Recently, the U.S. Court of Appeals for the Ninth Circuit held that a plaintiff failed to allege a sufficiently concrete injury caused by a printed receipt that included the plaintiff’s credit card expiration date. The plaintiff alleged that the receipt’s inclusion of the expiration date constituted a violation of the Fair and Accurate Credit Transactions Act (FACTA), as amended by the Credit and Debit Card Receipt Clarification Act, which limits the amount of information that may be printed on credit card receipts and prohibits the printing of a credit card’s expiration date. Despite this alleged technical violation of FACTA, the district court granted the defendant’s motion to dismiss for lack of standing, finding that the plaintiff failed to properly allege a sufficiently concrete injury.
On appeal, the Ninth Circuit affirmed the lower court’s ruling under the Supreme Court’s landmark standing decision, Spokeo v. Robins, which held that mere technical statutory violations are insufficient to assert standing unless the plaintiff has actually suffered a concrete injury in fact. In its ruling, the Ninth Circuit found that the plaintiff suffered no injury as the “receipt fell into [the named plaintiff’s] hands in a parking garage and no identity thief was there to snatch it.” Moreover, the Ninth Circuit found that the mere increased risk of identity theft caused by the printed receipt did not constitute a sufficiently concrete injury for standing under Spokeo.
The Ninth Circuit’s decision comes amidst continued uncertainty relating to how the courts should read Spokeo in the data privacy context, where plaintiffs often struggle to allege a specific injury without evidence of actual identity theft or fraud.
TIP: Despite the defendant’s successful dismissal in this matter, this litigation demonstrates the plaintiffs’ bar’s increased focus on data privacy litigation.