By David F. McDowell, D. Reed Freeman Jr., and Jacob M. Harper, Morrison & Foerster LLP
I. Introduction: Tracking Class Actions Today
As behavioral advertising, mobile device applications, and websites advance, so do general concerns over privacy, as expressed in the press and by regulators, advocates, academics, and the plaintiff's bar. While users flock to Google Maps to check local traffic jams, and social media to see friends' activities and interests, these groups repeatedly express unease about the vague idea that Big Brother is somehow watching. Increasingly, this unease is expressed through class action matters.
The problem for plaintiffs thus far has been articulating a harm that is sufficient to confer standing in federal court. Such lawsuits-in-search-of-an-injury began over a decade ago with In re DoubleClick Privacy Litig., the seminal privacy class action in which desktop computer users sued DoubleClick Inc., a trailblazer in technology-using browser “cookies” to create tailored online advertising, for breaching alleged privacy rights on the theory that the users did not know websites could “see” users' visited web pages or create advertisements tailored based on those website visits.1 DoubleClick ended quietly with a settlement, followed by years of relative silence on the litigation front as tech companies built the internet into the ubiquitous (and generally free) wealth of information it is today. In the last few years, though, as a burgeoning array of technologies has emerged, privacy concerns are again expressed through class action lawsuits.
Indeed, over one hundred new tracking lawsuits have been filed, all falling into one of a handful of factual situations. The desktop “zombie cookie” class actionsfollowed largely the same fact pattern as DoubleClick, though the “cookies” in these cases come in the form of allegedly difficult-to-delete Flash local shared objects (LSOs or Flash cookies), HTML5 coding, and other proprietary coding.2 Mobile device tracking class actions make similar claims about smartphones and mobile apps.3 Yet other suits accuse technology companies of using interactive online maps,4 and even privacy policies,5 to misappropriate private information. One recently filed action—N.J. v. Viacom Inc.6—brings the cases full circle, alleging Viacom uses Google's “doubleclick.net” cookies to identify users—not the adults in DoubleClick, but minors subject to brand new and more stringent privacy standards established just three days earlier in the Federal Trade Commission's Dec. 18, 2012, update to the Children's Online Privacy Protection Act rule.7
While we have seen a new wave of privacy class actions, the issues facing the federal courts are the same: how to reconcile an inarticulable discomfort with data methods asserted in privacy class actions with their constitutional mandate to address only plaintiffs with standing: the requirement that courts remedy only “concrete” and “particularized” injuries.
This article addresses how federal courts are dealing with notions of privacy harm in the online tracking context. While courts have historically told privacy plaintiffs to seek redress elsewhere—Congress, agencies, the states—district judges have been increasingly open to new notions of harm that allow them, rather than other government bodies, to address the growing but amorphous conception that something about the way their gadgets work does not feel right. The U.S. Supreme Court's recent decision in Clapper v. Amnesty Int'l USA, which held that fear of injury in context of government surveillance does not constitute a cognizable injury,8 may cause those courts to reverse once again and dismiss such suits.
Standing has traditionally made it difficult for tracking suits to survive in federal court. To show standing, a plaintiff must allege (1) an “injury-in-fact” that is “concrete and particularized,” and “actual or imminent”; (2) an injury that is “fairly traceable to the challenged action of the defendant”; and (3) likelihood, “as opposed to mere[ ] speculat[ion], that the injury will be redressed by a favorable decision.”9 Many courts have dismissed these lawsuits, at least in their earlier iterations, under the first prong: lack of an injury in fact.
