On February 4, 2014, in Robins v. Spokeo, Inc., the Ninth Circuit reversed a district court and held that a plaintiff had standing to pursue a claim for damages under the Fair Credit Reporting Act (FCRA).
Spokeo is a data broker that operates a “people search” website that allows users to obtain information about other individuals, including contact information, marital status, age, occupation, economic health, and wealth level. The complaint asserted that Spokeo violated a number of provisions of the FCRA, such as the requirement that the company, as an alleged “consumer reporting agency,” did not follow reasonable procedures to assure the requisite accuracy of information about consumers or provide notices to providers and users of information. With respect to harm, the named plaintiff, bringing the action on behalf of a putative class, asserted that Spokeo had provided inaccurate information about him – namely, that he had a graduate degree and was wealthy – which diminished his employment prospects and led to anxiety and stress about his damaged ability to obtain work.
The Ninth Circuit easily dispensed with the challenge to standing as a statutory matter. The court reasoned that because the FCRA provides a private right of action that does not require proof of actual damages, so, too, the statute does not require a plaintiff to plead actual damages to have standing.
As for Article III injury-in-fact, the Ninth Circuit required no more in the way of pleading actual damages. The court explained that, first, a plaintiff must allege that his statutory rights have been violated. Second, the statutory rights at issue must protect against “individual, rather than collective, harm.” The plaintiff alleged that he personally was injured by Spokeo’s provison of inaccurate information about him. And his “personal interests in the handling of his . . . information are individualized rather than collective,” and therefore constitute “concrete de facto injuries.” As for causation and redressability, once again, the statutory cause of action controlled: the alleged violation of a statutory provision “caused” the violation of a right conferred by that provision. Likewise, the court reasoned that statutory damages are presumed to redress the alleged injury.
The Ninth Circuit’s Spokeo decision follows the reasoning of Beaudry v. TeleCheck Services, Inc., 579 F.3d 702 (6th Cir. 2009). At the same time, such statutory cases stand in contrast to the many – but by no means all – class actions where plaintiffs have struggled to plead injury-in-fact to pursue state common law claims seeking damages following the loss of personal information in a data breach. See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (dismissing complaint for lack of standing); Key v. DSW Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006) (same); but see, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007) (holding plaintiff demonstrated standing).