CCPA Privacy Lawsuits Implicated in United States Challenge to Injury Standing in Frank v. Gaos
The Supreme Court will hear from the Solicitor General of the United States in the challenge to the settlement of a privacy lawsuit against Google at the end of October. In its amicus curiae brief supporting neither party, the United States questioned whether the plaintiffs articulated a sufficient injury to support Article III standing. If it is decided that the Article III standard has not been met, the case could have important ramifications on the right to a cause of action provided in the California Consumer Privacy Act (CCPA or CaCPA) – eliminating federal courts as a potential place to litigate such claims if they involve solely statutory damages.
Article III of the U.S. Constitution limits the power of the federal courts to cases and controversies. If there is not an actual and concrete dispute between the parties, it is not within the jurisdiction of the federal courts to decide the matter. The standard articulated by the Solicitor General in its brief is that there is a requirement for an “injury in fact” which is both “concrete” and “particularized”.
The question is an interesting one for privacy class action litigation where an individual’s personal injury has been distributed but they have not suffered a clear monetary loss resulting from it.
The underlying lawsuit centers around the transmission of referral headers, including the user’s search terms, between Google (where they were typed in as part of its search engine), to the destination website. The named plaintiff conducted vanity searches for her own name on the Google search engine and clicked on the results links, which she contends resulted in a violation of the Stored Communications Act (with a statutory damage provision for at least $1,000 per violation). The lawsuit was filed in 2010 and the appeal to the Supreme Court primarily relates to the question of whether a cy pres settlement resulting in the payment of funds to charities (rather than the class) is permitted. Nevertheless, the Solicitor General’s arguments could become an important aspect of the future of the case if the Supreme Court decides to remand based on them.
The United States argued in its brief that the Plaintiffs did not identify a particular injury resulting from Google’s use of referrer headers. The brief is carefully worded not to take a position on the question, recommending that the lower courts address whether there was Article III standing due to a “risk of real harm”. Nevertheless, the impact of such an argument could be substantial in privacy litigation.
The California Consumer Privacy Act recently authorized California consumers to bring a cause of action for statutory damages of between $100 and $750 per person per incident for data breaches where the business did not take reasonable security measures. If the Supreme Court remands the case and it is ultimately decided that there is not Article III standing in Frank v. Gaos, it will be strong precedent that violations of the CaCPA seeking statutory damages are also not entitled to be brought in the federal courts.
Ultimately, many other issues will decide whether privacy lawsuits are successful under the California Consumer Privacy Act, as state courts are not bound by the Article III standard in the U.S. Constitution. It is not clear that such a decision would be good for companies – corporations sued as defendants generally prefer to litigate in federal court rather than state court. As a result, individuals may ultimately benefit from the inability of companies to remove their lawsuits. It is simply too soon to say. However, it is an issue that we will be following closely within the larger case involving a third-party challenge to the fairness of the settlement in the class action litigation.
Federal Privacy Laws
– Pending Congress Bills
– Clarip Blog