
Enforcing Federal Privacy Law—Constitutional Limitations on Private Rights of Action

Updated May 31, 2019 (LSB10303)

Over the last two years, the prospect of a comprehensive federal data privacy law has been the subject of considerable attention in the press and in Congress. Some Members of Congress and outside groups have developed many proposals in the last six months alone. Some of the proposed legislation would limit companies' ability to use personal information collected online, require that companies protect customers from data breaches, provide certain disclosures about their use of personal information, or allow users to opt out of certain data practices. Some proposals combine all of those elements or take still different approaches.

One overarching question that every data privacy proposal raises is how to enforce any new federal rights or obligations that a given bill would impose. One traditional method of enforcement would be by a federal agency, such as the Federal Trade Commission or Department of Justice, through civil penalties or criminal liability. A bill could also provide for enforcement in civil lawsuits brought by state attorneys general. Along with these methods, several outside commentators have recently called for any new federal privacy legislation to include a federal private right of action—a right that would allow individuals aggrieved by violations of the law to file lawsuits against violators in order to obtain money damages in federal court. At least one bill proposed in Congress includes such a right: the Privacy Bill of Rights Act, S. 1214.

Such proposals for judicial enforcement by individual lawsuits must necessarily tangle with the constitutional limits on when federal courts can hear such claims. This Sidebar considers how the lower courts have addressed such questions in the wake of the Supreme Court's 2016 decision in Spokeo v. Robins. As is discussed in detail below, these cases reveal some common principles on the limits of federal justiciability that might inform Congress's efforts to craft a private right of action in the data privacy context.

Article III Standing and Spokeo v. Robins.

Under Article III of the Constitution, federal courts can only exercise the judicial power in "cases" and "controversies." The Supreme Court has interpreted this limitation to mean, among other things, that courts can only adjudicate a dispute if the party seeking relief shows "standing." The doctrine of standing requires that a litigant must have "a personal stake in the outcome of the controversy as to warrant [the] invocation of federal-court jurisdiction and to justify exercise of the court's remedial powers on his behalf." Courts generally evaluate standing with a three-part test: a litigant must show that he has personally suffered or will suffer (1) a concrete, particularized, and actual or imminent injury-in-fact (2) that is traceable to the allegedly unlawful actions of the opposing party and (3) that is redressable by a favorable judicial decision.

The constitutional nature of this limitation means that even if Congress provides for a private right of action, federal courts may not be able to adjudicate such claims, as the 2016 Supreme Court case Spokeo, Inc. v. Robins illustrates. Spokeo involved a Fair Credit Reporting Act (FCRA) lawsuit brought by Thomas Robins against a website operator that allowed users to search for particular individuals and obtain personal information harvested from several databases. Robins alleged that Spokeo's information about him was incorrect, in violation of the FCRA requirement that consumer reporting agencies "follow reasonable procedures to assure maximum possible accuracy." Although FCRA provides that individuals like Robins can sue for willful violations of its provisions, the Court explained that, under the first prong of the tripartite standing inquiry, Robins still had to show that Spokeo's conduct had injured Robins in a concrete and particularized way. Robins's complaint did not allege any financial or reputational injury from the inaccuracies, but he sought statutory damages (i.e., set monetary damages for bare violations of the law) for the entire class of similarly situated individuals.

Although there was no question that Robins's alleged injury was particularized (because it affected him in a distinct fashion), the Court determined that the lower court had failed to adequately analyze whether Robins's allegations amounted to concrete injury. According to the Court, this requirement did not necessitate that Robins allege a pecuniary, tangible injury as a result of the inaccurate representations—but whatever injury he alleged, it had to be "real," raising the question of what a "real" injury entails. On this front, the Court first explained that, no matter what Congress intended, a "bare procedural violation" could not give rise to standing. For example, no injury-in-fact would typically result if a consumer reporting agency incorrectly reported a consumer's zip code, as the Court could not envision this kind of misrepresentation harming a consumer in a real way. The Court then identified two factors courts can consider in determining when an intangible harm rises to the level of a concrete injury. First, "the judgment of Congress play[s] [an] important role" with respect to this question, although the Court did not clarify the extent of that role. Second, because the "case or controversy requirement is grounded in historical practice," courts should look to harms that have been "traditionally [] regarded as providing a basis for a lawsuit in English or American courts" as "instructive" in identifying statutory violations that can amount to concrete injuries. Ultimately, the Court did not decide whether Robins's injury was concrete, remanding the case to the Ninth Circuit to make that determination in the first instance.

Post-Spokeo Case Law.

In the wake of Spokeo, many courts have considered whether concrete injury-in-fact is present under existing private rights of action.

