Supreme Court’s Spokeo Decision Erects Barriers for Privacy and Data Security Plaintiffs
On May 16, 2016, the United States Supreme Court in Spokeo, Inc. v. Robins confirmed that a “concrete” injury is required of all private parties seeking to assert claims in federal court, even those alleging violations of a federal statute for which Congress has provided a statutory damages remedy. Where no concrete injury has yet been suffered, a claimant must allege a sufficiently imminent “risk of real harm” in order to satisfy the concreteness requirement. Although the Spokeo case addressed a claim for willful violation of the Fair Credit Reporting Act (“FCRA”), the decision is likely to have broad implications in other contexts as well – particularly in the privacy and data security space, where plaintiffs frequently seek to recover statutory damages for purported violations of statutes such as the Telephone Consumer Protection Act, Video Privacy Protection Act, and Electronic Communications Privacy Act, as well as FCRA, often without alleging any actual or imminent harm.
A plaintiff seeking to invoke the jurisdiction of the federal courts must satisfy the standing requirements of Article III of the Constitution, which require that a plaintiff allege an “injury in fact.” As explained in prior Supreme Court decisions such as Lujan v. Defenders of Wildlife, a plaintiff must show an “invasion of a legally protected interest which is (a) concrete and particularized” and “(b) actual or imminent, not conjectural or hypothetical.”
To date, the courts have inconsistently applied this standard to cases in which the plaintiff asserts a private right action for violation of a federal statute for which statutory damages are available. Some courts, including the U.S. Courts of Appeals for the Sixth, Seventh, and Ninth Circuits, have held that the violation of the federal statute itself may suffice as the requisite “injury in fact,” reasoning that Congress’ creation of a private right of action to enforce the statutory provision implies the creation of a legally cognizable interest. Other courts, such as the Courts of Appeals for the Second, Third and Fourth Circuits, have held that Congress cannot confer standing merely by creating a statutory right of action, and have required plaintiffs to allege actual concrete harm in order to pass through the courthouse doors.
The resolution of these conflicts in yesterday’s decision began in July 2010 when Thomas Robins filed a lawsuit against Spokeo, the operator of a self-described “people search engine” website that compiles and sells information about individuals. Robins alleged that the company generated and disseminated a profile about him that falsely identified him as married with children, in his 50’s, employed, relatively affluent, and holding a graduate degree, none of which, he claims, was true. The Central District of California initially denied Spokeo’s motion to dismiss on grounds that the “marketing of inaccurate consumer reporting information” could suffice as injury in fact for purposes of Article III, but later reconsidered that ruling and dismissed the complaint because Robins had failed to show that he suffered any actual harm as a result of the allegedly inaccurate information. The Ninth Circuit reversed, holding that Congress is empowered to create legally cognizable injuries where the defendant is alleged to have violated the plaintiff’s statutory right as an individual and the right at issue protects against individual, rather than collective, harm, both of which were satisfied with respect to the FCRA statute. Accordingly, the Ninth Circuit found that Robins’ allegations that Spokeo committed a willful violation of the FCRA were sufficient to confer Article III standing.
In a 6-2 decision by Justice Alito, the Court vacated the Ninth Circuit’s decision on grounds that the opinion addressed only whether Robins had alleged an injury-in-fact that was “particularized” to him, ignoring Article III’s independent requirement that the injury-in-fact must also be “concrete.” The Court clarified that standing will not lie merely because “a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right,” including where, for example, a plaintiff relies upon allegations of a “bare procedural violation, divorced from any concrete harm.” Moreover, the Court suggested that a “risk of real harm” will suffice for purposes of standing only where the plaintiff has alleged facts sufficient to satisfy the rigorous standard set forth in the Court’s 2013 decision in Clapper v. Amnesty International USA, which refused to endorse standing theories resting on speculative chains of possibilities or speculation about the decisions of independent actors.
With respect to Robins’ claim specifically, the Court elaborated that Robins’ allegations as to procedural violations of the FCRA were insufficient to confer standing, since not all inaccuracies in the information purportedly disseminated by Spokeo would cause harm or even a risk of harm. The Court declined to delineate whether the particular inaccuracies alleged by Robins here would “entail a degree of risk sufficient to meet the concreteness requirement,” remanding that issue to the Ninth Circuit.
Spokeo has significant implications for private litigation, particularly in the field of privacy and data security. In the context of suits over data security breaches, the Spokeo decision may serve to erect additional barriers for plaintiffs seeking entry to the federal courts by way of claims for violation of the FCRA, the Stored Communications Act, and other statutes, since the allegation of a procedural or technical violation alone will no longer suffice. These hurdles may be particularly daunting for data breach plaintiffs alleging only the mere risk of future injury from the breach or steps plaintiffs took to mitigate that risk, since courts increasingly have found such injuries to be insufficient to confer standing under the Court’s previous decision in Clapper. In the privacy context, plaintiffs seeking to assert claims under statutes such as the FCRA, Telephone Consumer Protection Act, and Video Privacy Protection Act similarly will be subjected to renewed scrutiny in cases where the alleged harm in many instances is nothing more than an absent notice or other similarly inconsequential noncompliance. And even where a data security or privacy plaintiff alleges a sufficiently concrete injury-in-fact, Spokeo’s focus on the “risk of real harm” to each individual plaintiff could potentially frustrate attempts to later certify a class.
For more information regarding the Spokeo decision and its potential impact, please contact Rohan Massey, David McIntosh, Mark Szpak, Laura Hoey, or another member of Ropes & Gray’s leading privacy & data security team.