Data Breach/Privacy

Subscribe to Data Breach/Privacy

Executive Summary and Takeaway. User agreements for websites and apps have become increasingly prevalent in recent years, and courts have had to adapt traditional rules of contract interpretation to the new digital frontier. On June 25, 2018, the First Circuit reversed a district court decision enforcing an arbitration clause contained in the terms of service for the defendant’s smartphone app, finding that those terms were not sufficiently “conspicuous” for a user to know that he or she had agreed to be bound by them. The First Circuit’s decision continues a trend of judicial hostility to arbitration clauses, and is notable for its scrutiny of the record below: the court studied in minute detail the design and content of the registration screen containing a hyperlink to the terms of service—including the size, shape, color, font, and location of the hyperlink—and concluded that the link to the terms of service failed “to grab the user’s attention.” Businesses with similar user agreements governed by Massachusetts law or that could potentially apply to Massachusetts consumers should review their websites and/or apps to ensure that their platforms disclose any terms of use in a clear and conspicuous manner in relation to the rest of the content on the screen.

Additional Background. To use the services provided by the defendant company (the “Company”) via its smartphone app, a customer must first register with the Company by creating an account. As part of the registration process, users are shown a screen that requests their payment information and notifies them that by creating an account they are agreeing to the Company’s Terms of Service and its Privacy Policy:

The words “Terms of Service & Privacy Policy” are in a clickable box that includes a hyperlink. Upon clicking on that hyperlink, the user is directed to a screen with two other links: one to the Terms of Service, and the other to the Privacy Policy. The user can view either document by clicking on the appropriate link.

Continue Reading First Circuit Invalidates Arbitration Clause in Mobil App User Agreement

Seyfarth Synopsis: In light of the uncertainties surrounding lawsuits alleging violations of the Illinois Information Biometric Privacy Act (“BIPA”), the Northern District of California has taken a firm position on a plaintiff’s Article III standing. U.S. District Judge James Donato delivered opinions in In re Facebook Biometric Info. Privacy Litig., Case No. 15-CV-03747; 2018 U.S. Dist. LEXIS 30727 (N.D. Cal. Feb. 26, 2018) and Gullen v. Facebook Inc., Case No. 16-CV-00937; 2018 U.S. Dist. LEXIS 34792 (N.D. Cal. March 2, 2018), denying Facebook’s motions to dismiss for lack of subject matter jurisdiction in both cases. The court held that plaintiffs’ Article III standing was satisfied through mere collection of biometric information.

The decisions provide plaintiffs the ability to get their feet in the door and threaten businesses and employers alike. The court dismissed Facebook’s argument that Article III standing requires “real-world harms,” stating that the argument exceeds the law. Instead, the court held that a plaintiff has standing when they are deprived of procedures that protect statutorily protected interests, similar to the procedures outlined in the BIPA. Continue Reading California Federal District Court Does Not ‘like’ Facebook’s Standing Argument in Illinois Biometric Information Privacy Act Case

Since its enactment a decade ago, the Illinois Biometric Information Privacy Act (BIPA) has seen a recent spike in attention from employees and consumers alike. This is due, in large part, to the technological advancements that businesses use to service consumers and keep track of employee time.

What Is The BIPA?

Intending to protect consumers, Illinois was the first state to enact a statute to regulate use of biometric information. The BIPA regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information. The statute defines biometric identifiers to include a retina or iris scan, fingerprint, or scan of hand or face geometry. Furthermore, the statute defines biometric information as any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Any person aggrieved by a violation of the act may sue to recover actual or statutory damages or other appropriate relief. A prevailing party may also recover attorneys’ fees and costs.

Since September of 2017, there have been more than thirty-five class action BIPA lawsuits with no particular industry being targeted. More commonly sued industries include healthcare facilities, manufacturing and hospitality.

