy law protects nonstate residents. Previously, in Monroy v. Shutterfly, No. 16 C 10984 (N.D. Ill. September 15, 2017), a federal court similarly found that a resident of Florida could bring an action under the Illinois Biometric Information Protection Act against an out-of-state defendant based on conduct that had occurred in Illinois.
The Lin decision further evidences a willingness of courts to broadly interpret state privacy protections in some contexts, which adds further complexity to the challenge of complying with state privacy laws. Jones Day will continue to closely monitor the impact of this development on future litigation as courts continue to address these types of issues.