Richard Raysman is a Partner in our New York office

Although acceding to the terms of its privacy policy is now seemingly part and parcel of using almost every website, such ubiquity does not seem to have increased anyone's desire to read them. Generally lengthy and couched in legalese, most users loathe to investigate the terms and conditions contained therein. True, some industrious users do take in the entirety of the policies. In addition, some even more motivated users have in recent years taken an additional step and begun to sue based on supposed violations of the policies. For example, one such user recently brought a claim against the advocacy organization AARP based on purported violations of its use of the personally identifiable information of its users. See Austin-Spearman v. AARP and AARP Services Inc., --- F. Supp. 3d ----, 2015 WL 4036206 (D.D.C. June 30, 2015), amended, 2015 WL 4555098 (D.D.C. July 28, 2015). The conclusions reached by the court discussed below indicate that although the plaintiff claims to be a scrupulous reader of privacy policies, she may not in fact really understand both the terms of AARP's privacy policy, much less the theories behind any injury deriving from a claimed violation of the policy.

Facts

As characterized by the court, plaintiff Ethel Austin-Spearman (Austin-Spearman) is an internet savvy woman, despite not being in a demographic (over age 50) generally considered well-versed in online life. To wit, Austin-Spearman joined Facebook in 2007, and is a frequent user of its site, as well as many others. Whenever she registers for a new online service, she fastidiously reads the website's Terms of Service and Privacy Policy.

In 2010, Austin-Spearman navigated to the website of AARP, an organization which provides litigation and lobbying efforts on behalf of its members, as well as myriad discounts to "shopping, dining, and travel as well as financial and insurance-related products and services." In order to qualify for membership in AARP, the applicant must be 50 years or older. Austin-Spearman purchased a three-year AARP membership for $43, and in order to derive benefits from this membership, then created an online AARP account. To establish this account, she entered the required registration information and viewed and agreed to AARP's Privacy Policy.

Section 4 of the Privacy Policy, which is the provision at the center of the dispute, is labeled Information We Collect From You and reads:

We may allow third-party analytics companies, research companies or ad networks to collect nonpersonally identifiable information on our website. These companies may use tracking technologies, including cookies and Web beacons, to collect information about users of our site in order to analyze, report on or customize advertising on our site or on other sites. For information about how to opt-out of the customization of advertising from many ad networks, you can visit here.

This assurance is limited by a number of caveats elsewhere in the Policy. For instance, a separate paragraph of Section 4 informs the user that "[i]f you stay logged on to your social media accounts  ... while visiting our website [,] those social media companies may collect information from you." (emphasis added). Likewise, Section 5 of the Policy notifies the user that AARP may share information, including personally identifiable information (PII), with services that help the organization improve advertising services.

Notwithstanding these disclosures, Austin-Spearman alleged that the AARP website expressly violated the terms of the Privacy Policy because its website was configured to permit Facebook and Adobe to collect members' PII. The gravamen for this allegation was sentence 1 of the Privacy Policy, which according to Austin-Spearman's complaint, assured AARP members that third parties would be culling only nonpersonally identifiable information from its site. Austin-Spearman also cited to another sentence in Section 4, which provides a hyperlink to another page that, among other things, lists the specific third party companies that collect data from the AARP website. Adobe and Facebook were not listed on this page.

Austin-Spearman then sued AARP and its wholly owned subsidiary, AARP Services Inc. (collectively, AARP) based on this alleged privacy violation. She filed a putative class action alleging breach of contract, unjust enrichment, intentional misrepresentation, fraud by omission, and violation of the District of Columbia Consumer Protection Procedures Act (DCPPA).  Specifically, Austin-Spearman asserted that such purported violation of the Privacy Policy lessened the value of her membership with AARP, as such compliance she believed to be an element of her membership contract. AARP filed a motion to dismiss, in relevant part, on grounds that Austin-Spearman lacked Article III standing to bring her claims, insofar as she could not plead the existence of the injury-in-fact essential to possessing this type of standing.

Legal Analysis/Conclusions

As with many others that confront alleged violations of privacy policies, this case was decided on the threshold ground of standing. Specifically, the court had to first determine whether Austin-Spearman had pled the necessary injury-in-fact so as to push her claims into the purview of federal court jurisdiction. See Lujan v. Defenders of Wildlife, 504 U.S. 550 (1992) (observing that a showing of standing is an "essential and unchanging predicate" to an exercise of federal court jurisdiction).  Injury-in-fact is an invasion of a protected interest that is both (1) concrete and particularized, (2) and actual or imminent. Mere conjecture or a hypothetical is insufficient to meet the second prong. As for the nature of the injury, while economic harm is a unquestioned example of a sufficient injury-in-fact, a mere request for money is not generally considered such an injury. Rather, there must be some evidence of overpayment relative to what the complainant bargained for, and what was actually received. As applied to this case, Austin-Spearman alleged that she would not have paid $43 for her membership but for her belief that her PII gleaned by AARP from her use of its website was not distributed to third parties.