The drastic increase in litigation is largely contributable to employers’ attempt to prevent “buddy punching,” a term that references situations where employees punch in for a co-worker where biometric data is not required to clock in or out. For example, in Howe v. Speedway LLC, the class alleges that defendants violated the BIPA by implementing a finger-operated clock system without informing employees about the company’s policy of use, storage and ultimate destruction of the fingerprint data. Businesses engaging in technological innovation have also come under attack from consumers. In Morris v. Wow Bao LLC, the class alleges that Wow Bao unlawfully used customers’ facial biometrics to verify purchases at self-order kiosks.

Recent Precedent

In Rivera v. Google Inc.,the District Court for the Northern District of Illinois explained that a “biometric identifier” is a “set of biometric measurements” while “biometric information” is the “conversion of those measurements into a different, useable form.” The court reasoned that “[t]he affirmative definition of “biometric information” does important work for the Privacy Act; without it, private entities could evade (or at least arguably could evade) the Act’s restrictions by converting a person’s biometric identifier into some other piece of information, like mathematical representation or, even simpler, a unique number assigned to a person’s biometric identifier.” Thus, a company could be liable for the storage of biometric information, in any form, including an unreadable algorithm.

More recently, in Rosenbach v. Six Flagsthe Illinois Appellate Court, Second District, confirmed that the BIPA is not a strict liability statute that permits recovery for mere violation. Instead, consumers must prove actual harm to sue for a BIPA violation. The court reasoned that the BIPA provides a right of action to persons “aggrieved” by a statutory violation, and an aggrieved person is one who has suffered an actual injury, adverse action, or harm. Vague allegations of harm to privacy are insufficient. The court opined that, if the Illinois legislature intended to allow for a private cause of action for every technical violation of the BIPA, the legislature could have omitted the word “aggrieved” and stated that every violation was actionable. The court’s holding that actual harm is required is consistent with the holdings of federal district courts on this issue.

Damages and Uncertainty

Plaintiffs and their counsel are attracted to the BIPA because it provides for significant statutory damages as well as attorneys’ fees and costs. The BIPA allows plaintiffs to seek $1,000 for each negligent violation, and $5,000 for each intentional or reckless violation, plus attorneys’ fees and costs.

To date, all claims have been filed as negligence claims, and, thus, it is unclear what a plaintiff must show to establish an intentional violation. Similarly, the law is unsettled on whether the statutory damages are awarded per claim or per violation. A per violation rule would exponentially increase a defendant’s potential liability. For example, some plaintiffs are currently seeking $1,000 or $5,000 for each swipe of a fingerprint to clock in or out.

How To Protect Your Business

To avoid a costly mistake when retaining biometric data, businesses should:

  1. provide employees or consumers with a detailed written policy that includes why and how the data will be collected, stored, retained, used, and destroyed;
  2. require a signed consent before collecting the data;
  3. implement a security protocol to protect the data; and
  4. place an appropriate provision in vendor contracts (e.g., for data storage) to require vendors to adhere to the law and report any data breaches.

Consent can be obtained in different ways. For example, employers may condition employment upon an individual’s consent to a data retention policy, and companies can require consumers to accept a click-through consent before accessing a company’s website or application.

For questions or additional information, please contact Esther Slater McDonald at emcdonald@seyfarth.com or Paul Yovanic Jr. at pyovanic@seyfarth.com.

shutterstock_519689296Seyfarth Shaw is pleased to announce the launch of Carpe Datum Law, a one-stop resource for legal professionals seeking to stay abreast of fast-paced developments in eDiscovery and information governance, including data privacy, data security, and records and information management. Seyfarth’s eDiscovery and Information Governance (eDIG) practice group created Carpe Datum Law to serve as a timely and unique resource for executives and corporate in-house counsel to obtain reports on developments, trends and game-changing decisions in these data-driven areas of the law.

Click here to access the new Carpe Datum Law blogsite.

The Carpe Datum Law blog takes a comprehensive view of the legal and practical aspects of corporate data challenges, reflecting the broad strength across the spectrum of data law by Seyfarth’s veteran 14-lawyer eDIG practice group, which has served clients since 2004. Regular readers will benefit from its comprehensive perspective and guidance on how the law is adapting to the interrelated challenges of keeping corporate data secure and in compliance with data privacy laws, adapting to new best practices in information governance, and maintaining defensible data preservation, collection and review when eDiscovery is required.

