As millions of consumers gamely plug in their names, credit card numbers and home addresses on various retail websites — all while “multitasking” at their office computer this Cyber Monday — many will feel that familiar but fleeting sense of unease regarding their personal privacy. How secure is my information? What data are these websites collecting, storing, sharing or outright selling about me that I don’t even realize?
Though still vaguely expressed in most instances, there appears to be a growing sentiment in this country that not enough is being done to protect the privacy rights of individuals. The Federal Trade Commission (FTC) recently completed a three-year effort to particularize the concern and prod reform. In its March 2012 final report entitled Protecting Consumer Privacy in an Era of Rapid Change, Recommendations for Businesses and Policy Makers, the FTC called for three general areas of reform: (1) build in privacy at every stage of product development; (2) give consumers the ability to make decisions about their data at a relevant time and context, including a “Do Not Track” mechanism, while reducing the burden on businesses of providing unnecessary choices; and (3) make information collection and use practices transparent.1
The FTC report and other governmental and industry-based efforts to develop best practices offer an emerging set of actionable guidance that businesses can assess in an effort to mitigate risk. However, a comprehensive risk mitigation strategy also requires careful monitoring of litigation outcomes and the opportunity for proactive modification of business rules.
Class action litigation is a favorite vehicle of the data privacy plaintiffs’ bar because the nature of the technology lends itself to commonality and the identification of class members. Computers and computer algorithms may not always be “right,” but they nearly always execute instructions consistently. Thus, when you scale consistently applied business processes across a very large number of records and individuals — and there is no denying the numbers are enormous — you have some of the basic ingredients necessary to foster a very active plaintiffs’ class action bar.
In the data breach category of cases, plaintiffs have historically struggled to establish standing because an actual injury in fact is often unsubstantiated. As recently explained by the Western District of Kentucky in Holmes v. Countrywide Fin. Corp.:
Because an increased risk of identity theft involves a future injury, some jurisdictions find the plaintiffs have not suffered an ‘actual and imminent’ injury as is constitutionally required. Instead, the courts conclude that the injury of identity theft may never come to pass and is therefore too speculative to satisfy constitutional standing.2
Data breach plaintiffs have tended to fare better in situations in which a credible threat of real or immediate harm has at least some factual support. Following Sixth Circuit precedent in Lambert v. Hartman,3 the Holmes court distinguished data loss cases from data theft cases and found sufficient injury in fact for the cost of credit monitoring services to prevent further injury and future identity theft.4 Likewise, the Ninth Circuit has twice found standing in cases involving the theft — as distinguished from the mere loss — of a laptop containing unencrypted data.5
In the separate category of invasion of privacy class action lawsuits, plaintiffs have brought claims under a variety of federal and state statutes. Some of the most frequently litigated federal statutes include the Fair Credit Reporting Act as amended by the Fair and Accurate Credit Transactions Act (FCRA/FACTA), the Telephone Consumer Protection Act (TCPA), the Driver’s Privacy Protection Act (DPPA), the Federal Wiretap Act as amended by the Electronic Communications Privacy Act (ECPA), the Computer Fraud and Abuse Act (CFAA) and the Video Privacy Protection Act (VPPA). At the state level, California’s “Shine the Light” law and the Song-Beverly Credit Card Act are the standouts.
The availability of statutorily defined damages, especially on a per violation or per defendant basis, is an attractive feature of such claims for class plaintiffs. However, plaintiffs are still left with the burden of demonstrating their qualification under the detailed, often technical requirements of the statutes upon which their claim is based. In other words, even if standing is a lower bar in some cases, defendants may well have plenty of arguments at their disposal.
Low v. LinkedIn Corp.,6 a case decided this year by the Northern District of California, exemplifies the dynamic for statutory invasion of privacy cases. Here, the plaintiff class sued under the Stored Communications Act (SCA), alleging that the defendant transmitted information stored in a user’s cookies to third parties, which could theoretically allow the third parties to de-anonymize that user's LinkedIn ID number. The court found the necessary injury for standing, noting that the SCA itself establishes the “concrete and particularized” injury and plaintiffs satisfied their burden by alleging that their information had been disclosed to third parties by LinkedIn's policies.7
However, after finding standing the court proceeded to dismiss the claim because plaintiffs failed to establish the technical requirements for relief under the statute. In this case, the SCA applies to two types of entities: (1) "remote computing services" ("RCS"), and (2) "electronic communication services" ("ECS"). Plaintiffs argued that LinkedIn qualified as an RCS, which, under the Act, requires "the provision to the public of computer storage or processing services by means of an electronic communications system." Under the court’s interpretation of the SCA, the particular services provided by LinkedIn did not meet the definition.
Thus, LinkedIn’s choice to offer its services in a particular manner — presumably after having been well advised on the limitations of the SCA and other statutes applicable to its business — had a critical impact on the outcome of this case.
In another example, the Sixth Circuit this year upheld the dismissal of a Driver’s Privacy Protection Act (DPPA) class action, finding that the defendant’s bulk purchase of motor vehicle records without a specific need for every record does not violate the statute.8 Here, it was a point in that defendant’s favor that bulk purchasing and stockpiling of motor vehicle records was a common practice, which the court found the statute left undisturbed.
As these and many other cases in the privacy area demonstrate, the next class action awaits only a new creative interpretation of statute by the plaintiffs’ bar or a new and innovative use of your personal information by online businesses.