Supreme Court's Spokeo Decision Fails to Give "Concrete" Answers in Privacy Litigation

concrete_zheckArticle III standing has often been a difficult hurdle for plaintiffs in privacy litigation to clear (check out my prior blogs on Android Litigation and Remijas v. Neiman Marcus for more analysis).  Last week, the United States Supreme Court made standing even more difficult for plaintiffs in its Spokeo Inc. v. Robins (No. 13-1339) decision.  In Spokeo, a 6-2 majority, led by Justice Alito, found that plaintiffs seeking redress for statutory violations must show a “concrete injury” as opposed to a purely procedural violation.  In other words, to survive a motion to dismiss, a plaintiff cannot just allege that the defendant violated the statute and that alone caused injury without evidence of some effect or real risk of future harm.  But is this ruling as "concrete" as privacy litigants would like?

Background

Ever since the Supreme Court granted certiorari last fall, Spokeo has been a closely-watched case due to its potential for far-reaching implications for plaintiffs seeking to enforce purely statutory rights.  Although Spokeo, stemmed from alleged violations of the Fair Credit Reporting Act (FCRA), the Court’s decision could impact claims under the Telephone Consumer Protection Act (TCPA), Truth in Lending Act (TILA), Fair Debt Collection Practices Act (FDCPA), Employee Retirement Income Security Act (ERISA), and the Lanham Act, because each of these statutes provide similar language guaranteeing statutory rights.  With respect to class action litigation, the Court’s ruling could substantially limit claims alleging a purely technical violation of a statute absent actual harm or material risk of harm.

In Spokeo, plaintiff Thomas Robins filed a putative class action and alleged that Spokeo, Inc.’s, website aggregated information about him (by mining data across public records, white pages, social media accounts, and Internet search engine results), and published allegedly false information about his employment history and credit worthiness.  Specifically, Robins alleged that Spokeo reported he was in his fifties, had children, held a job, was relatively wealthy, and held a graduate degree.  Robins argued that the inaccurate portrait Spokeo painted of him would hinder his job search, and that he “suffered actual harm in the form of anxiety, stress, concern and/or worry about his diminished employment prospects."  But Robins did not seek actual damages; instead, he alleged that Spokeo had willfully violated the FCRA and sought a judgment “awarding himself and the Class the maximum statutory damages available under [the FCRA’s willfulness provision].”

Spokeo moved to dismiss because the possibility, without any evidence, of an unknown prospective employer searching the website, reviewing allegedly inaccurate information, and declining to hire Robins as a result of that information was far too speculative to constitute an injury-in-fact. The District Court agreed and dismissed the Complaint finding that “[m]ere violation of the Fair Credit Reporting Act does not confer Article III standing… where no injury in fact is properly pled.”  But the Ninth Circuit reversed, holding that “when, as here, the statutory cause of action does not require proof of actual damages, a plaintiff can suffer a violation of the statutory right without suffering actual damages.”  The Ninth Circuit determined that because Plaintiff alleged that Spokeo violated his rights under the FCRA, he had alleged a sufficient injury-in-fact for Article III standing purposes.

The Ruling

The Supreme Court overruled the Ninth Circuit, and rejected the notion that Congress can confer standing to a litigant by statute. The Court held that a plaintiff does not “automatically [satisfy] the injury-in fact requirement [of Article III] whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.”  Without any tangible damage resulting from a procedural statutory violation (for example, evidence that a prospective employer did rely upon Spokeo’s profile of Robins to deny an employment opportunity), a person must face at least “the risk of real harm” to satisfy the concreteness requirement; a “bare procedural violation” is not sufficient.

But Spokeo and similarly-situated defendants are not completely out of the woods. The Court held that a concrete injury can include both easy to recognize tangible injuries as well as intangible injuries.  The Court explained that when considering an intangible injury, “both history and the judgment of Congress play important roles.”  Therefore, Congress may identify intangible harms that meet Article III’s requirements for standing.  With respect to the FCRA, Congress “plainly sought to curb the dissemination of false information by adopting procedures designed to decrease that risk [but] Robins cannot satisfy the demands of Article III by alleging a bare procedural violation.”  To clarify this point, the Court provided an example:  Concrete harm would likely be absent simply because an entity disseminated an incorrect zip code with nothing more.  Yes this a procedural violation of the law?  Yes.  But is there concrete harm?  Probably not.

Acknowledging that some intangible harms can be concrete, the Court failed to answer the underlying factual question of whether Robins suffered a concrete injury himself. Instead, the Court remanded that question to the Ninth Circuit and instructed the lower court to examine Robins’ allegations in light of the Court’s analysis of concrete injuries being necessary for Article III standing.

Going Forward

Ultimately, defendants named in claims for purely statutory violations under the FCRA, TCPA, FDCPA, TILA, and other similar statutes should be encouraged by the Spokeo decision:  “bare procedural violations” of these statutes lack the necessary Article III standing to survive dismissal. However, lower courts now must wrestle with the distinction between procedural violations and violations “that cause harm or present a material risk of harm.”

In the meantime, Defendants should employ Spokeo in motions to dismiss as a means to attack the sufficiency of allegations. Allegations of harm, if any, must now describe more than just procedural statutory violations. In other words, allegations that mimic or quote the statutory language and contend that a plaintiff’s statutory rights were violation is likely no longer sufficient.  When seeking summary judgment, defendants should use evidence obtained in discovery to prove that the plaintiff suffered nothing more than a purely procedural violation of a statute without any tangible harm.

"I would agree this is no silver bullet for companies seeking reassurances in their data breach-related liabilities," adds FI&C's Scot Ganow. "I think this case and others only make the point clearer that plaintiffs' counsel are more motivated and creative than ever to seek redress through a variety of statutes at the state and federal level.  Slowly, plaintiffs' counsel are pulling the bricks out of the wall that some believe the standing defense to be.  I think courts, like the citizenry they represent, are growing weary of the volume with which data breaches occur and the associated impact on people's lives.  Therefore, I think we will see courts continue to grow sympathetic to plaintiffs' concerns over data security, including identity theft.  I think this case is all the more reason for companies to continue to fortify their defenses and invest in sound data governance programs."

Spokeo is not the silver bullet that civil defendants across the nation had hoped. But, this Supreme Court precedent provides defendants with valuable ammunition to combat statutory causes of action under the FCRA, TCPA, and similar statutes.  Bottom line:  privacy litigants are still seeking guidance that is a little more concrete.

About The Author

Zach Heck |