A number of federal privacy laws provide private rights of action, allowing individuals (or class actions) to bring claims alleging violations of certain privacy laws. Some examples of these statutes include the Video Privacy and Protection Act (VPPA), the Telephone Consumer Protection Act (TCPA), and the Fair Credit Reporting Act (FCRA). What is more is that some state privacy laws can be “removed” to federal court in certain circumstances, in which case, Article III standing has to be shown in those cases, too. The most frequent examples of this are federal claims under Illinois’ Biometric Information Privacy Act (BIPA).
However, what it takes to establish Article III standing in these cases is far from crystal clear. And this is notwithstanding the fact that the Supreme Court has attempted to clarify standing in privacy cases twice in the past decade. Unfortunately, while the Supreme Court was given another opportunity to clarify Article III standing in privacy cases in Wakefield v. ViSalus, the Court declined to do so this week.
First, in Spokeo, Inc. v. Robins, in 2016, the Supreme Court considered standing in a case involving a violation of the FCRA. In that case, while the Court acknowledged that Congress sought to curb the dissemination of false information by adopting the procedures of the FCRA, Robins did not satisfy the demands of Article III by alleging a bare procedural violation—i.e., the dissemination of an incorrect zip code. The Court called the FCRA violation that Robins “suffered” (dissemination of a false zip code) a “procedural violation,” and reversed the Ninth Circuit Court of Appeals on grounds that while the Circuit Court correctly looked at whether Robins had suffered an injury, it failed to analyze whether that injury was “concrete and particularized.”
Second, in TransUnion LLC v. Ramierz, in 2021, the Supreme Court considered standing in another case involving a violation of the FCRA. In that case, the majority found that only some of the class members had shown any physical, monetary, or various intangible harms including reputational harm to have Article III standing. The majority found that the remainder of the class members did not sufficiently show concrete harm because even though TransUnion had false information about them, the information was never sent to creditors; thus, no “concrete” harm resulted from the false information. Because all of the class members in TransUnion did not have standing, the Court found that the standing requirement was not met. In TransUnion, the Court further noted that, although Congress’ views on what constitutes a concrete injury could be instructive, Article III was not satisfied just because Congress created a statutory cause of action.
Since Spokeo and TransUnion, it has remained unclear – and an issue of circuit splits – what violations of privacy statutes constitute “intangible harms” (sufficient to confer Article III standing) versus “procedural harms” (insufficient to confer Article III standing). For example, there is also a circuit split regarding whether certain TCPA violations result in a “concrete” harm sufficient to confer Article III standing. In the case of text messages, the 11th Circuit has held that the receipt of a single unsolicited text message is not sufficient to confer standing (see Salcedo v. Hanna, 936 F.3d 1162 (2019)), whereas the 5th Circuit has held that it is sufficient to confer standing (see Cranor v. 5 Star Nutrition, No. 19-51173). The issue presented in Wakefield v. ViSalus, which the Supreme Court declined to hear this week, would have provided the Court an opportunity to clarify when a statutory violation that does not result in physical or monetary harm results in an “intangible harm” sufficient to confer Article III standing as opposed to a mere “procedural harm.” The facts in ViSalus were such that individuals had received allegedly unconsented to robocalls marketing ViSalus’s weight-loss shake mix. However, for at least some of the individuals, the lack of consent is arguably a procedural question because the individuals had voluntarily provided phone numbers and some consent to receive marketing and promotional communications, they just had not provided prior express written consent and the regulations had changed in 2013 to require prior express written consent.
What is the difference between the harms in TransUnion (where false information was collected but not yet disseminated, and the FCRA law is aimed at promoting accurate and fair information) and the harms in ViSalus (where the individuals had provided contact information and consented to marketing communications but the regulations required prior express written consent, and the TCPA law is aimed at protecting consumers from invasive telemarketing practices)?