In recent weeks, the Internet Association continued to weigh in on the debate around how best to define consumer harm in privacy and data breach cases. Our first post on this issue one year ago looked at the Federal Trade Commission’s Nomi case. Two Commissioners dissented in that case, both of them citing a lack of evidence of consumer harm resulting from Nomi’s conduct as their basis for voting against the majority. The Nomi case was followed late last year by the FTC Chief Administrative Law judge’s decision in LabMD, in which the judge found against FTC staff in a data security case because the staff had produced insufficient evidence of consumer harm.
Both the Nomi and LabMD cases pointed to the need for some fresh thinking at the FTC about how best to define consumer harm in privacy and data security cases, whether they are brought under the deception or the unfairness prong of the FTC Act.
Since Nomi and LabMD, this issue has broadened and been elevated beyond the FTC. In recent weeks, defining consumer harm in privacy cases has resurfaced in two different contexts, namely the U.S. Supreme Court and the U.S. House of Representatives, both of which seem to be aligned with the FTC minority and the agency’s ALJ in their thinking on the issue.
Last month, the Supreme Court issued its long-awaited opinion in the Spokeo v. Robins case, a class action suit brought against Spokeo alleging breaches of the Fair Credit Reporting Act (FCRA). According to Robins, Spokeo breached the FCRA because the website published inaccurate information about him, including his marital status and academic qualifications. Robins alleged that these inaccuracies made it harder for him to successfully apply for job openings, but he did not provide specific evidence of actual harm supporting this claim. The core issue before the Supreme Court was whether Robins had legal standing to bring the case because – according to Spokeo – he had failed to show concrete harm resulting from the information on the company’s website.
The Internet Association filed an amicus brief with the Supreme Court in support of Spokeo. In our brief, we explained that Internet companies are “frequently targeted by opportunistic lawsuits,” like the one in Spokeo, under various statutes with a private right of action, including the FCRA and the Telephone Consumer Protection Act. In these cases, the alleged harm is “a bare statutory” violation and not a “concrete, actual harm.” We called on the Supreme Court to course correct on this issue since our member companies frequently have to settle these lawsuits despite a lack of concrete harm to the plaintiffs involved.
In its Spokeo decision, the Supreme Court appears to have met us half way. In a six-to-two decision written by Justice Alito, the Court sent the case back the Ninth Circuit to review the standing question again. According to the majority opinion, in order to have standing Robins needed to show an “injury in fact” from Spokeo’s actions. The Court emphasized that this injury needed to be both “concrete and particularized,“ and that the Ninth Circuit had not fully analyzed this issue.
Although some were disappointed that the Supreme Court did not emphatically rule in favor of either party, but rather sent the case back to the Ninth Circuit, the Spokeo case does mark an important milestone in the debate around privacy harms and how to define them. Helpfully, the Supreme Court explained that a plaintiff does not automatically satisfy “the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” In other words, standing to bring a case under a private right of action in a privacy statute “requires a concrete injury even in the context of a statutory violation.”
Beyond the Supreme Court, the U.S. House of Representatives has also shown interest in tackling privacy and data security pleading standards through legislation. Earlier this month, the House Energy & Commerce Committee held a legislative hearing on no fewer than 17 FTC bills, some of which targeted how consumer harm is defined in FTC privacy and data security cases. The Internet Association testified at this hearing. In our testimony, we explained that one bill in particular – the SURE Act – would modernize FTC unfairness cases by creating a stronger role for economic evidence of concrete – and not speculative – consumer harm in privacy and data security cases brought before the Commission. As explained in our testimony, "the SURE Act codifies several of the principles outlined by Judge Chappell in his LabMD opinion,” and while “both the [Energy & Commerce Committee] and Judge Chappell want the FTC to succeed in its work … they also want the FTC to modernize its approach to economics in consumer protection cases.” The SURE Act will be marked up by the committee today.
Our recent testimony began by recognizing the important role the FTC plays in our society and we thanked the agency for the work it does on behalf of American consumers. However – like the truth seekers in the original Wendy’s commercial of old – on this important issue we will keep asking questions. Sometimes – just like Wendy’s competitors in the ads – the agency is focused on the fluffy bun and not on the patty. So long as this is the case we will keep asking the question: “Where’s the Beef?”