Spokeo, Inc. v. Robins

Concerning Whether Courts Have Jurisdiction to Review Cases Brought Based on Violations of Federal Statutory Rights

Summary

At issue in this case is whether a person may bring a lawsuit when a company violates a federal privacy law. In order to invoke the jurisdiction of federal courts under Article III, a plaintiff must have "standing" to sue. The Petitioner Spokeo, Inc., argued that the case should be dismissed because the Plaintiff did not prove that the publication of inaccurate personal information in violation of the Fair Credit Reporting Act was a concrete "injury" under Article III. The U.S. Court of Appeals for the Ninth Circuit disagreed, and denied Spokeo's motion to dismiss the case for lack of jurisdiction.

Questions Presented

(1) Whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of a federal statute.

Top News

  • EPIC Complaint Seeks Investigation of Auto "Starter Interrupt Devices": EPIC has filed a complaint with the Consumer Financial Protection Bureau over the use of automobile "starter interrupt devices." The EPIC complaint alleges that companies use these devices to "monitor borrowers' real-time location, limit borrowers' movements to prescribed boundaries via geo-fencing technology, and disable vehicles in remote or dangerous locations" in violation of the Consumer Financial Protection Act. EPIC has asked the Bureau "to enjoin their unfair and abusive practices." In testimony, and detailed comments, and letters. EPIC has urged Congress to adopt privacy and safety standards for connected vehicles. EPIC has also submitted comments to the CFPB on debt collection practices and publication of consumer complaint narratives. (Mar. 21, 2017)
  • Trump Order Threatens Consumer Protection, Public Safety: The President has issued an executive order requiring every new regulation to be offset by the repeal of at least two existing regulations. The Order could directly impact rules that safeguard consumers against data breach, financial fraud, and identity theft. EPIC has also recommended new public safety regulations concerning aerial drones, connected vehicles, and the Internet of Things. In EPIC v. FAA, EPIC is challenging the failure of the agency to protect the public from aerial surveillance. (Jan. 31, 2017)
  • More top news »
  • Supreme Court Remands Consumer Privacy Case for Further Consideration » (May. 16, 2016)
    The Supreme Court has ruled in Spokeo v. Robins, a case brought under the Fair Credit Reporting Act concerning the sale of inaccurate personal data. The Court said it was necessary to determine whether plaintiffs injuries were sufficiently "concrete." Justice Ginsburg, in a dissenting opinion, wrote that remand was unnecessary, "Spokeo's misinformation 'cause[s] actual harm to [his] employment prospects.'" EPIC filed an amicus brief, joined by thirty-one technical experts and legal scholars, citing the national epidemic of data breaches. EPIC wrote  this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress."
  • FTC Issues Guidelines for Employment Background Screening » (May. 15, 2016)
    The Federal Trade Commission has issued new guidelines for companies that sell employment background checks.  Under the Fair Credit Reporting Act  companies must ensure “maximum possible accuracy” in reports about job applicants. The FTC warns that a background report incorrectly listing a criminal conviction based on bad records match —for instance, a person with a different middle name than the applicant—could violate FCRA. EPIC recently filed an amicus brief in a case brought by David A. Smith, who was denied employment after a background report incorrectly included the criminal records of David O. Smith.
  • EPIC Files Brief in Suit Over Faulty Background Checks » (Mar. 1, 2016)
    EPIC has filed an amicus brief in Smith v. LexisNexis Screening Solutions. The case was brought by a job applicant who was denied employment after a background report incorrectly stated that he had a criminal record. A court found that LexisNexis had violated Fair Credit Reporting Act by failing to take reasonable steps to ensure "maximum possible accuracy" in the report. LexisNexis appealed. In the amicus brief, EPIC highlighted the industry practice of selling background reports with inaccurate information. EPIC argued that companies should be strictly liable when they fail to maintain accuracy in these reports. In 2005, EPIC filed a famous FTC complaint about the data broker ChoicePoint, which ultimately led to a $10 million dollar settlement.
  • Supreme Court to Hear Critical Consumer Privacy Case » (Oct. 29, 2015)
    On Monday the Court will hear arguments in Spokeo v. Robins, a Fair Credit Reporting Act case brought on behalf of consumers whose rights were violated by the "people search" website. EPIC, technical experts, legal scholars, 15 other groups, and the U.S. Solicitor General, filed "friend of the court" briefs in support of the plaintiff. Citing the national epidemic of data breaches, identity theft, and financial fraud, EPIC argued to the Court this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." The EPIC brief was endorsed by thirty-one technical experts and legal scholars, members of the EPIC Advisory Board.
  • Solicitor General to Support Consumers in Supreme Court Privacy Case » (Oct. 5, 2015)
    The Solicitor General will argue in support of consumer privacy in Spokeo v. Robins, a critical case now before the US Supreme Court about the future of federal privacy law. EPIC, and leading technical experts and legal scholars, also filed a brief in support of consumer privacy laws, highlighting the rise of data breaches and identify theft. EPIC urged the Court not to "limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." The Court will hear arguments in Spokeo on November 2, 2015.
  • EPIC Defends Privacy Laws in Supreme Court Brief » (Sep. 8, 2015)
    In an amicus brief for the Supreme Court EPIC defended Congress's authority to enact laws that safeguard the privacy of American consumers. EPIC explained that "Congress enacted laws that establish rights for individuals and imposed obligations on the companies that profit from the collection and use of this data." Spokeo v. Robins arises from a data broker's publication of inaccurate, personal information in violation of the Fair Credit Reporting Act. The data broker charged that, in addition to the violation of federal law, Mr. Robbins must also show that he was specifically harmed. Citing the current epidemic of privacy risks in the United States, including data breaches, identity theft, and financial fraud, EPIC wrote in the brief that this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." The EPIC amicus brief in Spokeo was endorsed by thirty-one technical experts and legal scholars, members of the EPIC Advisory Board.

