SCOTUS Remands to Ninth Circuit in High-Profile Privacy Case
March 25, 2019
In a recent per curiam opinion, the Supreme Court vacated and remanded a much-watch case—Frank v. Gaos—perpetuating uncertainty about privacy litigation. The Court sent the case back to the Ninth Circuit for further consideration of the plaintiffs’ standing to sue for violations of a federal privacy law, the Stored Communications Act (SCA or Act). The outcome of the case will influence whether class plaintiffs can bring actions alleging that companies committed technical violations of statutes without any proof that the plaintiffs actually have been harmed.
The remand in Frank v. Gaos is the latest chapter in a years-long privacy class action. Although the issue before the Court was whether the class action settlement was adequate under Federal Rule of Civil Procedure 23, the Court declined to reach the merits and instead adopted the Solicitor General’s view that the Court should to remand the case to scrutinize whether the plaintiffs had Article III standing in the first place. This is a big deal for those who care what sort of cases can be brought in the privacy area.
The federal SCA establishes protections for certain electronic information held by certain types of entities. It prohibits “a person or entity providing an electronic communication service to the public” from “knowingly divulg[ing] to any person or entity the contents of a communication while in electronic storage by that service.” The Act provides any “person aggrieved” with a private right of action to sue for such unauthorized disclosures.
The statute has occasionally been used to claim privacy violations from the activities of online service providers. As technology has evolved, so have some of the theories pressed in court, many of which have failed.
In Frank v. Gaos, a class of plaintiffs alleged that Google’s use of “referrer headers” violated the SCA. Essentially, when a person conducts a Google search and selects a website from the results, the user’s web browser tells the website the user’s search terms. Websites can then use that information to better understand how and why consumers are interested in their content. Although they can be a useful tool that helps websites to accommodate their visitors, the plaintiffs argue that the referrer headers violated the SCA by sharing their search terms with third party websites, rendering them “aggrieved” under the statute.
A key barrier to litigation over these sorts of issues is the requirement that plaintiffs have “standing” – that there is a real “case or controversy,” and that the person bringing suit is actually harmed by the actions of the defendant.
To satisfy standing, the plaintiffs here argued that the use of “referrer headers” harmed them via (1) procedural violations of the federal statute; and (2) the possibility that the websites could link the plaintiffs to their search results through either their IP addresses or their names when conducting “vanity searches” (searches for their own names). Plaintiffs argued that these harms were analogous to common law privacy torts, thus satisfying Article III.
Importantly, neither of the alleged “harms” was alleged to have actually harmed the plaintiffs. The plaintiffs did not allege that anyone actually linked their search results to their identities, much less used that information to their detriment. And while the plaintiffs argued that such linking is “implicit in plaintiffs’ description of how easy reidentification is,” Google argued that this allegation is speculative and would require an attenuated series of hypothetical steps. Google argued that relying on these steps would violate Clapper v. Amnesty International’s requirement that alleged future harms must be “certainly impending” to satisfy the Constitution’s standing requirement. (Wiley Rein drafted and filed the only amicus brief on the winning side of the Clapper case.)
Although the case arrived at the Supreme Court for consideration of a technical question about the adequacy of the parties’ class action settlement, the Court declined to reach the merits and instead remanded on standing grounds. The Court pointed out that its Spokeo, Inc. v. Robins decision held that a “bare procedural violation” of a statute was insufficient to establish standing in federal court. But the Frank v. Gaos district court had found standing based on a Ninth Circuit precedent which held that violations of procedural rights could per se constitute “injury in fact,” which was subsequently abrogated by Spokeo. Thus, the Court concluded that “no court in this case has analyzed whether any named plaintiff has alleged SCA violations that are sufficiently concrete and particularized to support standing.” Accordingly, it remanded to the Ninth Circuit to perform this analysis.
It is unclear what will happen on remand. Spokeo notes that “the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact,” (emphasis added), but provides little concrete guidance. Consequently, lower courts have come to varying conclusions in determining what constitutes injury in fact under Spokeo. And the majority stressed that “nothing in [the] opinion should be interpreted as expressing a view on any particular resolution of the standing question.” (Although Justice Thomas would have found standing under the theory that plaintiffs alleged an “invasion” of their rights under the SCA, consistent with his concurrence in Spokeo.)
Moving forward, this case will have big implications. As the U.S. Chamber of Commerce points out, allowing “no-injury” actions based on procedural violations of statutes like the SCA would subject American businesses to a flood of frivolous litigation. For example, the Illinois Supreme Court recently allowed plaintiffs to bring suits based on mere procedural violations of the Biometric Information Privacy Act. The danger is that class action plaintiffs will be able to pursue massive judgments against businesses for utilizing innocuous and generally helpful tools. As we’ve written about previously, using this kind of class action bludgeon to attempt to “regulate” privacy will serve only to deter innovation by attempting to pressure businesses into huge payouts. It remains to be seen which way courts will go as Frank v. Gaos continues through the federal judiciary.
The question of remedies and enforcement in the privacy context is hotly debated at the state and federal level. These sorts of decisions and the underlying litigation may inform policymakers concerned about striking the right balance in creating privacy rights.