In the seminal DoubleClick litigation, plaintiffs sued for violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, which contains a statutory minimum of $5,000 in harm to raise a viable claim. Plaintiffs claimed they met the $5,000 threshold by alleging injuries under two theories: (1) the cost to remediate damage to computers and (2) the supposed lost value of the information sought.10
The court rejected these ideas. Regarding the first theory—loss to the computer—the DoubleClick court explained that “users may easily and at no cost prevent DoubleClick from collecting information by simply selecting options on their browsers or downloading an ‘opt-out’ cookie from DoubleClick's Web site.”11Regarding the second—lost information value—the court explained that online advertising is no different from a television marketer or ad mailer sending ads or collecting information about its customers:
We do not commonly believe that the economic value of our attention is unjustly taken from us when we choose to watch a television show or read a newspaper with advertisements and we are unaware of any statute or caselaw that holds it is. We see no reason why Web site advertising should be treated any differently. A person who chooses to visit a Web page and is confronted by a targeted advertisement is no more deprived of his attention's economic value than are his off-line peers. Similarly, although demographic information is valued highly (as DoubleClick undoubtedly believed when it paid over one billion dollars for Abacus), the value of its collection has never been considered an economic loss to the subject. Demographic information is constantly collected on all consumers by marketers, mail-order catalogues and retailers. However, we are unaware of any court that has held the value of this collected information constitutes damage to consumers or unjust enrichment to collectors.12
In other words, marketers, advertisers, and broadcasters have used data to tailor their services for decades; no harm arose from those methods, and their expansion to the internet—through “cookies” or otherwise—is no different. With no harm, plaintiffs did not suffer any injury, let alone one totaling $5,000.
In most of the recent tracking cases, DoubleClick’s skepticism about typical but valueless injury claims—harm to computers, or lost value of private information—have translated seamlessly to Article III standing-based dismissals. In LaCourt v. Specific Media Inc., a Flash LSO case, the plaintiffs made no allegation about harm to their computers. Instead, they relied on the notion that deprivation of an amorphous conception of “personal data” constituted an injury. As in DoubleClick, the court did not buy it: “Plaintiffs do not explain how they were ‘deprived’ of the economic value of their personal information simply because their unspecified personal information was purportedly collected by a third party.”13 Plaintiffs instead left the court with a “quasi-philosophical debate about the possible value of consumers' ‘personal information’ on the Internet”—not enough for Article III standing.14
In Low v. LinkedIn Corp., Plaintiffs sued LinkedIn for allegedly sharing browsing histories with third parties; the claimed injuries were the same as in Specific Media. Dismissing with leave to amend, the court observed that “Plaintiff was unable to articulate a theory of what information had actually been transmitted to third parties, how it had been transferred to third parties, and how LinkedIn had actually caused him harm” and “failed to allege facts that demonstrate that he was economically harmed by LinkedIn's practices.”15
For most cases, therefore, articulating a privacy injury has been the major hurdle in allowing these suits to go forward, though it is worth noting that a handful of cases have survived.17 But even in these rare cases where a court finds harm was sufficiently alleged, the injury comes in the form of collateral damage—lost battery life, impaired computer performance—rather than an injury from the purported privacy violation itself.
Still, even for the vast majority that did not survive after amendment, dismissal is not inevitable. Indeed, courts have stated that ‘“[i]t is not obvious that Plaintiffs cannot articulate some actual or imminent injury in fact. It is just that at this point they haven't offered a coherent and factually supported theory of what that injury might be.’”18
The U.S. Court of Appeals for the Ninth Circuit recently opened up federal courts to any cases in which the plaintiff alleges a statutory injury: the violation of statute for which the plaintiff qualifies for protection—regardless of whether the plaintiff has suffered an actual injury from the alleged privacy violation.
