There has been a recent proliferation of cases brought by consumers claiming various statutory and common law violations by websites and smartphone applications. In response, defendants often argue that the consumers failed to allege any demonstrable, concrete, or particularized harm and, thus, lack sufficient injury-in-fact for Article III standing.
Three recent decisions in privacy cases within the Ninth Circuit illustrate how courts are grappling with Article III standing issues.
Robins v. Spokeo, Inc.
Perhaps no case better illustrates how courts are grappling with these standing issues than Robins v. Spokeo, Inc.1 Spokeo operates a search engine (http://www.spokeo.com) that helps users to connect with family, friends, business contacts and others by searching for a name, email address, or phone number. Thomas Robins, who was unhappy with the allegedly incorrect information about him available on spokeo.com, sued Spokeo under the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (FCRA). In the complaint, Robins alleged that Spokeo was a consumer reporting agency, and that it issu es consumer reports under FCRA without taking certain precautions or making certain disclosures required under the terms of that act.
In his initial complaint, Robins, who was unemployed, alleged concern that the inaccuracies in his profile on spokeo.com would affect his ability to obtain employment. In response, Spokeo—which was represented by Mayer Brown—argued, among other things, that Robins’ speculative and hypothetical concern about possible future harm to employment prospects was insufficient to confer Article III standing. Spokeo also argued that simply alleging violations of FCRA is insufficient for standing because even where statutory damages are available, plaintiff still must show an injury-in-fact to meet Article III’s standing requirements.
The court initially agreed with Spokeo, and granted Spokeo’s request for dismissal. The court explained that “even when asserting a statutory violation, the plaintiff must allege ‘the Article III minima of injury-in-fact,’” and that “Plaintiff has not suffered an injury-in-fact because Plaintiff has failed to allege that [Spokeo] has caused him any actual or imminent harm.”2 The court concluded that, because the Supreme Court has made it clear that allegations of possible future injury do not satisfy Article III, plaintiff’s concern that he will be adversely affected by spokeo.com in the future is insufficient to confer standing.3
Plaintiff amended his complaint to include further allegations regarding his harm—that he suffers actual harm in the form of anxiety, stress, concern and/or worry about his diminished employment prospects because incorrect information about him can be found through a search on Spokeo.com. Although the these allegations varied little from those in his initial complaint, the court found that the First Amended Complaint contained sufficient allegations of harm for standing: “Plaintiff has alleged an injury in fact—the ‘marketing of inaccurate consumer reporting information about Plaintiff’—that is fairly traceable to Defendant’s conduct—alleged FCRA violations—and that is likely to be redressed by a favorable decision from this Court.”4
Spokeo subsequently sought certification from the district court to appeal the lower court’s order holding that plaintiff had standing, arguing that the Ninth Circuit’s guidance was needed regarding the application of the Article III injury-in-fact requirement in the Internet privacy context. In a stunning move, the district court reinstated its initial Order, which found that plaintiff lacked standing, and dismissed the case.
The court affirmed that “the alleged harm to Plaintiff’s employment prospects is speculative, attenuated and implausible,” that “[m]ere violation of the Fair Credit Reporting Act does not confer Article III standing … where no injury in fact is properly pled,” and that “[o]therwise, federal courts will be inundated by web surfers’ endless complaints.”5 And, in dismissing the action, the court added that plaintiff failed to alleged facts sufficient to trace his alleged harm to Spokeo’s alleged FCRA violations.6
In Re iPhone Application Litigation
On the day after the final Spokeo decision was filed in the Central District of California, a court from the Northern District of California ruled, on similar grounds, that the plaintiff in In Re iPhone Application Litigation lacked standing.7 The iPhone Application Litigation arose from numerous consolidated actions from around the country in which plaintiffs brought claims under federal and state law against Apple, Inc., and others in the mobile phone industry for alleged privacy violations stemming from the collection, use, and distribution of iPhone, iPad, and App Store users’ personal information.