Carpe Datum Law is a must-read for anyone expected to stay ahead of the curve on how best to manage the growing risks in these areas, in particular:

  • C-Level Executives whose portfolios of responsibility include managing risks with respect to their corporate data
  • In-House Counsel responsible for eDiscovery, data and cybersecurity, data privacy compliance and/or the enterprise’s information governance
  • eDiscovery, IT, IT Security and Privacy Managers who work closely on these issues with their organization’s executives and legal teams
  • Consultants, Academics and Thought Leaders who must stay up-to-speed on legal developments in order to serve their organizational clients

Whether steering policy or implementing it, Carpe Datum Law provides well-informed news and analysis that will keep you and your team up-to-speed. From judicial decisions implementing the new eDiscovery amendments to the Federal Rules of Civil Procedure to guidance on compliance with the upcoming European Union General Data Protection Regulation, Carpe Datum Law provides the news and seasoned analysis you would expect from Seyfarth’s eDIG group.

Carpe Datum Law can be accessed at www.carpedatumlaw.com.

For lawyers who frequently litigate class action lawsuits, whether or not the named plaintiffs have standing to bring a claim is one of the first issues that is analyzed and considered.  Plaintiffs’ lawyers often look for named plaintiffs that have suffered easily identifiable damages, while defense lawyers often rely on standing defenses to ward off costly class action cases.data-breach-warning-label

Background

In order to have standing under Article III of the United States Constitution, potential plaintiffs must be able to show that the injury suffered is (1) concrete, particularized, and actual or imminent, (2) fairly traceable to the challenged action, and (3) redressable by a favorable ruling.  These three factors have been subject to much debate and judicial review.  In recent years, standing has been frequently litigated in cases where plaintiffs claim that they were injured due to someone gaining access to their confidential or private information.

In 2013, the United States Supreme Court attempted to provide guidance on standing questions in the digital age in the case of Clapper v. Amnesty International.  In Clapper, the plaintiffs challenged the constitutionality of section 702 of 50 U.S.C. § 1881a, the Foreign Intelligence Surveillance Act (“FISA”).  Section 702 was added by the FISA Amendments of 2008 and permits the Attorney General and the Director of National Intelligence to conduct warrantless wiretapping of telephone and email communications of certain persons located outside the United States.  Plaintiffs contended that the FISA violated their fourth amendment rights because plaintiffs may have confidential communications with non-United States persons who are subject to surveillance under FISA.

In ruling that the plaintiffs did not have standing to challenge the statute, the Supreme Court made several impactful statements that have resonated with the lower courts.  With respect to the first standing element that the injury suffered must be concrete, particularized, and actual or imminent, the Supreme Court stated that the “threatened injury must be certainly impending to constitute injury in fact.”  Since the plaintiffs could only speculate as to whether their conversations would be intercepted, the first standing element was not met. The court found that allegations of possible future injury are not sufficient.  Alternatively, plaintiffs argued that they have already suffered a concrete injury because they were undertook costly and burdensome measures to protect the confidentiality of their communications.  The Supreme Court found that plaintiffs could not “manufacture standing merely by inflicting harm upon themselves” and that fear is insufficient to create standing.

Clapper was considered a win by many retailers who were vulnerable to large class action suits by customers following incidents of privacy breach.  In many district court cases, relying on the reasoning in Clapper, retailers were able to successfully dismiss claims where customers claimed that their confidential information was exposed to hackers, but were unable to articulate a concrete and imminent injury, as opposed to a hypothetical future injury, had already occurred.

Decision

The Seventh Circuit, however, took a more expansive view of standing in Remijas v. Neiman Marcus Group, LLC.  In mid-December 2013, Neiman Marcus suffered a data breach caused by hackers.  The banking information of approximately 350,000 may have been compromised.  Neiman Marcus notified all customers and offered one year of free credit monitoring and identity-theft protection.  The plaintiffs in Neiman Marcus, filed suit relying on a number state data breach laws for relief.  Neiman Marcus’s motion to dismiss for lack of standing was granted by the district court and plaintiffs appealed to the Seventh Circuit.

