Zappos and the Supreme Court’s Reluctance to Address Privacy Harms Under Article III Standing
March 27, 2019
On Monday, the Supreme Court denied cert in Zappos.com, Inc. v. Stevens, signaling that the Court remains reluctant to address privacy harms under Article III standing. The petition for certiorari in Zappos asked the Court to resolve a circuit split over whether individuals have standing where their personal information is held in a database breached by hackers, even if they have not actually suffered an injury from that data breach. In declining to answer the question, the Supreme Court has avoided the hotly-debated privacy harm issue for the third time this year. The Court may be waiting for a better vehicle, or it may be hoping that Congress resolves some of these issues in comprehensive legislation. In the meantime, companies and lawyers face uncertainty and substantial litigation risk.
Zappos was the Ninth Circuit’s latest foray into Article III standing and privacy litigation. The facts are straightforward. Zappos—an online retailer—maintained a database of customers’ information. Despite the company taking steps to secure that database, hackers breached Zappos’ systems and accessed the personal identifying information of 24 million customers. Some of those customers then filed a class action against Zappos, even though none of the plaintiffs suffered identity theft or fraud as a result of the data breach. The district court dismissed the case on “standing” grounds, concluding that the plaintiffs did not allege that they incurred or were imminently likely to incur harm from the breach. The Ninth Circuit reversed, holding that plaintiffs who allege that their data has been stolen satisfy standing because they face an “imminent risk of identity theft.” Zappos petitioned the Supreme Court to hear the case and reverse the appeals court.
The Supreme Court decided not to hear the case, declining again to provide lower courts with guidance to implement the high Court’s two seminal standing decisions: Spokeo, Inc. v. Robins and Clapper v. Amnesty International. In Spokeo, the Supreme Court held that a “bare procedural violation” of a statute did not necessarily constitute a concrete injury but that it could satisfy standing in “some circumstances.” In Clapper, the Supreme Court held that harms must be “certainly impending” to satisfy Article III standing and rejected attenuated, multi-step theories of harm. (Wiley Rein filed the only amicus brief on the winning side of the Clapper case). After Spokeo and Clapper, some courts remain confused about what constitutes a concrete, non-speculative harm.
Many have called on the Court to remind the lower courts that Clapper and Spokeo confirm the Constitution’s serious barrier to litigation over possible privacy harms. But the Supreme Court has avoided doing so. In January, the Supreme Court declined to take up FCA v. Flynn—a case in which consumers sued FCA after an article came out describing how two cybersecurity researchers were able to hack a Jeep Cherokee—despite the fact that there was no evidence of any FCA vehicles being hacked outside of a controlled environment. (Wiley Rein filed a brief on behalf of CTIA-The Wireless Association). Last week, the Supreme Court vacated and remanded Frank v. Gaos, directing the Ninth Circuit to determine whether the disclosure of search terms—without alleging that the search terms were linked back to a plaintiff—could constitute a concrete harm under Article III. The Supreme Court provided no opinion on the standing question, despite directing supplemental briefing on the issue. (Our full article on Gaos is here). Zappos is the third in a trifecta of cases in which the Supreme Court has avoided addressing privacy-related harms under Article III’s standing requirement.
While the Court lets the issue percolate, class action suits are piling up against companies by legions of plaintiffs that have not incurred any harm. The Illinois Supreme Court just gave the green light on suits for violating the state’s Biometric Information Privacy Act (“BIPA”) without “[p]roof of actual damages.” The underpinnings of these suits are usually procedural violations of the BIPA, such as not providing written notice that the defendant is collecting information, even where the plaintiff is deliberately providing the information. And in a recent decision, the Northern District of Georgia allowed plaintiffs to sue Equifax for a data breach—not because the data breach led to identity theft or fraud but because the data breach caused investors to lose money when Equifax’s share price dropped. As we noted at the time, this kind of theory risks opening the floodgates for suits that attempt to impose de facto cybersecurity requirements.
It is unclear why the Supreme Court is hesitant to enforce Spokeo and Clapper, but failing to do so will continue to impose costs on businesses facing litigation and litigation risk.
A handful of plaintiffs did allege that they suffered actual fraud or identity theft, but their suits were not part of the class action in Zappos.com, Inc. v. Stevens.