Background

Data privacy law is rapidly developing; significant updates to data privacy and protection laws (now enacted in over 100 jurisdictions worldwide) are of increasing importance to class action litigation. Especially after the enactment of the EU General Data Protection Regulation (GDPR) and the Chinese Cybersecurity Law (and its supporting guidelines and regulations), there is a strong push for the enactment of stricter data protection laws in the United States. Practitioners must consider the implications of Article III standing on putative data privacy class actions.

According to Article III of the United States Constitution, the federal judicial power extends to all cases arising under the Constitution between citizens of different states. U.S. Const. art. III, § 2, cl. 1. The Constitution requires that the plaintiffs must have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1542 (2016). To properly establish an “injury in fact” in data privacy class actions, plaintiffs must prove that their injuries are “concrete and particularized” and “certainly impending.” As courts continue to grapple with this emerging area of law, additional, significant changes are likely to develop.

Class Injuries must be Concrete and Particularized

Courts must determine whether plaintiffs have alleged a concrete, particularized injury before conferring Article III standing. In Spokeo v. Robins, the plaintiff alleged that Spokeo violated the Fair Credit Reporting Act (FCRA) by making false personal information publicly available on the Internet, including false assertions that plaintiff was married and wealthy. The Ninth Circuit held that the technical violation of the FCRA alleged by the Plaintiff was an adequately alleged “injury in fact” sufficient for the purposes of Article III standing. On appeal, the Supreme Court held that the Ninth Circuit “failed to fully appreciate” whether the particular procedural violations alleged by the plaintiff was sufficiently concrete, reasoning that plaintiffs cannot “allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1550 (2016). Thus, plaintiffs do not “automatically satisfy the injury-in-fact requirement whenever a statute grants a right and purports to authorize a suit to vindicate it.” Id. at 1549.

Post-Spokeo, courts have continued to require parties to prove concrete harm before conferring Article III standing. For example, in a recent putative class alleged that a national retailer violated the D.C. Consumer Protection Act by requesting customers to provide their zip codes at checkout. The D.C. Circuit ruled that the retailer’s simple request and recording of the zip codes, “without any concrete consequence,” did not present a risk of real harm. Similarly, the Eighth Circuit found no real injury where a defendant cable company retained records of former customer telephone and Social Security numbers for years after the former customers cancelled their cable subscriptions. The Seventh Circuit has agreed that such record retention poses no material risk. These subsequent holdings indicate that the mere retention of consumer data, without the presence of material, concrete risks (such as those posed by a data breach) is not itself sufficient to confer Article III standing.

Class Injuries must be Actual or Certainly Impending

Courts must also determine whether plaintiffs have suffered “actual” or “certainly impending” injuries before conferring Article III standing. Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147, 1147 (2013). In Clapper, a putative class alleged that the National Security Administration had violated the Fourth Amendment when it conducted warrantless wiretapping of telephone and e-mail communications authorized by the Bush administration. The Supreme Court held that the class’s arguments were too speculative because the government had not indicated it intended to imminently target class member communications. Id. at 1147-48 (“[W]e have repeatedly reiterated that threatened injury must be certainly impending to constitute injury in fact, and that [a]llegations of possible future injury are not sufficient.”) (internal citations omitted) (emphasis in original).

Post-Clapper, courts have struggled to define what constitutes an “actual” injury. The Third Circuit has recognized that it has “not been entirely consistent” in defining “actual injury” sufficient to support Article III standing. “In some cases, we have appeared to reject the idea that the violation of a statute can, by itself, cause an injury sufficient for purposes of Article III standing. But we have also accepted the argument, in some circumstances, that the breach of a statute is enough to cause a cognizable injury — even without economic or other tangible harm.” For example, in a recent case, hackers accessed the personal financial data of 27,000 employee class members, including names, Social Security numbers, dates of birth, and bank account information. The Third Circuit held that the risk of harm was too speculative–to actually cause injury, the hackers would have to read, copy, and understand the class members’ personal information; intend to commit a future criminal act by misusing the information; and conduct unauthorized transactions in each class member’s name. “Unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.”

In comparison, the Third Circuit did find injury sufficient to establish Article III standing in a case where plaintiffs alleged a violation of the FCRA. The Third Circuit held that “the violation of a statute can cause an injury in fact and grant Article III standing,” noting that “the actual or threatened injury required by Article III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing.” However, “there are some circumstances where the mere technical violation of a procedural requirement of a statute cannot, in and of itself, constitute an injury in fact.”

Some courts have clearly identified “actual” injuries where consumers were forced to expend tangible resources to protect their rights and/or privacy. However, the Third Circuit has explained that when it comes to laws that protect privacy, a focus on economic loss is misplaced.

Thus, although it is unclear exactly which injuries are considered “actual,” courts appear to emphasize injuries that “affect plaintiff[s] in a personal and individual way.”

Implications

Although “concreteness,” “particularity,” and “certainty” are not interpreted uniformly, it appears that courts are unlikely to confer Article III standing on “bare” allegations of violations of procedural or statutory rights. However, courts are more likely to find Article III standing where parties’ privacy interests are alleged to have been violated in a concrete, material way. To that end, where personal information has actually been exposed (for example, as the result of a data breach) or plaintiffs have suffered tangible loss, courts are likely to confer Article III standing.