The Seventh Court reversed, and held that plaintiffs did have standing to proceed against Neiman Marcus.  The class of plaintiffs contained persons who experienced fraudulent charges on their accounts, and those that did not.  With respect to plaintiffs who experienced fraudulent charges, Neiman Marcus argued that they had not suffered actual injuries because they were reimbursed.  The court found this argument unavailing because there are identifiable costs associated with “the process of sorting things out.”  With respect to the plaintiffs who have not yet seen fraudulent charges on their accounts, the Seventh Circuit said those plaintiffs had standing because there was a “substantial risk” of future harm.  The Seventh Circuit stated that Clapper does not foreclose any use whatsoever of future injuries to support Article III standing.  Notably, the Seventh Circuit also referenced the fact that Neiman Marcus offered one year of credit monitoring and identity-theft protection as a reason for concluding that the risk of harm is not “so ephemeral that it can be safely disregarded.”

Implications

The ruling in Neiman Marcus is at odds with prior, lower court precedent interpreting Clapper.  Nevertheless, it will likely be cited as a leading authority on the scope of Clapper and the issue of standing in data breach cases.  Retailers should be aware of the ruling in Neiman Marcus and its implications, as it arguably makes the standing hurdle easier to overcome for plaintiffs in data breach or privacy cases.  Retailers should also be mindful that “good-will” policies, such as notification to customers of a data breach and offering of credit monitoring services, may be considered by the Court in its reasoning to find that plaintiffs have standing.  The business benefits of these “good-will” policies need to be weighed against the litigation costs when formulating company strategies.

The reach of the Seventh Circuit’s ruling in Neiman Marcus has yet to be tested, but we anticipate that it will spawn more litigation and lengthier cases as more plaintiffs file suit and survive past motions to dismiss based on standing.  We will continue to provide updates on this topic if more circuit courts weigh in on this important issue.

WebinarOn Thursday, September 10 at 12:00 p.m. Central, Seyfarth attorneys Michael Burns, Robert Milligan and Jason Stiehl will present the second installment of our 2015 Class Action Webinar Series. Presenters will discuss the climate to help retailers avoid becoming targets of litigation. This webinar will provide an overview of the current class action lawsuit landscape complete with discussion of recent cases, hot areas, and valuable takeaways to inform strategy. In addition, the panel will explain business practices that retailers should implement to reduce their risk of becoming a defendant in a class action lawsuit, including class action waivers.

Topics will include:

  • Telephone Consumer Protection Act (TCPA);
  • Song Beverly Consumer Warranty Act and similar state statutes;
  • Call Recording;
  • False Advertising and Comparative Pricing Fraud; ‘
  • Gift Cards/Loyalty Programs; and
  • Data Privacy.

register

If you have any questions, please contact events@seyfarth.com.

*CLE Credit for this webinar has been awarded in the following states: CA, IL, NJ and NY. CLE Credit is pending for GA, TX and VA. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.

 

WebinarOn Tuesday, May 26, 2015 at 12:00 p.m. Central, Jason P. Stiehl, Giovanna A. Ferrari and Jordan P. Vick will present the first installment of the 2015 Class Action Webinar series. They will provide a summary of key decisions from 2014, identify key trends for companies to watch for in 2015, as well as practical “best practices” and risk management for the future.

In 2014, companies saw a major change in the focus and risk of class action litigation. According to one industry survey, the percentage of class actions qualifying as “high risk” or “bet-the-company” tripled from 4.5 percent to 16.4 percent. This no doubt derives from the increase in volume of large settlements and continued increase in volume of suits under statutes with minimum statutory penalties, such as the Telephone Consumer Protection Act (TCPA).