In Jewel v. Nat'l Sec. Agency, the plaintiff alleged that the federal government used surveillance devices attached to AT&T's network to intercept the communications of class members, thereby violating three federal surveillance statutes, all of which explicitly create private rights of action for claims of unlawful surveillance: the Foreign Intelligence Surveillance Act, 50 U.S.C. § 1801, the Electronic Communications Privacy Act (ECPA, also known as the Federal Wiretap Act), 18 U.S.C. § 2510, and the Stored Communications Act, 18 U.S.C. § 2710.20 Although the plaintiff claimed no particular injury from the use of surveillance, the court concluded that the plaintiff alleged concrete injury sufficiently because “a concrete ‘injury required by Art. III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing.’”21
Likewise, in Edwards v. First Am. Corp., a home purchaser alleged that her agent unlawfully referred her title insurance business to First American pursuant to an exclusive agency agreement in violation of anti-kickback provisions of the Real Estate Settlement Procedures Act, 12 U.S.C. § 2607.22 Finding standing, Edwards relied again on the principle that “[t]he injury required by Article III can exist solely by virtue of statutes creating legal rights, the invasion of which creates standing”—even though (1) the plaintiff did not suffer a concrete injury; and (2) the statute does not itself require injury.23
Jewel and Edwards are not traditional tracking class actions, nor are they controlling outside the Ninth Circuit. But as one case put it in refusing to dismiss a tracking case against Pandora Media Inc., these cases portend an opening up of tracking suits to federal litigation “without a showing of actual damages.”24 Two reasons suggest Jewel and Edwards will have broad implications for privacy class actions.
First, after initially granting certiorari in Edwards (and thereby raising hope within the defense bar that the U.S. Supreme Court would reaffirm the requirement of actual harm to state a claim), the U.S. Supreme Court withdrew certiorari as improvidently granted following oral argument.25 Since then, district courts appear to have read the certiorari withdrawal as implicit affirmation that actual injury is no longer required. It will obviously be important to watch how this plays out in other cases.
Second, some district courts are applying the standing-through-statute theory to tracking actions (which, given their technology-oriented defendants, tend to arise more frequently in California than elsewhere). Thus, Judge Lucy H. Koh in the U.S. District Court for the Northern District of California refused to dismiss the amended complaints in the LinkedIn case based in part on Edwards and Jewel—notwithstanding that cases do not articulate an independent tangible harm.26
Limits do exist, however; Jewel and Edwards, even read broadly, do not provide a free ticket to federal court for just any no-injury complaint.
Injury Requirement in Underlying Statute. Defendants should be on the lookout for underlying statutes that require a showing of injury—a common requirement where plaintiffs depend on a private right of action provision. For example, in Boorstein v. Men's Journal LLC, no-injury plaintiffs sued Men's Journal for allegedly disclosing personal information to third parties in alleged violation of California's Unfair Competition Law (UCL), Cal. Bus. & Prof. Code § 17200, and “Shine the Light” Law, Cal. Civ. Code § 1798.83; plaintiffs premised standing on private right of action provisions under these statutes.27 The court dismissed the action for lack of standing because private rights of action under the Shine the Light Law and UCL “expressly require[ ] an injury resulting from a violation. Thus, a violation of the statute[ ], without more, is insufficient” to establish standing, and plaintiffs failed to establish such an injury.28
Likewise, in Sterk v. Best Buy Stores LP, a case decided after certiorari was withdrawn in Edwards, a no-injury plaintiff sued Best Buy for allegedly disclosing his DVD purchase history to a corporate affiliate in purported violation of the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710, which prohibits such disclosures.29 To assert a private right of action under the VPPA, however, the plaintiff must have been “‘aggrieved,’ meaning the individual has suffered an Article III injury-in-fact.”30 Thus, ruled the court:
[A] plaintiff must plead an injury beyond a statutory violation to meet the standing requirement of Article III. Plaintiff argues that a statutory violation is adequate to meet this requirement. However, while Congress is permitted to expand standing to the extent permitted under Article III, Congress cannot abrogate the basic standing requirement that an individual suffer an actual redressable injury in fact.31
Here, because the plaintiff did not allege any damage as a result of the alleged disclosure, he was not “aggrieved,” could not satisfy the underlying statutory requirements for the VPPA, and lacked standing.
Application of Statute to Defendants. Defendants should also pay attention to whether the underlying statute applies to them as opposed to the plaintiffs. The ECPA is a common statute plaintiffs assert in tracking actions, but a growing line of cases holds that it does not apply to internet service providers accessing data in the ordinary course of business, including by making data available to “trackers.”33 If an ISP finds itself on the defensive end of a tracking suit, and plaintiffs premise standing on an ECPA violation, that claim should therefore fail.