Exposure of Personal Information. A few federal statutes already provide litigants a private right of action when certain information is inadvertently exposed or inadequately protected. For example, the Fair and Accurate Credit Transactions Act (FACTA), which amended FCRA in 2003 to better protect individuals from identity theft, requires, among other things, the truncation of credit card numbers printed on receipts—no more than the last five digits of a card number or the expiration date may be printed on any receipt. Individuals can sue to enforce this provision, just as they can for other violations of FCRA.

The Third Circuit considered this provision in a case decided earlier this year, Kamal v. J. Crew Group, Inc. There, plaintiff Kamal filed a class action suit against the clothing store J. Crew alleging that, after his purchases at J. Crew retail stores, he received receipts printing the first six digits of his credit card number, as well as the last four digits. Kamal did not allege that anyone other than the cashier saw the receipt or that someone stole his identity as a result of the apparently unlawful redaction. The court, joining with several other circuits that had considered similar claims under FACTA, concluded that Kamal had failed to allege a concrete injury. Kamal claimed that he was injured in two ways. First, he claimed the printing of the unredacted information in violation of FACTA, standing alone, amounted to an injury-in-fact. Second, he claimed an increased risk that his identity would be stolen constituted a sufficient injury. On the first argument, the court, applying the two key factors enunciated in Spokeo, acknowledged that while Congress had expressed "an intent to make the injury redressable," this was not enough to "automatically satisfy" the injury-in-fact inquiry. In considering whether history and tradition supported Kamal's claim of concrete injury, the court analogized the harm alleged to "traditional privacy torts" and determined that the key factor underlying such torts was disclosure "to a third party." Here, Kamal had alleged no disclosures of information to third parties, meaning that his harm did not bear a close relationship to the harms recognized at common law. On Kamal's second argument, the court rejected the idea of injury arising from "increased risk" of identity theft as depending on an unreasonably speculative chain of future events. In the court's view, Kamal had not plausibly alleged that he would lose the receipt and that unidentified third parties would use the information in the receipt to steal his identity.

By contrast, in the Third Circuit's prior decision in In re: Horizon Healthcare Services Data Breach Litigation, the court held that plaintiffs properly alleged standing to pursue a claim under FCRA when the defendant had allegedly allowed the theft from its headquarters of laptop computers containing the unencrypted personal information of the plaintiffs. The plaintiffs claimed that this violated FCRA by unlawfully "furnishing" their personal information to third parties, and that this unlawful furnishing alone constituted concrete injury (the court ruled only on standing and declined to consider whether such a claim was viable under FCRA on the merits). The court agreed that this violation constituted an injury-in-fact. Unlike in Kamal, in Horizon, and in similar decisions from other circuits, the key factor was that the plaintiffs alleged that information was shared with third parties—the laptop thieves—and that was enough to make the harm concrete because of the connection to common law privacy torts involving dissemination of private information. Although the common law did not proscribe the release of "truthful information that is not harmful to one's reputation," Congress had elevated this to a concrete injury by passing the statute in question.

Retention and Collection of Personal Information. A few other federal and state laws provide private rights of action against companies that collect or retain information without proper authorization. As with the claims under FCRA discussed above, lower courts have considered standing to pursue these claims after Spokeo. For example, in Gubala v. Time Warner Cable, the Seventh Circuit confronted a claim under the Cable Communications Policy Act (CCPA), which requires cable operators to "destroy personally identifiable information if the information is no longer necessary for the purpose for which it was collected." The CCPA also provides for a private right of action against cable operators that violate this provision. The plaintiff Gubala alleged that, although he canceled his Time Warner Cable subscription in 2006, in 2014 he learned that all of the information that he originally provided to the company had remained in the company's possession. Gubala, however, did not allege any specific consequences flowing from the cable company's actions—only that "retention of the information, on its own, has somehow violated a privacy right." The court rejected this argument because there was "no indication that Time Warner has released, or allowed anyone to disseminate any of the plaintiff's personal information in the company's possession." Similarly, in Hancock v. Urban Outfitters, Inc., the D.C. Circuit determined that there was no injury-in-fact when a plaintiff alleged that a clothing retailer's unlawful collection of her zip code at the point of purchase violated her rights. Under D.C.'s Identification Act, it is unlawful to collect a consumer's address as a condition of accepting a credit card. However, similar to the holding in Gubala, the plaintiff alleged no injury apart from a bare violation of the requirements of the D.C. law, and she did not tie that violation to any privacy interest recognized by the court.

Even though cases like Gubala suggest that a failure to destroy personal information, without more, generally does not amount to an injury-in-fact, some courts have suggested that this principle can be limited when certain types of especially sensitive information—like biometric information—are involved. However, other courts have disagreed, and the precise boundaries of this limitation have yet to be established.

