Ninth Circuit Gives the Green Light to Novel Privacy Claims
On Thursday, April 9th, the Ninth Circuit issued an opinion in In re Facebook, Inc. Internet Tracking Litigation refusing to dismiss numerous claims alleging novel privacy violation theories. In so doing, the court doubled down on its decision from August in Patel v. Facebook finding standing for privacy plaintiffs that did not suffer damages. Moving forward, this opinion will increase the liability risk for companies that collect and utilize consumer data.
In re Facebook concerned a website that used “plug-ins to track users’ browsing histories when they visit third-party websites[.]” The website “compiled these browsing histories into personal profiles which are sold to advertisers to generate revenue.” Plaintiffs brought numerous privacy claims under the federal Wiretap Act; the Stored Communications Act; the California Invasion of Privacy Act; and a mishmash of common law claims. The court found that the plaintiffs had standing for every claim. This holding continues a trend in the Ninth Circuit of broadly permitting privacy-based lawsuits, as the Supreme Court has declined to wade in and clarify its last major opinion on Article III standing, Spokeo v. Robins.
First, the court addressed the statutory claims. To assert standing, plaintiffs must show that they (1) suffered a concrete and particularized injury, (2) caused by the defendants, (3) that can be redressed by the court. Here, there was no allegation that plaintiffs suffered any tangible harm—physical, financial, or otherwise. However, the court found that the plaintiffs had standing because they sufficiently alleged a “procedural violation.” In making this determination, the court performed a two-step analysis that asked whether (1) the legislature “enacted the statute[s] at issue to protect a concrete interest that is akin to a historical, common law interest,” and (2) “the alleged procedural violation caused real harm or a material risk of harm to these interests.”
The court found that the “harms” alleged by the plaintiffs were sufficient under this statutory standing test. On the first inquiry, the court cited Patel v. Facebook for the proposition that privacy violations are akin to a historical, common law interest. The court then found that the statutes invoked by the plaintiffs were intended to protect that interest, relying predominantly on the legislative history of the statutes. On the second inquiry, the court found that the plaintiffs “adequately alleged harm to these privacy interests.” The court found that the website’s collection of large amounts of consumer data risked harm to plaintiffs’ “interest in controlling their personal information.” Accordingly, the court concluded that plaintiffs had standing to assert their statutory claims.
Second, the court addressed the common law claims, which included trespass to chattels, fraud, statutory larceny, and the Computer Data Access and Fraud Act. The defendant argued that plaintiffs did not have standing because they did not allege economic loss. The Ninth Circuit accepted the premise but not the conclusion. The court held that “California law recognizes a right to disgorgement of profits resulting from unjust enrichment, even where an individual has not suffered a corresponding loss.” Noting that plaintiffs alleged that the defendant was “unjustly enriched through the use of their data,” the court found that plaintiffs had standing on their common law claims.
The Ninth Circuit’s standing analysis will likely make it easier for plaintiffs to survive motions to dismiss in future privacy lawsuits. For one, the court doubled down on its finding that “procedural violations” of privacy statutes are generally sufficient to confer standing. Perhaps more troubling, the court’s common law standing analysis appears to permit lawsuits over freestanding allegations that companies have used consumer data in unexpected ways—even where that data usage has not caused any harm to plaintiffs. Combined with the state’s decision to move forward with California Consumer Privacy Act enforcement later this year despite the COVID-19 pandemic, the Ninth Circuit’s decision will likely expand liability risks for organizations doing business in California.
Three parties can rein in this expansion in privacy liability. First, states can pass privacy laws that place responsible limits on liability and private rights of action. The U.S. Chamber Institute for Legal Reform’s guide—Mapping a Privacy Path—provides recommendations on how states can do so. Second, Congress could pass comprehensive privacy legislation that preempts state privacy laws. While progress has been slow on this front, Congress has recently shown renewed interest in privacy, spurred on by geolocation tracking of the spread of COVID-19. Third, the Supreme Court could enforce its standing jurisprudence. The Court’s last major standing case—Spokeo v. Robins—held that “a bare procedural violation, divorced from any concrete harm” was insufficient to confer standing. Since then, however, the Supreme Court has refrained from taking cases that have arguably broadened Article III standing.
Unless and until these parties take action, companies should remain prepared to litigate their privacy practices—particularly in California.
The court also discussed the merits of the claims in concluding that most of them survived the motion to dismiss, but this post focuses on the court’s standing inquiry.
The court claimed that both “the legislative history and the statutory text” stood for this proposition, but it cited the statutory text of only the California Invasion of Privacy Act—not the Wiretap Act or the Stored Communications Act.