The U.S. Supreme Court heard arguments last month in Clapper v. Amnesty International, a case that asks the Court to determine whether a group of lawyers, journalists, and human rights workers have standing to challenge the federal government’s international electronic surveillance program under the Foreign Intelligence Surveillance Act. The plaintiffs alleged Fourth Amendment privacy violations among other things, and injury from the likelihood that the government was recording their conversations with clients and sources overseas. But the plaintiffs could not say with certainty whether any eavesdropping occurred, giving rise to the standing issue before the Court.
Clapper involves standing in the context of constitutional privacy, but the same general standing requirements apply in consumer privacy actions. Standing is one of the initial hurdles of any would-be plaintiff, and the first element of standing is injury-in-fact. In the developing area of consumer privacy litigation, recent cases reflect uncertainty in the federal courts as to what constitutes injury-in-fact sufficient to confer standing.
In the data breach context, for example, courts have routinely dismissed cases for lack of injury-in-fact, but, on the other hand, there are recent cases holding that data hacking alone can be a cognizable harm, even if there is no economic injury. In Krottner v. Starbucks and Pisciotta v. Old National Bancorp, the Ninth and Seventh Circuits found that in the absence of actual identity theft, the threat of future identity theft can be sufficient to confer standing. In a case involving actual identity theft, the Eleventh Circuit held earlier this year in Resnick v. AvMed, Inc., that the plaintiffs had standing to sue a health insurance company after a company laptop with unencrypted data was stolen and the plaintiffs were the victims of identity theft.
These decisions can be compared with Reilly v. Ceridian Corporation, in which the Third Circuit held in 2011 that there was no standing where the plaintiffs “alleged no misuse [of the stolen data], and therefore, no injury.” Similarly, this year in Katz v. Pershing, the First Circuit held that the plaintiff failed to allege sufficient injury to confer standing where there was no allegation that the plaintiff’s personal information was not actually accessed by any unauthorized person.
Standing is also often an issue in other, non-data-breach privacy actions. In a case challenging a mobile app’s collection of geo-location data without consent, the Western District of Washington in Goodman v. HTC America, Inc. held this year that the putative plaintiff class members had sufficiently plead injury to have standing. The court accepted as cognizable injuries overpayment for phones (because the plaintiffs would have paid less if they knew their location was to be collected as alleged) and diminution in value of the phones because of reduced battery life caused by the collection of geo-location data. Still, the court held the collection of the data alone did not constitute an injury for standing purposes.
In another geo-location privacy action, the Northern District of California in In re iPhone Application Litigation, found standing in a case against Apple and other mobile industry companies alleging improper collection and disclosure of user data, including geo-location information. The court found that alleged violations of the Stored Communications Act could serve as a concrete injury for standing, as could allegations that the defendants’ actions consumed finite bandwidth and storage space on the devices and that the transmission of personal data was done without encryption, exposing plaintiffs to “unreasonable risks” of interception. More recently, in Hernandez v. Path, Inc., the plaintiff was found to have standing where he alleged that removing a mobile app’s tracking software would cost up to $12,250.
Despite recent cases finding standing, standing remains a significant hurdle for plaintiffs in privacy actions. The Northern District of Illinois in Sterk v. Best Buy Stores held last month that the plaintiff failed to allege any injury-in-fact in a suit challenging Best Buy’s data retention practices. The plaintiff’s theory was that Best Buy’s practices reduced the value of the plaintiff’s personal information and that the plaintiff would not have paid Best Buy the same price if he had known of Best Buy’s data retention practices. However, the court held that the plaintiff failed to allege a concrete injury because he did not allege that he was not able to sell or otherwise derive adequate value from his personal information and because defendants charged the same price whether or not customer information was retained.
With this landscape of standing decisions, some may say we are on the precipice of change with respect to standing requirements for actions based on violations of privacy, but there is much uncertainty. It remains to be seen whether the Supreme Court decision in Clapper will change current standing doctrine, and we will continue to monitor relevant cases as this area develops.