In the past two months, the U.S. Court of Appeals for the Sixth and Eighth Circuits have issued significant decisions on the issue of standing in privacy cases. Taken together, these decisions are seemingly inconsistent, offering conflicting standards for what constitutes a cognizable injury sufficient to confer standing at the pleading stage in privacy cases.

Carlsen v. GameStop, Inc.

In Carlsen v. GameStop, Inc., No. 15-2453 (Eighth Cir. Aug. 16, 2016), the Eighth Circuit expanded standing to bring claims for violations of a privacy policy. Matthew Carlsen filed a class action suit for breach of contract, unjust enrichment and other state claims, alleging that GameStop violated its privacy policy, which provided that, with certain exceptions, GameStop did not share personal information with third parties. Specifically, Carlsen alleged that when users logged onto the Game Informer website, which was controlled by GameStop, through their Facebook accounts, the website transmitted their Facebook IDs and Game Informer browsing histories to Facebook if they did not log out of their Facebook accounts. Carlsen alleged that, had he known about the sharing of information, he either would not have paid as much for his subscription or would have refrained from accessing the online content on the Game Informer website for which he paid.

The district court dismissed Carlsen’s complaint for lack of standing, holding that Carlsen had failed to allege that he suffered a cognizable injury. The Eighth Circuit affirmed the dismissal, not for lack of standing, but for failing to state a claim. In addressing the issue of standing, the court found that Carlsen’s allegation that he suffered damages “in the form of devaluation of his Game Informer subscription in an amount equal to the difference between the value of the subscription that he paid for and the value of the subscription that he received, i.e., a subscription with compromised privacy protection,” constituted an “actual” injury. Carlsen, at *7. In addition, the court found that “Carlsen’s allegation that he did not receive data protection set forth in GameStop’s policies” was sufficient to establish standing for his unjust enrichment claim. Id.

Braitberg v. Charter Communications, Inc.

A few weeks later, the Eighth Circuit issued a seemingly contradictory decision inBraitberg v. Charter Communications, Inc., No. 14-1737 (Eighth Cir. Sept. 8, 2016), which limited standing to bring claims for the retention of personal information. In Braitberg, Alex Braitberg brought a class action lawsuit alleging that Charter Communications, Inc. (Charter) had violated the Cable Communications Protection Act (CCPA) by retaining the personally identifiable information of its customers after they had cancelled their subscriptions and after retention of that information was no longer necessary for Charter to provide services, collect payments, or satisfy any tax, accounting or legal obligations. In his complaint, Braitberg alleged that he and the other proposed class members had suffered two injuries. First, he alleged Charter’s retention of subscribers’ personal information directly invaded their federally protected privacy rights under the CCPA. Second, he alleged the class had not received the full value of the services that they had purchased from Charter. Specifically, Braitberg alleged that the class placed a monetary value on controlling and protecting their personal information and that when they subscribed to cable service, they paid for Charter to destroy their information when Charter no longer needed it. Charter’s failure to do so deprived them of the service for which they had allegedly paid.

The district court dismissed the complaint upon Charter’s motion challenging the plaintiff’s Article III standing. The Eighth Circuit affirmed the district court’s dismissal, finding that Braitberg’s complaint had fallen short of the Spokeo v. Robbins standard by failing to allege a concrete injury arising from Charter Communications’ alleged retention of the personal information. See Braitberg, No. 14-1737, at 8. Instead, Braitberg had only alleged “a bare procedural violation, divorced from any concrete harm.” See id. (citation omitted). The court noted that Braitberg had failed to allege that the personal information that Charter had retained, allegedly in violation of the CCPA, had been disclosed to or accessed by a third party or that Charter had even used the information itself during the disputed period. See id. The Eighth Circuit observed that while there was an established common law tradition recognizing injury based on the invasion of privacy rights, there was no such tradition for the retention of personal information that was lawfully obtained. See id. The court similarly rejected Braitberg’s economic injury argument, holding that “Braitberg has not adequately alleged that there was any effect on the value of the service that he [and the other class members] purchased from Charter.”Id., at 9.

Galaria, et al. v. Nationwide Mutual Insurance Co.

Only four days after Braitberg, the Sixth Circuit issued its decision in Galaria, et al. v. Nationwide Mutual Insurance Co., No. 15-3386/3387 (Sixth Cir., Sept. 12, 2016), which expanded standing in data breach cases. In Galaria, Mohammad Galaria and Alex Hancock filed class action complaints against Nationwide Mutual Insurance Co. (Nationwide) for negligence and other state claims after hackers broke into Nationwide’s network and stole the personal information of 11 million Nationwide customers. The complaints alleged that the Nationwide data breach created an “imminent, immediate and continuing increased risk” that the plaintiffs and the other class members would be the victims of identity theft and that they had suffered and would continue to suffer both “financial and temporal” costs, such as having to purchase credit reporting and monitoring services, instituting and/or removing credit freezes, and closing or modifying financial accounts.

The district court dismissed the complaints, concluding that the plaintiffs had not alleged an injury sufficient to confer Article III standing. The Sixth Circuit reversed the dismissal, concluding that the plaintiffs’ allegations that the theft of their personal information subjected them to a heightened risk of identity theft and caused them to incur mitigation costs, such as credit monitoring, was sufficient to establish standing at the pleading stage. Citing Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147, 1150 n.5 (2013), the Sixth Circuit explained that “threatened injury must be certainly impending to constitute injury in fact,” and “standing [may be] based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid the harm, even where it is not ‘literally certain the harms they identify will come about.’”Galaria, Nos. 15-3386/3387, at 6. Turning to the allegations of the complaints, the court found that “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hacker will use the victims’ data for…fraudulent purposes[,]” and “although it might not be ‘literally certain’ that Plaintiffs’ data will be misused…, there is a sufficiently substantial risk of harm that incurring mitigation costs is reasonable." Id. at 6-7.

The Impact

At first glance, these three cases appear incompatible. However, upon closer inspection, they adhere to the proposition that injuries traditionally recognized by the common law are sufficient to confer Article III standing at the pleading stage, while novel theories of injury are less likely to be recognized. Carlsen was premised on a breach of contract claim in which the plaintiff alleged he did not receive the benefit of the bargain for which he had paid. The common law has long recognized that contract damages are concrete injuries for the purposes of establishing standing. Galaria involved circumstances involving criminal activity that led the court to conclude that the plaintiffs faced an imminent threat of identity theft and fraud, which would constitute concrete harm to those plaintiffs. In contrast, the common law does not recognize the existence of an injury based upon the retention of personal information that has been legally obtained, as in Braitberg.