In the three years following Spokeo v. Robins, 136 S. Ct. 1540 (2016), Article III standing has been a focal point in consumer class action litigation. Federal courts have grappled with applying Spokeo’s requirements, often with inconsistent results, and the Supreme Court on multiple occasions declined to clarify its ruling. Especially for claims based on violations of consumer statutes with private rights of action, demonstrating Article III standing is now a higher hurdle. Circuit-level divisions have intensified as new categories of class actions, particularly related to consumer data privacy and security, are pushing courts to consider injury and standing in new ways. Most recently, in Frank v. Gaos, No. 17-961 (U.S. Mar. 20, 2019), the Supreme Court declined to take up the issue again, which means that outstanding questions and divisions will likely persist as legislatures look to enact new consumer protections in the future.
Article III Standing
Under Article III of the U.S. Constitution, federal courts may not issue advisory opinions; they may only decide a “case or controversy.” The Supreme Court interpreted this restriction to limit standing to plaintiffs with an “injury in fact” that is concrete and particularized. Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992). Injury that establishes standing is “actual or imminent,” not “conjectural or hypothetical,” and it must be “likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.” Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., Inc., 528 U.S. 167, 180–81 (2000). For actions based on exposure to future injury, a party will satisfy Article III only if there is a “substantial risk that the harm will occur.” Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n.5 (2013)).
Spokeo Expands the Analytical Framework
Against this backdrop, the Supreme Court considered Spokeo, which centered on whether the Fair Credit Reporting Act of 1970 (FCRA), by its private right of action, automatically conferred standing for violations based on inaccuracies in a search engine database. The Ninth Circuit reinstated the plaintiff’s complaint because the alleged harm was based on the particularized violation of “his statutory rights, not just the statutory rights of other people.” 136 S. Ct. 1544–45 (emphasis in original). The Supreme Court found that analysis “incomplete.” While particularized injury is necessary for injury in fact, it is not sufficient. Injury must be “both concrete and particularized.” Id. at 1545 (quoting Friends of the Earth, 528 U.S. at 180–81). Because the Ninth Circuit had not considered whether Robins’s injury was concrete, the Supreme Court reversed and remanded.
The Court elaborated: “To establish injury in fact, a plaintiff must show he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Id. at 1548 (quoting Lujan, 504 U.S. at 560). Concrete injury must be “real, and not abstract.” Id. at 1549. When intangible, the injury must also implicate a legally protected interest. Id. Importantly, the Court also explained that standing is not automatic “whenever a statute grants a person a statutory right and purports to authorize that person to sue.” Id. Instead, there must be a “concrete injury even in the context of a statutory violation” and not a “bare procedural violation, divorced from any concrete harm.” Id. Returning to the FCRA, the Court explained a complaint must allege more than “a violation of one of the FCRA’s procedural requirements” and must show how the inaccurate reporting would “cause harm or present a material risk of harm.” Id. at 1550.
Spokeo Remanded and Resolved
On remand, the Ninth Circuit concluded the alleged harm was sufficiently concrete to confer standing. 867 F.3d 1108 (9th Cir. 2017). In doing so, the Ninth Circuit embraced the analysis of the Second Circuit, “that an alleged procedural violation [of a statute] can by itself manifest concrete injury where Congress conferred the procedural right to protect a plaintiff’s concrete interests and where the procedural violation presents ‘a risk of real harm’ to that concrete interest.” Id. at 1113 (quoting Strubel v. Comenity Bank, 842 F.3d 181, 190 (2d Cir. 2016)). Spokeo sought review in a petition asking the Supreme Court to resolve “widespread confusion” about what intangible injuries from statutory violations constitute “concrete” harms. The Court denied the petition, ending the case’s long appellate history but continuing the debate over its ultimate meaning. 138 S. Ct. 931 (2018).
The Supreme Court Declines to Revisit Standing
After Spokeo, the Supreme Court considered other requests to revisit its analysis. In 2018, the Court denied a petition in CareFirst v. Attias, seeking review of the D.C. Circuit’s conclusion that standing was satisfied by injury from a data breach. 865 F.3d 620 (D.C. Cir. 2017), cert. denied, No. 17-641, 138 S. Ct. 981 (2018). The Court also had two opportunities this year to revisit Article III standing in appeals from Ninth Circuit decisions. In the first case, the Court denied a petition in Zappos.com, Inc. v. Stevens, No. 18-255, about data breach standing. In the second case, Frank v. Gaos, No. 17-961, in a per curiam opinion, the Court vacated and remanded to address the plaintiffs’ standing based on alleged data privacy violations in light of Spokeo.
The Inconsistent Application of Spokeo in Consumer Class Actions
As of this writing, 2,749 decisions have cited Spokeo. This body of case law is as inconsistent as it is vast. Courts have grappled especially with how to assess injury arising from statutory violations. Appellate courts also have struggled to apply Spokeo to the exposure of consumer information in data breach cases. Finally, a rapidly evolving area of jurisprudence is the application of Article III to consumer data privacy offenses that have no private right of action under federal statute and that require courts to consider injury in fact in new ways.