Overall, although Edwards and Jewel may be interpreted by at least some courts to permit some privacy suits without injury where an independent statute creates a private right of action without injury, some valid allegation of harm is still necessary, at least when the underlying statutes require it. And even when the statute does not require an injury, statutory limitations will also undermine dubious standing claims. Those limits aside, Jewel and Edwards offer new tools for privacy plaintiffs to use in trying to bypass, in some cases, the injury in fact requirement that traditionally undermined such lawsuits.
Another emerging theory is that mere fear of privacy harm, however indescribable or amorphous, by itself may constitute sufficient injury for Article III standing.
As an initial matter, the fear-as-injury theory had been rejected repeatedly since the U.S. Supreme Court initially addressed that notion in Laird v. Tatum.34 In Laird, plaintiffs challenged a government surveillance system that, by secretly collecting and analyzing personal information about plaintiffs, allegedly injured them by so offending their sensibilities that it had a “chilling effect” on their First Amendment expressive activities.35 The court dismissed the claim for lack of an injury in fact: “[T]heir claim, simply stated, is that they disagree” with the “very existence” of the data-gathering system, as well as the “the type and amount of information” gathered.36 The plaintiffs' vague notions of discomfort and claims that their speech activities were “chilled” were not an “adequate substitute for a claim of specific present objective harm or a threat of specific future harm.”37
Circuit courts have followed Laird for decades. In Vernon v. City of Los Angeles, the Ninth Circuit dismissed a similar claim in which the plaintiff, a police officer, lamented an “investigation” into whether his religious views affected his policing duties.38 The court held that the plaintiff lacked standing because any perceived harm did not amount to a “substantial” injury.39
More recently in Am. Civil Liberties Union v. Nat'l Sec. Agency, plaintiffs sued to enjoin the NSA from listening to phone calls based on perceived fear of privacy violations.40 Again, the court held that fear of privacy violation is not a viable injury. “[T]he plaintiffs do not want the NSA listening to their phone calls or reading their emails. That is really all there is to it. . . . The problem with asserting only a breach-of-privacy claim is that, because the plaintiffs cannot show that they have been or will be subjected to surveillance personally, they clearly cannot establish standing.”41
Laird and its progeny were revisited in 2011, however, at least in the U.S. Court of Appeals for the Second Circuit. In Amnesty Int'l USA v. Clapper, plaintiffs, on behalf of lawyers, journalists, and researchers in routine communications with foreign individuals identified as terrorists, sued the U.S. government for invasions of privacy resulting from secret surveillance activity over communications with foreign terrorism suspects.42 In 2011, against precedent, the Second Circuit held that a “reasonable fear of future injury” does meet Article III's standing requirements, and the plaintiffs may therefore go forward with their suit against the United States. Held the court:
Because standing may be based on a reasonable fear of future injury and costs incurred to avoid that injury, and the plaintiffs have established that they have a reasonable fear of injury and have incurred costs to avoid it, we agree that they have standing.43
After a fractured Second Circuit denied en banc review,44 the U.S. Supreme Court granted certiorari earlier in 2012.
Clapper does not address tracking suits directly, but its impact on standing certainly has implications for them. As Amnesty International's brief put it, plaintiffs believed they had standing because of a “substantial risk that their communications will be monitored” under the act and because this substantial risk has effectively “compelled them to take costly and burdensome measures to protect sensitive and privileged information from the risk of inception.”45 In other words, the plaintiffs hoped the court would interpret privacy “harm” as any action that carries a “substantial risk” of requiring plaintiffs to change their behavior so as to avoid the threat—whether actual or merely perceived.
On March 9, the Supreme Court rejected plaintiff's claim for harm and reversed the Second Circuit.46 In a majority opinion by Justice Samuel Alito (and joined by Justices Anthony Kennedy, John G. Roberts, Antonin Scalia, and Clarence Thomas), the court issued two primary holdings that promise to dampen the plaintiffs' bar's enthusiasm for no-injury privacy suits.
