The Supreme Court has been on a roll this past week. Obergefell v. Hodges found that same-sex marriage is a fundamental right and therefore legal in all 50 states; King v. Burwell upheld Obamacare (I would encourage you to also read Justice Scalia’s dissent); Kimble v. Marvel gave us some wonderful Supreme Court Spiderman puns; and Los Angeles v. Patel resolved a case with potentially major privacy ramifications in a manner that was decidedly uneventful. As such, I thought this would be a good time to talk about an upcoming Supreme Court case involving consumer privacy: Spokeo v. Robins. Spokeo is a corporate challenge to class action lawsuits that are based purely on statutory violations: basically, it asks if consumers can sue a company for shady privacy practices even if they cannot show that anything bad happened. This case is potentially a big deal, particularly for big business, and so it’s worth a closer look.
Despite my privacy-focused lead-in, Spokeo is really a case about standing: the legal basis for an individual to sue. Basically, Spokeo asks whether a plaintiff can bring a lawsuit purely because Congress says they can. While this may seem like common sense, courts have constitutional restrictions on whom they will hear cases from. Typically, standing requires three things: 1. that you have suffered an injury; 2. that the injury was caused by the person you are suing; and 3. that the court can provide you some form of legal relief. These are typically shortened into “injury, causation, and redressability.” Absent all three, bringing the case doesn’t make much sense. Why sue someone if the court can’t do anything to help you? Why sue someone if that person didn’t cause the problem? Why sue someone if you haven’t been injured?
It is on that last point that the case arises. Spokeo is one of those online information aggregators that people use to reverse lookup phone numbers and the like, and Robins claims that Spokeo published inaccurate information on its website. While seemingly minor, (and indeed kind of expected), this potentially means Spokeo violated the Fair Credit Reporting Act (FCRA), and is subject to statutory penalties. But was there really an injury? We can speculate, arguing that information on the website might be used to deny a loan or to refuse employment, (although it’s not likely), yet it is difficult to say you’ve suffered an injury purely from the publication of inaccurate information. At best, you are put in a position where it is more likely that you will be injured. But it’s not clear that the mere potential for injury is sufficient to give you standing to sue. And Robins’ class action lawsuit creates the potential for millions in damages, all without any clear injury.
I should clarify that a ruling for Spokeo would not mean that data breaches or similar privacy violations would go unpunished. Rather, it would require that anyone potentially affected by a breach not sue until they could establish that they suffered a concrete injury. It would not be enough to say you might have your identity stolen: you must show something more definitive. This would also not preclude other enforcement actions, such as those brought by state attorneys general, the FTC, or other consumer protection agencies. So the issue should not be framed purely as a win for big business, (although it surely would be), but rather as clarifying how the government should respond to these issues.
And I should also note that consumers rarely directly benefit from these cases. Class action lawsuits over privacy violations are largely settled, and the settlements typically award too little money for it to be economically distributed to the class. (Splitting $5 million among a class of 1 million plaintiffs isn’t worth the cost of postage). So the primary winners in these cases are the attorneys (obviously) and the recipients of odd things called cy pres awards. These basically donate the settlement money to nonprofits with the intent that the nonprofits will use the money to further the interests of the class of plaintiffs.
Tell me where it hurts
Returning to Spokeo, the legal arguments the case must tackle are tricky. Standing is frequently litigated, as it offers judges a quick way to decide a case, and injury in particular can be a contentious issue. Oftentimes plaintiffs are adamant that they have been injured, but cannot adequately express how. It’s like going to a doctor because you feel “weird” or “off”; there isn’t much they can do for you. And injury is further complicated by the limited remedies available to a judge: not every problem can be solved by throwing money at it, and money is the primary form of relief available to courts. Keeping with the doctor analogy, this would be like going to a doctor who only prescribes painkillers, even when your symptom is fatigue.
The principles guiding what constitutes “injury” are that the alleged injury must be “concrete and particularized” and “actual or imminent.” Basically, you have to be specific when telling the court how you were harmed, and that harm shouldn’t be merely hypothetical or pure conjecture. While that adds more language to play with, it does little to clarify what constitutes an “actual injury” or whether that injury is “concrete.” While it might seem like an express conferral from Congress should be sufficient to clarify any ambiguity, constitutional purists see this as a separation of powers issue, and therefore dislike any attempt by Congress to circumvent the constitutional provisions limiting Article III standing.
Is privacy endangered?
Courts do recognize the ability of Congress to establish new rights, however, and those new rights may then be violated, but this still requires a particularized injury. This was addressed in the case Lujan v. Defenders of Wildlife, where a group of environmental activists tried to sue the government over its interpretation of the Endangered Species Act, which they believed would lead to the extinction of certain endangered species abroad. They did so under a citizen-suit provision written into the law, expressly allowing citizens to seek judicial intervention against any perceived violation of the Endangered Species Act, even against the government. Basically, Congress tried to give every citizen standing.