The webinar will be provide insight on:

  • The landscape for in-house counsel, including identifying the legal market spend and risk for class actions
  • Case law and trends from 2014, including:
    • evolving class certification standards post-Comcast
    • increased scrutiny of class settlements
    • continued TCPA filings and large settlements
    • post-Concepcion waiver decisions and the CFPB’s arbitration study
    • standing and privacy/data breach cases
  • Highlights from 2015, including:
    • increase use of motion to strike class allegations
    • CAFA challenges
    • TCPA decisions
    • DirecTV Supreme Court arbitration case
    • International expansion of class action vehicle in Europe
  • Practical considerations and takeaways

register

Registration: there is no cost to attend this program, however, registration is required.

*CLE Credit for this webinar has been awarded in the following states: CA, IL, NJ and NY. CLE Credit is pending for GA, TX and VA. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.

If you have any questions, please contact events@seyfarth.com.

By Robert B. Milligan and Christina F. Jackson

Plaintiffs’ attorneys have increasingly filed consumer class actions in California seeking to apply the state’s privacy laws to routine communications between businesses and their customers. If a company records or monitors inbound or outbound telephone calls with customers for calls made to or received by someone located in California, it runs the risk of violating California’s call recording and monitoring laws, which have become enticing to the plaintiffs’ consumer class action bar.

A recent California appellate decision, Kight v. CashCall, Inc., will make it more difficult for plaintiffs to obtain class certification in such cases. Case No. D063363, 4th Appellate Dist., 1st Div. 2014.

Background

Nearly 100 cases have been filed in the last year alleging that companies violated the California Invasion of Privacy Act by failing to inform customers that their inbound or outbound telephone calls were being recorded or monitored.

The CIPA prohibits the intentional recording or eavesdropping of telephone calls without the consent of all parties. Eleven other states also prohibit call recording without the consent of both parties to a telephone call: Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania and Washington.

The CIPA imposes both criminal and civil liability for violators of the statute. For private causes of action, there is arguably no requirement that the plaintiff suffer actual damages. In particular, there is a $5,000 penalty for each violation of California Penal Code section 632. These penalties can quickly accrue as companies who may record or monitor hundreds, if not thousands, of calls each week could be potentially liable for millions of dollars in penalties.

Section 632 prohibits the intentional recording or eavesdropping of a confidential communication without the consent of all parties to the confidential communication.

The California Appellate Court’s Decision

In Kight v. CashCall, Inc., a California Appellate Court affirmed a trial court’s order decertifying a putative class action in a case alleging violations of California Penal Code section 632.  The appellate court held that trial court did not abuse its discretion in finding that “individual issues regarding the individual putative class members’ ‘objectively reasonable expectation of privacy’ predominate over defendant’s alleged uniform policies.” (Slip Op. at 14-15).

In the case, a small group of CashCall borrowers brought a putative class action against the company alleging the unlawful monitoring of telephone conversations. CashCall’s decertification motion argued that numerous individual factual issues relevant to the confidential-communications issue demonstrated that liability on the section 632 claim “cannot be resolved on a class-wide basis.” CashCall focused on the circumstances surrounding each of the named plaintiff’s telephone conversations with CashCall employees and demonstrated that each plaintiff had different experiences regarding “the timing, extent, and nature of the monitored calls and of the call monitoring disclosure, and had different prior experiences with business communications.” (Slip Op. at 13).

CashCall argued that section 632 prohibits eavesdropping only “without the consent” of all parties, and that “[t]he issue of consent cannot be determined on a class-wide basis,” particularly regarding the inbound-caller class members because they may have heard the monitoring disclosure at the outset of call. CashCall argued the “case would quickly splinter into more than 500 mini-trials” and “would be riddled with administrative burdens and complexities that defeat the purpose of the class action mechanism.”  (Slip Op. at 14).

Seeking to overturn the trial’s court decertification order, Plaintiffs argued that the court erred in concluding that individual issues existed regarding whether there was a “confidential communication” within the meaning of section 632 that precluded class action treatment. Plaintiffs argued that common issues predominated because it was undisputed that CashCall secretly monitored more than 500 calls, and no outbound-caller class member received the call monitoring disclosure during the telephone conversation. Plaintiffs argued that whether inbound-caller class members heard the monitoring disclosure during or before the monitored inbound call could be determined on “question and answer forms.”  (Slip Op. at 14).

