The following post, written by Shawna English and Laura Lange, was first published on McGuireWoods’s Password Protected blog.  We’ve paid a lot of attention this year to how district and circuit courts have applied Spokeo, and welcomed the opportunity to reprint it here.

Earlier this year, the Supreme Court, in Spokeo, Inc. v. Robins, held that a bare procedural violation of a statutory requirement, divorced from any concrete harm, does not establish the injury-in-fact necessary to maintain a lawsuit in federal court. As the year comes to an end, it is clear that Spokeo has undoubtedly had an impact on class actions involving data privacy.

Procedural Violations of Data Privacy Statutes Do Not Satisfy Article III Following Spokeo

Given that many data privacy statutes provide for statutory damages and attorneys’ fees, they have become prime targets for class action attorneys. The class action claims, however, typically stem from technical or procedural violations of these statutes without any actual harm suffered by the plaintiffs, subjecting these lawsuits to fresh attacks following Spokeo. The various Courts of Appeals that have faced such challenges in data privacy actions in the wake of Spokeo have consistently found standing lacking under Article III.

Most recently, on December 13, 2016, the Seventh Circuit examined Spokeo in the context of the Fair and Accurate Credit Transactions Act (FACTA) in Meyers v. Nicolet Restaurant of de Pere, LLC.  FACTA prohibits businesses from printing more than the last five digits of a customer’s credit card number or the expiration date on a receipt, providing a private right of action with statutory damages up to $1,000 for any violation. In Meyers, the plaintiff alleged that a restaurant violated FACTA by printing the expiration date of his credit card on his sales receipt. In analyzing whether the plaintiff suffered a concrete harm in accordance with Spokeo, the Court noted that the plaintiff discovered the violation immediately, nobody else saw the non-compliant receipt, and thus it was “hard to imagine” how the expiration date could have increased the risk that the plaintiff’s identity would be compromised. Accordingly, the Court held that the plaintiff failed to establish any concrete harm, nor any appreciable risk of harm, to satisfy the injury-in-fact requirement for Article III standing under Spokeo.

The D.C. Circuit similarly held that a data privacy class action could not even “get out of the starting gate” with respect to standing following Spokeo. The plaintiffs in Hancock v. Urban Outfitters, Inc. alleged violations of D.C.’s Use of Consumer Identification Information Act, which prohibits retailers from asking for a customer’s address in connection with a credit card transaction. The Court held that the plaintiffs failed to allege that they suffered any cognizable injury as a result of defendants requesting their zip codes, noting that the plaintiffs did not allege any invasion of privacy, increased risk of fraud or identity theft, or pecuniary or emotional injury.  Instead, the claim rested upon a bare violation of the statute—the very theory of standing that the Supreme Court rejected in Spokeo.

These cases suggest that purely technical violations of data privacy statutes will not satisfy the injury-in-fact requirement under Article III’s standing analysis after Spokeo.  Instead, plaintiffs will need to show that a violation caused harm, likely through the actual disclosure to a third party or some evidence of emotional injury.

Data Breaches Likely Satisfy Article III Standing

Spokeo, however, has had less of an impact on standing in data breach class actions. This is because, as the Supreme Court in Spokeo acknowledged, an alleged violation of a procedural statutory right can establish the requisite concrete injury if the violation creates “a risk of real harm.”

The Sixth Circuit recently held that a data breach creates a sufficient “risk of real harm” to satisfy Article III. In Galaria v. Nationwide Mutual Insurance Company, some hackers allegedly broke into an insurance company’s computer network and stole personal identifying information of the customers. The plaintiffs brought a class action alleging violations of the Fair Credit Reporting Act for the company’s alleged failure to adopt procedures to protect against the wrongful dissemination of its customers’ data. In evaluating standing, the Court found that where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for fraudulent purposes—creating a “risk of real harm” to support standing. The plaintiffs also alleged that they had to expend time and money to monitor their credit, check their bank statements, and modify their financial accounts because of the data breach. Thus, in addition to the substantial risk of harm, the plaintiffs had reasonably incurred mitigation costs sufficient to establish standing under Article III.

Looking Ahead to Future Standing Challenges

Cases involving data privacy claims arguably have seen the greatest impact from the Supreme Court’s ruling in Spokeo.  Although the line drawn between standing and the absence of standing seems clear at the moment, plaintiffs’ attorneys are sure to create new theories of harm to attempt to satisfy Article III’s standing requirement.