Yet the Supreme Court denied the plaintiffs’ claim for failing to allege an injury. “Affidavits of members claiming an intent to revisit project sites at some indefinite future time, at which time they will presumably be denied the opportunity to observe endangered animals, do not suffice, for they do not demonstrate an ‘imminent’ injury.” This requirement for an “imminent injury” isn’t necessarily very high, however, as the concurring opinion of Justice Kennedy suggested that simply showing a plane ticket to the affected region might be sufficient (i.e. because you wouldn’t get to see the endangered animal). Justice Kennedy also suggested that while mere interest in the affected animals was probably insufficient, something more concrete, like a whale-watching group bringing a claim under a whale hunting law, may suffice.
As such, I suspect that the Court’s decision will necessarily rely on its opinion of the “concreteness” of privacy harms, or at least those in the FCRA. I’m actually not sure how the Supreme Court will approach this issue, as their views on privacy can be difficult to predict. On the one hand, it wouldn’t be difficult to trivialize the harm here, as there are countless sites that aggregate and publish information online, and they are notoriously inaccurate. Yet the FCRA established these statutory relief mechanisms because so often it is difficult for an individual to know how data about them is being used. Being denied a job would certainly be a concrete injury, but would you even know that it was the publication of inaccurate data that caused you to not be hired? Just because you can’t quite tell the doctor where you hurt doesn’t mean you haven’t been hurt, and indeed doesn’t mean the doctor cannot help.
But these potentially speculative privacy harms must be weighed against the very concrete damages the corporations will have to pay. While this case deals specifically with the FCRA, the principles apply to a wide variety of cases, most notably data breaches, which can literally bankrupt companies. The recent data breach suffered by Anthem has estimated liability in the billions, and this is primarily from class action lawsuits alleging violations of statutory consumer protections. Considering the massive impact of these lawsuits, it doesn’t seem too burdensome for the plaintiffs to allege a non-speculative injury.
But pushing too far in the other direction might leave companies relatively unscathed for shoddy cybersecurity, and it is not clear that consumer protection agencies alone will be able to shoulder the burden of penalizing this bad behavior. (Maybe if we had a cybersecurity-specific agency, but I digress.) The financial incentives for the government are there, but consumers tend to be more litigious than the government, so it’s hard to tell if taking these claims out of the hands of the consumers will leave some data breaches unpunished.
To add a further complication, the second standing requirement, “causation,” may present its own challenges. If the Court requires a separate allegation of injury, the plaintiffs will be forced to also prove that that injury was caused by the defendant. Even assuming you can prove that, say, your identity was stolen, how can you be sure which data breach was the cause? We have all probably had our personal data compromised by at least two breaches recently, and proving that any one injury was caused by a specific breach is nearly impossible. It is the classic case of two assassins shooting the same victim: how do we know which one was “the killer”? Was it Target, Home Depot, JP Morgan, Anthem, (I could go on) that caused your injury? Or what if you were separately hacked, and none of the data breaches is responsible?
This may be resolved by differentiating which privacy harms do and do not meet this “injury” requirement. Maybe the publication of false information requires a separate allegation of injury, whereas a data breach is an injury in itself. Many statutory injuries like those in the FCRA have transparency provisions requiring companies to tell the consumer if data was used to, say, deny a loan, and have built-in mechanisms to challenge false or irrelevant data. So proving injury and causation in these cases is facilitated. But something like a data breach has no built-in transparency measures (hackers aren’t known for their transparency), so those may be deemed intrinsically injurious. The Court may also punt on this issue, requiring a separate allegation of injury, but letting lower courts decide which privacy claims are intrinsically harmful and which ones are not.
I’m actually pretty conflicted about this case. On the one hand, I have repeatedly emphasized that I think privacy should focus on harms, and this case rests squarely within that mindset. Yet information privacy harms can be extremely difficult to catch, even for the most educated consumers, so penalizing more easily recognized behavior that may lead to harms makes some sense. And it also satisfies the unease these non-injury privacy claims often cause. Hearing your data was compromised is troubling, particularly to the average consumer, who may not understand exactly what that entails, and being able to punish corporations for their bad cybersecurity provides a sense of justice. Yet courts are also pretty firm in not basing legal liability on just a sense of unease, and rightly so.
Ultimately I’m not sure either outcome is particularly good. Apart from clarifying how lower courts should handle these cases, (which isn’t nothing), neither outcome addresses the underlying problems that make these information privacy cases so challenging. And while I tend to think the Spokeo argument is right (you need to allege a separate injury), a ruling that hinders these consumer lawsuits isn’t a desirable outcome without assurances that something else will take their place.
As always, no easy answers. Until next time.