The appellate court ruled that there were individual fact issues critical to resolving the issue of liability: “although each plaintiff declared that he or she did not believe anyone was listening to their monitored calls with CashCall employees, the trier of fact would have to determine whether a person under the particular circumstances and given the background and experience of each plaintiff would have understood that the particular call was not being monitored.” (Slip Op. at 23).  Instead of relying upon “question and answer forms,” the court found that cross-examination must be permitted, to determine whether each monitored telephone call was a confidential communication subject to section 632’s statutory prohibition.

The court ruled that under section 632, the defendant has the right to litigate the issue of each class member’s consent and each class member’s claimed objectively reasonable expectation that the call was not being monitored. The appellate court reasoned that although “there remain certain common questions—including whether CashCall monitored the calls and the timing of the Call Monitoring Disclosures—the [trial] court acted within its discretion in finding these questions pale in terms of factual complexity and scope when compared with the significant individual questions regarding liability.” (Slip Op. at 26).  The appellate court also found that there were significant individual issues regarding each plaintiff’s reasonable expectations that the conversation would not be overheard or recorded.

Implications

While this decision will help defeat class certifications motions brought under section 632, it remains to be seen whether it will be useful in defending against Section 632.7 claims. Section 632.7 prohibits the recording or monitoring of calls involving cellular or cordless phones and there is no requirement that the communications be confidential.

In this emerging area, sensible business leaders should seek advice from competent counsel to ensure that their call monitoring and recording practices comply with applicable law.

Summary

California Penal Code Section 632 has provided a springboard to litigation related to the recording of telephone calls in the State of California.  Last week, in Hatisihi v. First American, Case No. B244769 (Cal. Ct. App. 2d Dist.), the California Court of Appeal affirmed the recent trend of class certification denials in cases brought under Section 632, based upon the individualized inquires into a determination of whether the communication recorded was “confidential.”

Background Facts

First American issues one-year home warranty plans for major home systems and appliances to customers in 46 states, including California.  Customers may make warranty claims by calling an “800” number (“inbound” calls).  In addition, First American makes calls to existing customers as part of marketing and warranty renewal campaigns (“outbound” calls).  All calls between First American — whether inbound or outbound  — are recorded.  Inbound calls include an automated disclosure that the call may be monitored or recorded.  Outbound calls, however, do not include any such automated disclosure, and, prior to 2009, First American did not have a policy of requiring sales representatives to advise customers that the call may be monitored or recorded.  Id. at *2-4.

Plaintiff purchased a one-year First American Warranty in 2005 and renewed it annually for the next three years until it expired in May 2009.  Between 2005 and May 2008, Plaintiff admitted to making approximately 12 inbound calls to First American during which she received the automated disclosure that her call may be monitored or recorded.  Plaintiff also admitted that she participated in “dozens” of telephone calls with other companies where she understood her call would be recorded or monitored for quality assurance.  Plaintiff did not object to any of the inbound calls with First American or the other companies being recorded.  Id.

In May 2008 and May 2009, Plaintiff received outbound calls from First American’s sales group.  Both calls were recorded and Plaintiff was not given the disclosure that the calls would be recorded or monitored.  Id.

The Lower Court’s Opinion

Thereafter, Plaintiff filed a class action complaint entitled Hataishi v. First American (Los Angeles County Super. Ct. Case No. B244769) against First American for statutory invasion of privacy under California Penal Code Section 632, which prohibits the intentional recording of a “confidential communication” without the consent of all parties to the communication.  Plaintiff filed a class certification motion seeking to certify a class of California consumers who received telephone calls from First American between 2006 and 2009.  Plaintiff asserted that there were common issues of law and fact because: (1) First American was the only defendant; (2) First American’s policy was to record all outbound calls; (3) the outbound calls were not proceeded by an automated warning that the call would be recorded; and (4) prior to 2009, First American did not have a policy requiring its sales persons to give a verbal warning that the call would be recorded.  The trial court denied the motion finding, among other things, that individual issues predominated.  The trial court also rejected Plaintiff’s contention that the objective reasonableness of each plaintiff’s expectations could be assessed by First American’s uniform call recording procedures.  Id. at *6.

