On February 4, 2014, the U.S. Court of Appeals for the Ninth Circuit held that plaintiffs need not allege actual injury to demonstrate constitutional standing for a willful violation of the Fair Credit Reporting Act (the “FCRA”). Judge Diarmuid F. O’Scannlain, writing for the three-judge panel, reversed the lower court’s dismissal of the action and held that an alleged violation of statutory rights was sufficient to demonstrate injury in fact under Article III of the United States Constitution. The decision against Spokeo, Inc. (“Spokeo”), a website operator that compiles and sells information about individuals, comes at a time when plaintiffs in data privacy and data security breach actions frequently have faced dismissal on injury grounds.
The action against Spokeo began in July 2010, when Thomas Robins filed a lawsuit claiming that the website operator disseminated false information about him, including with respect to his employment status, marital status, age, educational background, and “wealth level.” Although Robins was unable to show that he suffered any actual harm as a result of the allegedly inaccurate report, he asserted that Spokeo committed a willful violation of the FCRA by failing to exercise its responsibilities under the statute.
Spokeo moved to dismiss the suit on the ground that Robins was unable to demonstrate an injury in fact sufficient to confer constitutional standing. The Central District of California denied the motion, concluding that Spokeo’s “marketing of inaccurate consumer reporting information” constituted injury in fact under Article III. Spokeo then filed a motion to certify the decision for an interlocutory appeal. However, rather than granting the motion, the district court reconsidered its prior order and granted Spokeo’s motion to dismiss on Article III standing grounds. Robins appealed the latter decision to the Ninth Circuit, arguing that the district court’s initial ruling was correct and the dismissal was in error.
The Ninth Circuit sided with Robins, observing that Congress’ creation of a private cause of action to enforce a statutory provision “implies that Congress intended the enforceable provision to create a statutory right.” Furthermore, the court explained, the violation of a statutory right “is usually a sufficient injury in fact to confer standing.” In support of this conclusion, the court cited its 2010 ruling in Edwards v. First Am. Corp., which held that plaintiffs need not show actual harm under the kickback provision of the Real Estate Settlement Procedures Act to demonstrate Article III standing.
The Ninth Circuit further reasoned that, despite constitutional limits on its authority, Congress could create legally cognizable injuries in circumstances where: 1) the defendant is alleged to have violated the plaintiff’s statutory right as an individual; and 2) the right at issue protects against individual harm, rather than collective harm. After concluding that Robins met both tests – he was “among the injured” and his personal interests in his credit information were “individualized rather than collective” – the court held that his allegation that Spokeo committed a willful violation of the FCRA was sufficient to confer Article III standing.
The decision against Spokeo likely will be welcomed by plaintiffs in data privacy and data security actions who have struggled to show injury and frequently faced dismissal on that ground. However, the Edwards decision, on which Spokeo relied, stands in some tension with case law in other courts, suggesting the decision may have limited force outside the Ninth Circuit. Indeed, the United States Supreme Court initially accepted Edwards for review, portending a potential reversal, but the high court later dismissed the petition and allowed Edwards to stand. It remains to be seen whether the Supreme Court will accept another case in an effort to provide guidance to the lower courts, who have disagreed on the limits of Congressional power to confer Article III standing by creating statutory rights.
The Spokeo decision also is likely to spark renewed interest in the FCRA for plaintiffs in data privacy and data security actions. Because plaintiffs in such actions generally are limited by the definition of a “consumer reporting agency” (“CRA”) under the FCRA, further litigation should be expected as a result of plaintiffs’ efforts to expand the universe of entities that fall within the statutory scope. Indeed, the Ninth Circuit explicitly stated in Spokeo that its decision had no bearing on the question of whether the website operator qualified as a CRA under the FCRA, indicating the lower court ultimately may be required to rule on this issue.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