Even while affording Austin-Spearman's factual claims the presumption of truth and the benefit of all reasonable inferences deriving therefrom, as mandated by Federal Rule of Civil Procedure 12(b)(1) and (b)(6), the court did not find that a sufficient injury-in-fact existed which would warrant a grant of standing. See also Browning v. Clinton, 292 F.3d 235 (D.C. Cir. 2002) ("legal conclusions cast in the form of factual allegations" are insufficient to survive a motion to dismiss). In fact, for two reasons, the court cast such claims as "entirely implausible."

Absence of a Privacy Policy Violation

First, the court determined that, no matter how outraged Austin-Spearman may claim to be, AARP had not actually committed any violation of the plain terms of its Privacy Policy.  In a number of separate provisions, the Privacy Policy informed the user that the website did in fact collect PII, and on some occasions, disseminated it to third parties. Additionally, if the user visited AARP's website while remaining logged into any social media accounts, the Privacy Policy stipulated that those social media companies could collect data and information as they saw fit.  Ergo, reading the document as a whole, it informed a user that member data gleaned from a decision to browse the website, including PII, would be accessible by third parties.

The court also noted that, given Austin-Spearman's dual admissions that she had both read the Privacy Policy in its entirety, and remained logged into social media accounts while browsing the AARP website, it strained credulity to think that she could thereafter feign surprise when AARP simply did what the Policy said they could do.

Accordingly, no reasonable inference existed to show that a violation of the Privacy Policy had actually occurred, and thus Austin-Spearman had suffered no injury.

Assuming Arguendo that the Privacy Policy was Violated, No Legally Redressable Injury-in-Fact Arose as a Result

The court also held that even if it granted that the Privacy Policy had been violated, no economic injury sufficient to confer standing on Austin-Spearman had materialized therefrom.

For one, even though Austin-Spearman alleged that her membership fee was paid in part in consideration for the perceived promise in the Privacy Policy to keep her PII private, AARP showed that Austin-Spearman did not even view the Policy until after she had already become a paid member of AARP. Second, the court concluded that Austin-Spearman had in fact received the benefit of her bargain with AARP. The rights to use AARP's website, and to thus gain access to online-only discounts, was but one part of the benefits that accrue to its members. The court found that the complaint did not show that such a benefit could be construed as a primary benefit of AARP membership, nor is it even an essential part of the "bundle of rights" conferred by such membership. (emphasis in original).

Further, although Austin-Spearman repeatedly claimed that the usage of the website was subjectively important, the court did not credit such a claim as a cognizable harm sufficient to support an "overpayment" injury. Such an injury based on this theory must be demonstrated as "objectively essential" to the AARP membership agreement. Her subjective belief that her privacy had been violated by the Privacy Policy, as merely a single right afforded her under the membership agreement, did not thus mean that AARP had failed to substantially perform on its obligations under that agreement. A finding that AARP had failed to substantially perform was essential to Austin-Spearman's theory of economic harm, and without it, her broader standing claim failed. See also In re S.A.I.C., 45 F. Supp. 3d 14 (D.D.C. 2014) (plaintiffs that were victims of a data breach at insurer who had previously bargained for health and dental insurance, and who received such benefits, could not articulate sufficient economic harm to confer standing even if part of their premiums may have gone towards the insurer's expenditures on security services).

Conclusion

Consequently, the court granted AARP's motion to dismiss. As for Austin-Spearman, this is the second reported decision since April 2015 involving privacy issues in which she is the named plaintiff. In Austin-Spearman v. AMC Network Entertainment LLC, --- F. Supp. 3d ----, 2015 WL 1539052 (S.D.N.Y. Apr. 7, 2015), she sued a television network for alleged Video Privacy Protection Act (VPPA) violations after the network disclosed her personal information to Facebook. Unlike the AARP case, Austin-Spearman was found here to have standing based on the specific language of the VPPA. However, as Austin-Spearman had not paid to view any content,  nor had she registered for an account on AMC's site, she was not deemed to be a "consumer" protected by the VPPA.

What is most notable about AARP is that it exemplifies how courts distinguish between data sharing cases and data breach cases. In the former, given that there is less of downstream harm, courts are hesitant to confer standing. In the latter, given that hackers often seize data in order to create harm in the future, courts are much more likely to conclude that plaintiffs' have been the victim of a cognizable injury so as to confer Article III standing.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.