The Court of Appeal Affirms Denial of Class Certification

On February 21, 2014, the California Court of Appeal Second Appellate District, addressing only the community of interest issue, affirmed.  The Court of Appeal explained that a communication is “confidential” for purposes of Section 632 if the party has an objectively reasonable expectation that the conversation is not being overheard or recorded.  Accordingly, in order to establish that an outbound First American call was subject to Section 632, Plaintiff would need to prove the objective reasonableness of her expectation that the call would not be recorded and the objective reasonableness of each putative class members’ expectations of the same.  This required individualized proof of (1) the length of the customer relationship, (2) the plaintiffs’ prior experiences with calls to or from the defendant including the number of calls and whether or not those calls included a recording/monitoring disclaimer, and (3) the plaintiffs’ prior experiences with other companies wherein they were provided the recording/monitoring disclaimer.  Such individualized inquiry precluded the certification of Plaintiff’s class claims especially considering her admissions regarding inbound calls to First American and calls from other businesses wherein the recording/monitoring disclaimer was provided.    Id. at *14-15.

Significance

In recent years, plaintiffs’ lawyers have used, and, arguably, abused, section 632 (and similar state and federal statutes), bringing harrowing class cases against corporations, then demanding large settlements for quick resolution.  The First American decision should hopefully limit the number of Section 632 class action claims filed in the future, and provides strong support for the denial of pending cases seeking class certification.  First American also provides a strong framework for mounting early dispositive challenges to cases brought under Section 632, and similar call recording statutes.

“Injury-in-fact is not Mount Everest,” Supreme Court Justice Samuel Alito once opined. The threshold to establish constitutional standing — which requires that plaintiffs establish an “injury-in-fact” — is low; so low that in most types of lawsuits, plaintiffs have no trouble scaling the requirement.  While standing may not be Mount Everest, in consumer privacy lawsuits, particularly those involving internet privacy, it can be more than a molehill.  Indeed, in some cases, plaintiffs alleging harm based on alleged privacy violations have found standing to be an insurmountable defense.  In particular, plaintiffs bringing claims based on the online collection, sharing, or dissemination of their personal information without more have been unable to show any “actual or imminent” harm (rather than purely speculative or possible future injury) from the allegedly unlawful conduct.  See e.g., In Re Iphone Application Litig., No. 11-MD-2250, 2011 U.S. Dist. LEXIS 106865 (N.D. Cal. Sept. 20, 2011) (granting defendant’s motion to dismiss for lack of Article III standing).

Are privacy violations sufficient to constitute an injury-in-fact under the Fair Credit Reporting Act (“FCRA”)?  This is one of the nuanced issues that the Ninth Circuit is pondering in connection with the appeal in Robins v. Spokeo, Inc., No. 11-56843 (9th Cir. 2012)Although Judges Diarmund O’Scannlain, Susan P. Graber or Carlos T. Bea likely should base their ruling on narrow, well-settled standing principles, it is possible that they may stretch the concept of standing under the FCRA to include harm resulting from violations of privacy interests.

Proceedings At The District Court Level

Spokeo is a website that describes itself as an aggregator of information.  Unlike traditional search engines like Yahoo!, Google, or Bing, Spokeo’s search engine focuses on finding people.

Spokeo issues prominent disclaimers to users that it is not a consumer reporting agency.  See Spokeo, No. 11-56843, ECF No. 26 (Brief of Appellee Spokeo, Inc.), at 4-6.  It also requires users to agree that information they obtain from Spokeo cannot “be considered for purposes of determining a consumer’s eligibility for credit, insurance, employment, or for any other purpose authorized by the FCRA.”  See id.  Nevertheless, Plaintiff claims Spokeo is a consumer reporting agency as defined under the FCRA.  In fact, he contends that Spokeo not only “assembles” data from a variety of sources, it also creates data not available from other sources, including information that allegedly bears on individuals’ economic wealth and purported creditworthiness.  See Spokeo, No. 11-56843, ECF No. 8 (Appellant’s Opening Brief), at 8.