Post-Spokeo standing based on federal consumer protection statutes. After Spokeo, plaintiffs cannot rely on the existence of a private right of action to establish standing. Instead, they must show actual injury to a legally recognized interest and more than a technical violation. The impact of this higher bar varies depending on the federal statute in question. It is illustrative to consider separately the FCRA, the Fair and Accurate Credit Transactions Act (FACTA), the Telephone Consumer Protection Act (TCPA), the Fair Debt Collection Practices Act (FDCPA), the Stored Communications Act (SCA), and the Video Privacy Protection Act (VPPA).
FCRA: After the Supreme Court declined to disturb the Ninth Circuit’s finding on remand that the transmission of an inaccurate consumer report is a concrete injury, the Third Circuit adopted the reasoning. See In re Horizon Healthcare Servs. Inc., 846 F.3d 625 (3d Cir. 2017). However, with regard to the failure to provide consumers with copies of their reports, both the Seventh and Ninth Circuits have inconsistent holdings. See Dutta v. State Farm, 895 F.3d 1166 (9th Cir. 2018) (no standing); Robertson v. Allied Sols. LLC, 902 F.3d 690 (7th Cir. 2018); Syed v. M-I LLC, 853 F.3d 492 (9th Cir. 2017) (standing); Groshek v. Time Warner Cable, Inc., 865 F.3d 884 (7th Cir. 2017) (no standing). On the other hand, the Fourth, Seventh, Eighth, and D.C. Circuits have found that technical violations of the FCRA, without more, cannot confer standing. See Dreher v. Experian Info. Sols., Inc., 856 F.3d 337 (4th Cir. 2017); Robertson v. Allied Sols., LLC, 902 F.3d 690 (7th Cir. 2018); Auer v. Trans Union, LLC, 902 F.3d 873 (8th Cir. 2018); Owner-Operator Indep. Drivers Ass’n, Inc. v. U.S. D.O.T., 879 F.3d 339 (D.C. Cir. 2018).
FACTA: Most courts have found violations of the statute, which prohibits retailers from printing full credit card numbers and expiration dates on receipts, an insufficient injury. The Second, Third, Seventh, and Ninth Circuits all held that a statutory violation, without more, cannot establish standing. See Crupar-Weinmann v. Paris Baguette Am., Inc., 861 F.3d 76 (2d Cir. 2017); Kamal v. J. Crew Grp., Inc., 918 F.3d 102 (3d Cir. 2019); Meyers v. Nicolet Rest. of De Pere, LLC, 843 F.3d 724 (7th Cir. 2016); Bassett v. ABM Parking Servs., Inc., 883 F.3d 776 (9th Cir. 2018). Conversely, the Eleventh and D.C. Circuits found a statutory violation is sufficient. See Muransky v. Godiva Chocolatier, Inc., 922 F.3d 1175 (11th Cir. 2019) (distinguishing as an account number exposure); Jeffries v. Volume Servs. Am., Inc., 928 F.3d 1059 (D.C. Cir. 2019) (distinguishing as an egregious violation).
TCPA: A vast majority of courts have concluded that unwanted phone calls, text messages, or faxes, which the statute prohibits, are sufficient to establish concrete injury from nuisance, privacy invasion, loss of time, and device congestion. The Second, Third, Fourth, Ninth, and Eleventh Circuits expressly reached this conclusion. See Melito v. Experian Mktg. Sols., Inc., 923 F.3d 85 (2d Cir. 2019); Manuel v. NRA Grp. LLC, 2018 WL 388622 (3d Cir. Jan. 12, 2018); Krakauer v. Dish Network, L.L.C., 925 F.3d 643, 653 (4th Cir. 2019); Van Patten v. Vertical Fitness Grp., LLC, 847 F.3d 1037 (9th Cir. 2017); Florence Endocrine Clinic, PLLC v. Arriva Med., LLC, 858 F.3d 1362 (11th Cir. 2017).
FDCPA: Most courts have held that violations of the statute, which governs the conduct of third-party debt collectors, suffice to establish standing. See Zirogiannis v. Seterus, Inc., 707 F. App’x 724 (2d Cir. 2017); St. Pierre v. Retrieval-Masters Creditors Bureau, Inc., 898 F.3d 351 (3d Cir. 2018); Ben-Davies v. Blibaum & Assocs., P.A., 695 F. App’x 674 (4th Cir. 2017); Sayles v. Advanced Recovery Sys., Inc., 865 F.3d 246 (5th Cir. 2017); Evans v. Portfolio Recovery Assocs., LLC, 889 F.3d 337 (7th Cir. 2018); Demarais v. Gurstel Chargo, P.A., 869 F.3d 685 (8th Cir. 2017); Tourgeman v. Collins Fin. Servs., Inc., 755 F.3d 1109 (9th Cir. 2014), as amended (Oct. 31, 2014); Church v. Accretive Health, Inc., 654 F. App’x 990 (11th Cir. 2016). The Sixth Circuit held that a technical violation of the statute cannot constitute concrete injury. See Lyshe v. Levy, 854 F.3d 855 (6th Cir. 2017).