Plaintiffs alleged that the design of Apple’s devices allows applications (apps), without user consent, to access, use, and track the following purportedly personal and private user information for advertising and analytical purposes: address book, cellphone numbers, file system, geolocation, International Mobile Subscriber Identity (IMSI), keyboard cache, photographs, SIM card serial number, and unique device identifier (UDID).
Apple and its co-defendants raised a number of arguments in response to these alleged privacy violations, including the argument that plaintiffs’ allegations did not establish an actual injury or harm, or an injury fairly traceable to defendants, sufficient for Article III standing. In its order dismissing the complaint with leave to amend, the court agreed.8 The court explained that plaintiffs had failed to allege injury-in-fact to themselves, as opposed to consumers in general. According to the court, plaintiffs failed to allege any particularized facts about the devices they used, which defendants or which apps accessed or tracked their personal information, or what harm (if any) resulted from the access or tracking of their personal information.
While this failure alone is sufficient for dismissal, the court made clear that plaintiffs also lacked standing because of their failure to allege a concrete harm sufficient to create an injury-in-fact from the alleged collection and tracking of their personal information. Rather, as the court explained, plaintiffs only made general allegations about defendants and the market for apps, and similar abstract concepts (e.g., lost opportunity costs, value-for-value exchanges), and none of these is sufficient to establish an actual injury sufficient for Article III standing.
And, the court also concluded that Plaintiffs failed to allege any causal chain between the alleged harm and any of the Defendants sufficient to meet the traceability requirement of Article III, because Plaintiffs’ allegations failed to differentiate among Defendants, making it impossible to determine what alleged harm stemmed from what conduct. Leave to amend the complaint was granted, so it remains to be seen whether plaintiffs will be able to develop allegations sufficient for standing.
Krottner v. Starbucks Corp.
While the defendants’ bar has no doubt taken heart over the Spokeo and iPhone Application Litigation decisions, the Ninth Circuit Court of Appeals has recently provided some insight on the contours of standing in the data breach and identity theft contexts that should give the defendants’ bar pause. In Krottner v. Starbucks Corp.,9 the Ninth Circuit held that three current or former Starbucks employees had standing to bring claims against Starbucks arising out of the theft of a laptop containing unencrypted, personally identifiable information, despite the fact that plaintiffs had not suffered any financial harm.
The substance of the three plaintiffs’ claims was similar. One alleged that the only injury he had suffered was generalized anxiety and stress, and that he had spent substantial amounts of time checking his financial accounts and placing fraud alerts on his credit cards. The other plaintiffs alleged that they had been extra vigilant in monitoring their accounts and guarding against future identity theft. Finally, one of the plaintiffs alleged that a potential breach had occurred when someone attempted to open a bank account with his social security number, but the account closed before he suffered any financial loss.
The Ninth Circuit held that these allegations were sufficient to establish injury-in-fact, and noted that while it had not previously decided whether an increased risk of identify theft constituted an injury-in-fact, it had, in the environmental and medical contexts, found that the threat of future harm may be sufficient to confer standing. In particular, the court recited, “[a] plaintiff may allege a future injury in order to comply with [the injury-in-fact] requirement, but only if he or she is immediately in danger of sustaining some direct injury as the result of the challenged … conduct and the injury or threat of injury is both real and immediate, not conjectural or hypothetical.”10
The court specifically found that the possibility of identify theft stemming from the actual theft a laptop containing plaintiffs’ unencrypted personally identifiable data was a “credible threat of harm” sufficient to meet the injury-in-fact requirement of Article III.11 However, the court went on to explain that had plaintiffs’ “allegations been more conjectural or hypothetical—for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future—[it] would find the threat far less credible.”12
Implications in for Internet Privacy Cases
In light of theses recent decisions it is difficult to predict how courts will apply the Article III standing requirements in Internet privacy cases. As can be seen in the holdings in Spokeo and the iPhone Application Litigation on the one hand, and Starbucks on the other, decisions based on standing can turn on the intricate details of plaintiffs’ allegations. Until more Internet privacy cases make their way to the higher courts and authoritative guidance is offered, courts will continue to grapple with these issues.