We may allow third-party analytics companies, research companies or ad networks to collect nonpersonally identifiable information on our website. These companies may use tracking technologies, including cookies and Web beacons, to collect information about users of our site in order to analyze, report on or customize advertising on our site or on other sites. For information about how to opt-out of the customization of advertising from many ad networks, you can visit here.
This assurance is limited by a number of caveats elsewhere in the Policy. For instance, a separate paragraph of Section 4 informs the user that "[i]f you stay logged on to your social media accounts … while visiting our website [,] those social media companies may collect information from you." (emphasis added). Likewise, Section 5 of the Policy notifies the user that AARP may share information, including personally identifiable information (PII), with services that help the organization improve advertising services.
As with many others that confront alleged violations of privacy policies, this case was decided on the threshold ground of standing. Specifically, the court had to first determine whether Austin-Spearman had pled the necessary injury-in-fact so as to push her claims into the purview of federal court jurisdiction. See Lujan v. Defenders of Wildlife, 504 U.S. 550 (1992) (observing that a showing of standing is an "essential and unchanging predicate" to an exercise of federal court jurisdiction). Injury-in-fact is an invasion of a protected interest that is both (1) concrete and particularized, (2) and actual or imminent. Mere conjecture or a hypothetical is insufficient to meet the second prong. As for the nature of the injury, while economic harm is a unquestioned example of a sufficient injury-in-fact, a mere request for money is not generally considered such an injury. Rather, there must be some evidence of overpayment relative to what the complainant bargained for, and what was actually received. As applied to this case, Austin-Spearman alleged that she would not have paid $43 for her membership but for her belief that her PII gleaned by AARP from her use of its website was not distributed to third parties.
Even while affording Austin-Spearman's factual claims the presumption of truth and the benefit of all reasonable inferences deriving therefrom, as mandated by Federal Rule of Civil Procedure 12(b)(1) and (b)(6), the court did not find that a sufficient injury-in-fact existed which would warrant a grant of standing. See also Browning v. Clinton, 292 F.3d 235 (D.C. Cir. 2002) ("legal conclusions cast in the form of factual allegations" are insufficient to survive a motion to dismiss). In fact, for two reasons, the court cast such claims as "entirely implausible."
Consequently, the court granted AARP's motion to dismiss. As for Austin-Spearman, this is the second reported decision since April 2015 involving privacy issues in which she is the named plaintiff. In Austin-Spearman v. AMC Network Entertainment LLC, --- F. Supp. 3d ----, 2015 WL 1539052 (S.D.N.Y. Apr. 7, 2015), she sued a television network for alleged Video Privacy Protection Act (VPPA) violations after the network disclosed her personal information to Facebook. Unlike the AARP case, Austin-Spearman was found here to have standing based on the specific language of the VPPA. However, as Austin-Spearman had not paid to view any content, nor had she registered for an account on AMC's site, she was not deemed to be a "consumer" protected by the VPPA.
What is most notable about AARP is that it exemplifies how courts distinguish between data sharing cases and data breach cases. In the former, given that there is less of downstream harm, courts are hesitant to confer standing. In the latter, given that hackers often seize data in order to create harm in the future, courts are much more likely to conclude that plaintiffs' have been the victim of a cognizable injury so as to confer Article III standing.