SCA and VPPA: Post-Spokeo circuit court decisions analyzing standing under these statutes are sparse. The SCA addresses the disclosure of stored wire and electronic communications and transactional records held by third-party Internet service providers, and VPPA prevents the wrongful disclosure of video rental or sale records. The Ninth and Eleventh Circuits both found that sharing customer viewing data is a sufficient invasion to establish standing under VPPA (see Eichenberger v. ESPN, Inc., 876 F.3d 979 (9th Cir. 2017); Perry v. Cable News Network, Inc., 854 F.3d 1336 (11th Cir. 2017)), and Spokeo standing for SCA claims was the subject of the Supreme Court’s recent remand in Frank v. Gaos, which the Ninth Circuit must now consider.
Post-Spokeo standing in consumer data breach class actions. Because the Supreme Court repeatedly declined to address standing in data breach cases, federal courts follow the guidance of Driehaus and Clapper with differing results. Courts diverge on whether the exposure or theft of consumer data alone is sufficient for standing under Article III or if actual misuse is required.
The Third, Sixth, Seventh, Ninth, and D.C. Circuits held that data breaches can constitute concrete injury if personal data were stolen. See In re Horizon Healthcare Servs. Inc., 846 F.3d 625 (3d Cir. 2017); Galaria v. Nationwide Mut. Ins. Co., 2016 WL 4728027 (6th Cir. Sept. 12, 2016); Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 830 (7th Cir. 2018); In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018), cert. denied, 139 S. Ct. 1373 (2019); Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), cert. denied, No. 17-641 (U.S. 2017). Of note, in CareFirst, the D.C. Circuit found it was plausible that hackers intended to commit imminent theft or fraud, indicating that the risk of harm was substantial. The Seventh Circuit deployed similar logic in the pre-Spokeo case Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015). And in Nationwide and Barnes & Noble, the Sixth and Seventh Circuits credited post-breach efforts to prevent identity theft.
In contrast, the Second, Fourth, and Eighth Circuits concluded that plaintiffs cannot establish standing through a data breach alone and must demonstrate actual misuse. See Whalen v. Michaels Stores, Inc., 689 F. App’x 89 (2d Cir. May 2, 2017); Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), cert. denied, No. 16-1328 (U.S. June 26, 2017); In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017). In each case, an enhanced risk of future fraud failed to establish standing. Of note, in Whalen, the risk was too remote because the plaintiff’s credit card was promptly canceled. In Beck, the burden of efforts to prevent identity theft could not constitute actual injury. In SuperValu, the court reasoned that data breaches did not ultimately result in identity theft for a majority of consumers.
The First Circuit has not reached this issue following Spokeo; however, its earlier decisions suggest a requirement of actual misuse. See Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012); Anderson v. Hannaford Bros., 659 F.3d 151 (1st Cir. 2011). In contrast, the Eleventh Circuit’s pre-Spokeo holding that a data breach alone establishes standing, Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012), paired with its recent analysis in Muransky v. Godiva Chocolatier, Inc., 922 F.3d 1175 (11th Cir. 2019), suggests it would not require actual misuse.
Post-Spokeo standing based on consumer data privacy. An emerging area in which the courts are increasingly evaluating Article III standing is the alleged violation of consumer data privacy rights. These claims can involve federal statutes without a private right of action (like the Children’s Online Privacy Protection Act of 1998 (COPPA), the Family Educational Rights and Privacy Act of 1974 (FERPA), and the Health Insurance Portability and Accountability Act of 1996 (HIPPA)). Claims may also arise from state consumer data privacy statutes, like the Illinois Biometric Information Privacy Act (BIPA), or more general statutory or constitutional provisions, including intrusion upon seclusion, violation of a right to privacy, and unfair and deceptive trade practices. These suits raise questions about legally recognized rights and concrete harm, and they produce differing results. This area of law is rapidly evolving, especially in light of recently proposed and enacted state consumer data privacy laws with private rights of action, especially the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020. Because some circuit courts recently suggested certain violations of consumer data privacy rights may satisfy Spokeo, it is likely that these inquiries will expand in the years to come. See, e.g., Patel v. Facebook, Inc., No. 18-15982 (9th Cir. Aug. 8, 2019) (violation of BIPA sufficient injury); In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262 (3d Cir. 2016) (violation of COPPA sufficient).
These cases are the next frontier in constitutional standing debates, and they will likely form the basis of future circuit court and, ultimately, Supreme Court litigation on the enduring legacy of Spokeo.
Melanie Conroy is counsel at Pierce Atwood LLP in Boston, Massachusetts.
Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).