Holding 1: Fear of Future Privacy Injury Insufficient. The court reaffirmed prior precedent to hold that Article III requires a tangible injury, not a speculative threat of one. While a possible future injury could, in some cases, pass muster under Article III, the plaintiff must allege facts showing such an injury was “certainly impending.”47Without the possibility of only speculative injury satisfying the injury in fact requirement, most of the privacy class actions still making their way around the country face a new hurdle.
Holding 2: Spending Money to Prevent Future Privacy Injury Insufficient. To the extent plaintiffs would claim an injury based on money spent avoiding such an injury, the court foreclosed that possibility as well.48 As noted above, tracking plaintiffs often premise standing on the expenditure of money on a product in reliance on a given statement, and have therefore suffered an economic injury sufficient to confer standing. Clapper holds, however, that such a notion would “improperly water[ ] down the fundamental requirements of Article III.”49 Such a theory of injury:
improperly allow[s] respondents to establish standing by asserting that they suffer present costs and burdens that are based on a fear of surveillance, so long as that fear is not “fanciful, paranoid, or otherwise unreasonable.” This improperly waters down the fundamental requirements of Article III. Respondents' contention that they have standing because they incurred certain costs as a reasonable reaction to a risk of harm is unavailing—because the harm respondents seek to avoid is not certainly impending. In other words,respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.50
The Clapper plaintiffs' attempts to “manufacture standing” by spending money to prevent future privacy injuries is remarkably similar to efforts in tracking lawsuits.
Notwithstanding the court's clear stance on these issues, it is not clear district courts will apply it to all tracking matters. After all, 24-hour government surveillance of attorney communications with foreign clients is a far cry from the social-media-might-have-been-tracking-my-browser-history civil lawsuits that defendants are facing today.
Establishing standing in tracking class actions could be on the way to becoming a lower impediment for plaintiffs, though we are only in the early stages of emerging trends that allow plaintiffs' counsel new room to argue for standing. Even if courts are ultimately more willing in some cases to recognize a privacy harm without actual injury, the other two standing prongs—causation (prong two, requiring an injury that is “fairly traceable to the challenged action of the defendant”) and redressability (prong three, requiring a likelihood, “as opposed to mere[ ] speculat[ion], that the injury will be redressed by a favorable decision”)—prove formidable threats to privacy suits.51
Thus, plaintiffs will need to allege specific facts showing the defendant's actions caused the plaintiffs' particular harm (whatever that may be), a difficult proposition in light of the cookie-cutter complaints frequently making broad accusations without allegations specific to the plaintiffs. And they will need to show that the court can redress whatever harm occurs—a particularly difficult feat because, once the data have been shared (as typically alleged), nothing a court can do can take the data back.
We will see how the rest of 2013 plays out on standing, but the current uncertainty makes clear that the cases will keep coming. Even if decisions out of the federal courts continue an emerging trend toward loosening of the standing requirements, however, defense counsel still have strong tools to fight back. All we know for sure right now is that 2013 will be an important year for the direction of privacy class actions in the United States.
David F. McDowell, a partner at Morrison & Foerster LLP's Los Angeles office, is a member and former co-chair of the firm's Consumer Litigation and Class Action Practice Group. D. Reed Freeman Jr., a partner in Morrison & Foerster's Washington office, is a member of the firm's Privacy and Data Security Practice Group. Jacob M. Harper, an associate with the firm's Los Angeles office, is a member of the firm's Class Action, Privacy, and Appellate and Supreme Court Practice Groups.
© 2013 Morrison & Foerster LLP.
DisclaimerThis document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. The Bureau of National Affairs, Inc. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.
©2014 The Bureau of National Affairs, Inc. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of The Bureau of National Affairs, Inc.
To view additional stories from Bloomberg Law® request a demo now