Article III of the U.S. Constitution grants federal courts the power to adjudicate certain “cases” or “controversies.” This constitutional case-or-controversy clause provides the foundation for the doctrine of standing, a threshold inquiry plaintiffs must satisfy before a federal court may exercise subject-matter jurisdiction over a claim. Among other requirements, a plaintiff must show that he has suffered an “injury in fact” that is concrete and particularized as well as actual or imminent, not conjectural or hypothetical. These standing requirements ensure that only an individual directly impacted by the violation or imposition of a law may sue to enforce or challenge it. Note, however, that the threshold question of whether a plaintiff has standing is distinct from the merits of the plaintiff’s claim. As such, a plaintiff may have standing to bring a suit but still may not be able to assert a claim successfully on the merits.
As Supreme Court Justice Samuel Alito once quipped, “injury-in-fact is not Mount Everest,” and in many types of litigation the issue of standing attracts little attention. For some plaintiffs alleging violations of privacy rights, however, identifying the requisite injury-in-fact has been challenging—particularly where the plaintiffs’ legal claims are based on alleged misappropriation of personal information. In some cases, the plaintiffs’ allegations fail to give the detail necessary to demonstrate an injury that is concrete and particularized, actual or imminent, and likely to be redressed by a favorable decision.
For example, in a recent Northern District of California case, In re iPhone Application Litigation, the plaintiffs alleged that Apple and other defendants unlawfully allowed third-party software applications installed on users’ mobile devices to collect personal information, such as telephone numbers, for commercial purposes without the users’ consent. The plaintiffs asserted claims for violations of federal and state statutes relating to computer security and consumer protection, as well as common-law claims for negligence and trespass, among others.
The iPhone court found that the plaintiffs lacked Article III standing to assert these claims for two main reasons. First, despite a lengthy complaint, the plaintiffs did not allege injury to themselves, as opposed to mobile device users generally. For example, the complaint did not identify which applications these plaintiffs downloaded onto their devices, or which defendant (if any) supposedly accessed or tracked their personal information. Second, the plaintiffs had “not identified a concrete harm from the alleged collection and tracking of their personal information sufficient to create injury in fact.”
In so holding, the court rejected the plaintiffs’ assertion that they had alleged injury caused by:
- The third-party applications’ alleged misappropriation or misuse of the plaintiffs’ personal information,
- Alleged diminution in value of the plaintiffs’ personal information, or
- Alleged diminution in value of the plaintiffs’ mobile devices because they were “less secure” and “less valuable.”
The court later granted leave to amend the complaint, but dismissed most claims and defendants as a matter of law.
The same court reached a similar conclusion in Low v. LinkedIn Corp. in addressing the plaintiff’s allegations that LinkedIn had disclosed his “personally identifiable [Internet] browsing history,” among other personal information, to third-party advertising and marketing companies via “cookies” installed on the plaintiff’s computer. Asserting legal claims similar to those in the iPhone case, the plaintiff in LinkedIn claimed to have suffered injury in fact in the form of disclosure of his personally identifiable browsing history, which plaintiff asserted was “valuable personal property with a market value”, without compensation. The plaintiff also alleged “embarrassment and humiliation” caused by this disclosure. The court held that both of the plaintiff’s alleged injuries were too abstract and hypothetical to constitute an actual or imminent injury in fact sufficient to establish Article III standing.
As to the plaintiff’s theory of “emotional harm,” the court concluded that the plaintiff had not adequately alleged what personal information had actually been disclosed, how such information could be traced to the plaintiff himself, or how such information had been disclosed to third parties by LinkedIn. The court also rejected the plaintiff’s theory of economic harm, holding that he had not alleged facts demonstrating whether or how he was prevented from capitalizing on the purported value of his personal information. (The court later held that the plaintiff’s amended complaint sufficiently alleged injury in fact, but dismissed the complaint for failure to state a claim.)
Other federal courts have reached similar conclusions, holding that personal information has no inherent compensable value and that its collection or use generally does not constitute economic loss to the plaintiff. For example, in LaCourt v. Specific Media, Inc., the plaintiffs alleged that an online advertising network installed cookies on their computers to track the plaintiffs’ Internet use without their consent. According to the plaintiffs, this caused a “loss” by foreclosing them from conducting “value-for-value exchanges” in which they would apparently trade their personal information for monetary value. The court was not persuaded, and held that the plaintiffs lacked Article III standing because they had not alleged that any named plaintiff was actually harmed by the defendant’s alleged conduct; nor had the plaintiffs alleged any “particularized example” of economic harm to their computers.
In light of these difficulties in demonstrating injury in fact, plaintiffs asserting consumer privacy claims have recently focused on a different potential avenue to establish Article III standing. Some federal courts, relying on language in the Supreme Court’s 1975 opinion in Warth v. Seldin, have stated that the Article III injury-in-fact requirement may be satisfied solely “by virtue of statutes creating legal rights, the invasion of which creates standing.” Under this theory, the court typically inquires whether the allegedly violated statute “properly can be understood as granting persons in the plaintiff’s position a right to judicial relief.” This approach, however, arguably is in conflict with the Supreme Court’s subsequent admonition in Raines v. Byrd that “Congress cannot erase Article III’s standing requirements by statutorily granting the right to sue to a plaintiff who would not otherwise have standing.” Similarly, the Supreme Court stated in Summers v. Earth Island Institute that “injury in fact is a hard floor of Article III jurisdiction that cannot be removed by statute.”
Despite this unresolved tension, courts in some privacy cases have held that plaintiffs have standing by virtue of asserting claims under certain statutes, such as those that provide civil relief to persons whose electronic communications are intercepted or accessed without their authorization. Privacy litigators anticipated that the Supreme Court might resolve this tension last year after it granted a writ of certiorari to review the 9th Circuit’s opinion in First American Financial Corp. v. Edwards. Following full briefing and argument, however, the Supreme Court dismissed the writ of certiorari as improvidently granted. Absent clear guidance from the Supreme Court, the extent to which an alleged statutory violation alone is sufficient to establish Article III injury in fact will continue to be litigated in consumer privacy actions.
