Supreme Court Finds Concrete Harms Needed for Consumer Privacy Cases to Proceed
On Monday, May 23, 2016, the Supreme Court handed down a partial victory for Spokeo, a company that operates a search engine for personal data. The plaintiff, Thomas Robins, alleged that the company was in violation of the Fair Credit Reporting Act (FCRA) because it had not taken sufficient steps to correct false information about him on its website. The key question in this case was whether a plaintiff who has suffered no concrete injury has constitutional standing to bring suit in federal court merely because of a technical or procedural violation of a federal consumer protection statute. While the Court did not rule on whether Robins had suffered actual injury, it did make clear that courts must establish that a concrete harm has occurred to allow a case to proceed. This ruling has important implications for companies operating in the data economy because it rejects the notion that individuals can bring lawsuits simply because they have some vague and amorphous fears about how companies are collecting and using their data.
Spokeo’s services are used by a variety of users including “employers who want to evaluate prospective employees” and “those who want to investigate prospective romantic partners or seek other personal information.” Robins discovered that the contents of his profile on Spokeo contained inaccurate information. His profile stated he is married, has children, is in his 50’s, has a job, is relatively affluent, and holds a graduate degree, all of which are inaccurate. Robins filed a class-action suit on behalf of himself and similarly situated individuals in federal district court alleging, among other things, that Spokeo violated the FCRA by publishing inaccurate information about him. Under the FCRA, consumer-reporting agencies are required to “follow reasonable procedures to ensure maximum possible accuracy” of consumer reports. Companies that willfully violate the act can be liable for actual damages or statutory damages of $100-$1,000 per violation, and possible punitive damages.
Robins contended that the inaccuracies in his profile made him appear overqualified for the positions he was seeking, expectant of a higher salary than employers were willing to pay, and less available because of responsibilities to his non-existent family. Spokeo argued that the case should be dismissed because Robins suffered no actual, tangible injuries from the misinformation and he therefore lacked standing.
The Federal District Court dismissed Robins’s case on the grounds that he lacked standing because he could not show any actual harm from Spokeo’s publication of inaccurate information about him. The U.S. Court of Appeals for the Ninth Circuit reversed, reasoning that “the violation of a statutory right is usually a sufficient injury in fact to confer standing.” The Court of Appeals held that because Robins alleged that “Spokeo violated his statutory right, not just the rights of other people,” and because his “personal interests in the handling of his credit information are individualized rather than collective,” Robins’s allegations were sufficient to satisfy the injury-in-fact standing requirements. Spokeo then petitioned the Supreme Court for review.
In its holding, the Supreme Court explained that, to have standing, Robins needed to show an “injury in fact” from Spokeo’s publication of inaccurate information about him. To establish an injury in fact, Robins needed to show that he suffered “an invasion of a legally protected interest” that is “concrete and particularized” and “actual and imminent, not conjectural or hypothetical.” For an injury to be “particularized,” it must affect the plaintiff in a personal and individual way. And a “concrete” injury must be “de facto,” meaning it must actually exist. The Court found that the Ninth Circuit’s injury-in-fact analysis overlooked the independent concreteness requirement and failed to address whether the alleged procedural violations entailed a degree of risk sufficient to meet the concreteness requirement.
The Court noted that “concrete” is not necessarily synonymous with tangible, and that “intangible injuries can nevertheless be concrete.” And while both history and the judgment of Congress play important roles in determining whether an intangible harm constitutes injury in fact, the injury-in-fact requirement is not “automatically satisfied whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” This does not mean that the risk of real harm cannot satisfy the requirement; it simply means that in the present case, Robins’s allegation of a bare procedural violation failed to meet the injury-in-fact requirement because a violation of one of the FCRA’s procedural requirements may result in no harm.
Although the Supreme Court’s ruling in Spokeo v. Robins focused on the constitutional standing requirement, its opinion underscores the need for data privacy laws and regulations to focus on actual harms rather than potential ones. Regulators who ignore this distinction may cause unintended consequences that actually make consumers worse off and discourage innovation. If companies could be found liable for mere technical violations where no harm exists, then compliance would focus less on protecting consumers and more on avoiding liability. The goal should be to encourage companies to take actions that prevent consumer harm.
Regardless of the outcome in this case with the Court of Appeals, the ruling establishes an important precedent on the need to show actual consumer harm when making claims about potential privacy violations—a welcome development for the growing number of companies making use of data-driven innovation.