Recent Privacy Cases Regarding Article III Standing from the 9th Circuit and Northern District of California
Article III standing – or lack thereof – continues to confound litigants especially in privacy cases. In Spokeo Inc. v. Robins, 136 S. Ct. 1540 (2016), the U.S. Supreme Court firmly established that a plaintiff cannot satisfy the injury-in-fact requirement of Article III by alleging “a bare procedural violation, divorced from any concrete harm.” Id. at 1549. A series of 2020 decisions in data privacy cases in the Ninth Circuit, however, have signaled a willingness to interpret broadly the “concrete and particularized” injury requirement and to allow plaintiffs to assert privacy claims even on what would appear to be bare procedural violations. We summarize those decisions in turn below.
In Campbell v. Facebook, Inc., the Ninth Circuit found that the plaintiffs, who alleged that Facebook scanned their private messages for URL and used that information without consent in violation of the Electronic Communications Privacy Act (ECPA) and the California Invasion of Privacy Act (CIPA), had established Article III standing. 951 F.3d 1106, 1118 (9th Cir. 2020). Parsing the principles established in Spokeo, the Ninth Circuit held that while a plaintiff cannot satisfy the “concreteness” requirement by merely pointing to a “bare procedural” violation of a statute, a plaintiff bringing a claim under a statutory provision that identifies “a substantive right that is infringed any time it is violated . . . need not allege any further harm to have standing.” Id. at 1117 (internal quotation marks omitted). The Ninth Circuit explained that because the harm at issue was an intangible harm linked to a statutory violation, both the history and judgment of the legislature played an important role in determining whether the alleged injury was “concrete.” Id. at 1116-17. Specifically, the court found that (1) the ECPA and CIPA provisions at issue—which target “substantive intrusion” of private communications “rather than merely setting out a procedure for handling data”—protect against harms that bear a “close relationship” to ones that have “traditionally been regarded as providing a basis for a lawsuit” (in this case, actionable common law right to privacy); and (2) the legislature had intended that these provisions “reflect statutory modernizations of the privacy protections available at common law.” Id. at 1117-18. As such, the court concluded that these provisions, which “codif[y] a context-specific extension of the substantive right to privacy,” “protect concrete interests” and the plaintiffs need not allege any additional harm to have standing. Id. at 1117.
Not long after Campbell, the Ninth Circuit likewise found that the plaintiffs in In re Facebook, Inc. Internet Tracking Litigation had standing to pursue their privacy claims under the Wiretap Act, the Stored Communications Act (SCA), and CIPA because they had “sufficiently alleged a clear invasion of the historically recognized right to privacy.” 956 F.3d 589, 599 (9th Cir. 2020). The plaintiffs specifically alleged that Facebook improperly tracked logged-out users’ browsing histories and compiled that information to create personal profiles that were sold to advertisers. Id. at 596. Following an analysis similar to the one in Campbell, the Ninth Circuit found that (1) violations of the right to privacy, which “encompass[es] the individual’s control of information concerning his or her person,” have long been actionable at common law; and (2) the legislature had “intended to protect these historical privacy rights” when it enacted the Wiretap Act, SCA, and CIPA. Id. at 598. Thus, the court concluded that “these statutory provisions codify a substantive right to privacy, the violation of which gives rise to a concrete injury sufficient to confer standing.” Id.
The district courts in the Northern District of California, relying on these Ninth Circuit decisions, have similarly found standing in other privacy cases. For example, following the guidance in Campbell, the district court found that the plaintiffs in In re Google LLC St. View Elec. Commc’ns Litig., who alleged that Google intercepted and stored users’ private electronic communications, had standing to bring their Wiretap Act claim. 2020 WL 1288377, at *3 (N.D. Cal. Mar. 18, 2020). Likewise, in In re Google Referrer Header Privacy Litigation, the court found that the plaintiffs, who alleged that Google improperly disclosed users’ search terms to third party servers in violation of the ECPA, had standing to bring their claim because the Ninth Circuit has recognized that the ECPA is among “these statutes that codify a context-specific extension of the substantive right to privacy, the violation of which is a concrete harm.” 2020 WL 3035796, at *6 (N.D. Cal. June 5, 2020) (internal quotation marks omitted).