Plaintiff filed a complaint against Spokeo for violation of the FCRA, arguing that the “reports generated by Spokeo.com contain inaccurate consumer information that is marketed to entities performing background checks.”  According to Plaintiff, Spokeo’s search results stated that Plaintiff had more education and professional experience that he actually has, stated he was married when in fact he is not, and inflated his financial position.  Though the inaccuracies favored Plaintiff, he allegedly was concerned that Spokeo’s search results would affect his ability to obtain credit, employment, or insurance.

Spokeo moved to dismiss the complaint for lack of standing.  After flip-flopping on the standing issue, the district court ultimately agreed with Spokeo.  Initially, Plaintiff argued that a statutory violation (i.e., FCRA violation) is sufficient to constitute an injury-in-fact.  But because the district court was unconvinced (it granted Spokeo’s first motion to dismiss), Plaintiff added allegations to his amended complaint that Spokeo’s dissemination of inaccurate information about him caused him actual harm in the form of diminished employment prospects, as well as anxiety, stress, and concern.  The district court initially accepted these allegations as sufficient and denied Spokeo’s second motion to dismiss but when Spokeo sought interlocutory appeal the district court dismissed the Plaintiff’s amended complaint.

Issues On Appeal

In this post, we focus on the standing issues raised in the Spokeo case.  However, we note that Plaintiff in this case is pushing the envelope on other arguments as well: he is alleging that Spokeo, an internet search engine, is a consumer reporting agency, and he is arguing that Spokeo is not entitled to a defense that it is an “aggregator” merely passing through publicly available information and, thus, immune from FCRA liability.

On appeal, the Plaintiff urges the Ninth Circuit to find standing and revive his complaint. According to Plaintiff, Article III’s requirements are met when a plaintiff alleges a statutory violation where the statute creates legal rights.  Borrowing from arguments plaintiffs have made (with limited success) in internet privacy cases, he argues, the injury-in-fact is the statutory violation itself and not the harmful consequences that may ultimately result.  Plaintiff claims that the FCRA is a “privacy statute designed to protect consumers from unlawful or inaccurate dissemination of their confidential consumer credit information.” Even if the FCRA required actual harm, according to Plaintiff, the harm at issue here is the “invasion of consumer’s right of privacy” arising from Spokeo’s dissemination of inaccurate information that arguably bears on creditworthiness even absent any allegations of a specific economic injury.  Thus, Plaintiff claims he adequately alleged an injury because Spokeo violated Plaintiff’s FCRA rights to be free from inaccurate dissemination of consumer information.

Spokeo counters that the concept of standing is a “screen” that is meant to limit the individuals who can enforce statutory and regulatory requirements.  It contends that although the FCRA creates a cause of action for statutory damages, only those individuals who can establish a concrete injury (actual harm) have standing to pursue a cause of action.  Spokeo points out that Plaintiff failed to allege any consequence resulting from Spokeo’s allegedly harmful conduct; and although he is concerned that incorrect information appears in a Spokeo search might affect his job prospects, he alleges no facts to substantiate his concern.

Implications

Defendants can be on the hook for millions of dollars in consumer class actions filed in the wake of data breaches or other privacy violations.  Given the stakes, standing arguments have been a primary defense in internet privacy class actions.  However, in some privacy cases, courts have held that plaintiffs have standing by virtue of asserting claims under certain statutes, such as those that provide civil relief to persons whose electronic communications are intercepted or accessed without their authorization.  In Spokeo, the Plaintiff is attempting to advance a similar argument to assert standing under the FCRA.  It remains to be seen whether the Ninth Circuit will accept this argument and in so doing lower the standing bar so much so that it is no more than a speed bump for FCRA plaintiffs.