Intrusion into Private Spaces and Nuisance Correspondence. Yet another category of cases in which courts have considered statutory violations involves consumers who have received an unwanted communication. Under the Telephone Consumer Protection Act (TCPA), it is generally unlawful to call a consumer's cell phone using an automatic telephone dialing system. In a series of cases, courts have largely concluded that consumers have standing to sue for violations of the TCPA without alleging any additional harm beyond the statutory violation itself. For example, in Melito v. Experian Marketing Solutions, a case decided in April 2019, the Second Circuit determined that plaintiffs had standing to bring a class action lawsuit for the receipt of unsolicited text messages in violation of the TCPA, despite alleging no additional injury beyond the receipt of unwanted messages. The court explained that "the receipt of unwanted advertisements is itself the harm" that Congress sought to prevent. The court analogized the harm from the receipt of such advertisements to the common law injury of "intrusion upon seclusion," concluding that Congress could create such a cause of action without requiring a showing of additional injury. As a different circuit explained in analyzing a similar claim, although one phone call or a handful of text messages would ordinarily not give rise to an intrusion upon seclusion claim, Congress "sought to protect the same interests" and the TCPA successfully "elevat[ed] a harm" that was previously inadequate to one that is concrete.

Disclosures About Existing Practices. Finally, many federal statutes provide consumers a right to be informed of certain information through mandatory disclosures. Whether standing exists to complain about the failure to make a particular disclosure turns on the factual circumstances—specifically, the nature of the disclosure and allegations of how the lack of the information affected the plaintiff. However, courts have generally rejected the idea that the failure to make a disclosure—standing alone—results in a justiciable injury. For example, in Hagy v. Demers & Adams, the Sixth Circuit found that a plaintiff had not suffered a concrete injury-in-fact when a law firm sent a letter to the plaintiff about a debt that failed to include a disclosure required by the Fair Debt Collection Practices Act (FDCPA). The FDCPA mandates, among other things, that all communications concerning a debt indicate if they are from debt collectors. However, the actual letter at issue in Hagy, although from a debt collector and lacking the required disclosure, was only sent to confirm that the lender would not be collecting on the debt. Plaintiffs failed to explain how the lack of the required disclosure had harmed them. Plaintiffs even asserted that a more favorable letter, such as one attaching $1,000 in cash, would support an injury if it lacked the required disclosure. The court could not see how an injury could exist in such a case and refused to conclude that the lack of a disclosure would, in all circumstances, give rise to concrete injury.

Although a missing disclosure by itself rarely establishes a concrete injury, courts have concluded that not much more is needed to establish standing. Some courts have concluded that an abstract explanation of the importance of the disclosure, even without tying it to the plaintiff's specific circumstances, can be enough to establish concrete injury. For instance, in Macy v. GC Services Limited Partnership, a Sixth Circuit case that followed Hagy, the court found that plaintiffs had suffered a concrete injury when they had received a letter from a debt collector that failed to inform them that they had to dispute debts in writing, as the FDCPA requires. Unlike Hagy, in Macy the court determined that the lack of this disclosure created a risk of harm to the plaintiffs because it provided "misleading information" about how consumers could dispute the debt and could have led them to inadvertently waive their rights.

Relevance to Future Privacy Legislation

A future federal privacy law may seek to create a private right of action that could allow individuals to enforce any rights created under the statute. For example, a future privacy law could afford rights mirroring more limited ones that currently exist in federal law—including rights that protect users from unauthorized sharing of their information, rights that prevent companies from collecting or retaining too much information, or rights requiring that companies inform consumers about data practices. As a result, the case law discussed above may provide insight into how a court might evaluate the constitutionality of a new private right of action contained in future privacy legislation.

The case law on standing and privacy law provides several guideposts for Congress to consider. First, it is important to understand what the post-Spokeo cases did not consider, namely a situation where a plaintiff has suffered a pecuniary or reputational injury as a result of a privacy violation. In such a situation, there would be no question as to standing because such injuries are injuries-in-fact. However, many data breaches and other privacy violations that a data privacy law may target generally will not involve pecuniary injury.

Congress's role can be to elevate these intangible harms to concrete status, irrespective of financial harm. As the case law discussed above suggests, Congress can craft privacy legislation that does this in two ways. First, Congress can ensure that the federal right of action involves a harm bearing a "close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts," such as a harm involving nuisance or involving the sharing of private information with third parties. Second, Congress can tie the federal right of action to some sort of "substantial risk" of actual harm and can "articulate chains of causation that will give rise to a case or controversy where none existed before." Ultimately, however, this is a legal area that is in flux, and a future Supreme Court decision could further change the landscape for Congress.

Former Legislative Attorney Wilson Freeman was the author of this Sidebar. Future inquiries on this issue can be submitted to Chris Linebaugh, who is listed as the coordinator for this product, but is not the author.