Background

Spokeo, Inc. operates a commercial website that discloses to the public personally identifiable information, including contact data, marital status, age, occupation, economic health, and wealth. Some of this information is subject to protection under federal privacy laws. Thomas Robins sued Spokeo for willful violations of the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq. Robins charged that Spokeo disclosed inaccurate information about him that harmed his employment prospects and violated his rights under the Fair Credit Reporting Act. Spokeo sought to dismiss the case, claiming that that there was no “injury-in-fact.” But a federal District Court rejected that argument, finding that the allegation of the FCRA violation was sufficient for the case to go forward. The U.S. Court of Appeals for the Ninth Circuit affirmed the lower court decision.

The Ninth Circuit found that Congress’s "creation of a private cause of action to enforce a statutory provision implies that Congress intended the enforceable provision to create a statutory right.” It also said that the violation of a statutory right is usually sufficient injury in to confer standing. The Court explained that when a cause of action does not require proof of actual damages, a plaintiff can suffer a violation of the statutory right without suffering actual damages. The court rejected Spokeo’s appeal.

EPIC's Amicus Brief

In its brief, EPIC advised the Supreme Court that this is not the time “to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” EPIC argued that plaintiffs can sue in federal court whenever a company misuses their personal information contrary to federal law. The violation of a congressionally created right constitutes the constitutional injury a plaintiff needs to pass through the courthouse door. To require that plaintiffs also prove consequential harm caused by the misuse of personal information would undermine the ability of consumers to prevent misuse of their personal information under FCRA and other privacy and consumer protection laws.

EPIC highlighted the need for robust privacy and consumer protection laws by demonstrating that “Americans consumers today face an epidemic of privacy harms, including data breaches, identity theft, and financial fraud.” In 2015 alone, data breaches have “exposed more than one hundred and forty million records of personally identifiable information.” And according to the most recent Department of Justice report, “identity theft cost American consumers more than twenty-four billion dollars” in 2012. The risk of identity theft and fraud are amplified by data brokers, which collect and store tremendous amounts of sensitive consumer data. Data brokers sell this data, often without verifying its accuracy or completeness, and inaccurate data can have dramatically negative effects on individual consumers.

Because the potential harms are so serious, EPIC urged the Court to maintain the ability of consumers to use privacy and consumer protection laws to hold data collectors accountable for misuse of personal data. Spokeo’s proposed rule “would not only effect a dramatic narrowing of the FCRA, it would undermine the ability of individuals to prevent the misuse of many types of sensitive personal information.” "Were the Court to accept Spokeo’s argument,” EPIC concluded, “the Court would severely limit the deterrent effect of federal privacy laws and contribute to the growing problem of data breach and identity theft in the United States."

Legal Documents

United States Supreme Court, No. 13-1339

Merits Stage Petition Stage

United States Court of Appeals for the Ninth Circuit, No. 11-56843

United States District Court for the Central District of California, No. 10-5306

Relevant Publications

  • Mark Walsh, Supreme Court weighs the right to sue an Internet data site, ABA Journal (Nov. 1, 2015)
  • Karen Levy, Alice Marwick, danah boyd, Privacy Harm in a Networked Society (2014)
  • Ryan Calo, Privacy Harm Exceptionalism, 12.2 Colo. Tech. L.J. 361 (2014)
  • Danielle Keats Citron & David Gray, Addressing the Harm of Total Surveillance: A Reply to Professor Neil Richards, 126 Harv. L. Rev. F. 262 (2013)
  • A. Michael Froomkin, “PETs Must Be on a Leash”: How U.S. Law (and Industry Practice) Often Undermines and Even Forbids Valuable Privacy Enhancing Technology, Ohio State L. J. Symposium on “The Second Wave of Global Privacy Protection” (2013)
  • Rebecca MacKinnon, Consent of the Networked: The Worldwide Struggle for Internet Freedom (2012)
  • Ryan Calo, The Boundaries of Privacy Harm, Indiana Law Journal, Vol. 86, No. 3 (2011)
  • More resources »
  • Helen Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life (2010)
  • M. Ryan Calo, People Can Be So Fake: A New Dimension to Privacy and Technology Scholarship, 114 Penn St. L. Rev. 809 (2010)
  • A. Michael Froomkin, Government Data Breaches, 24 Berkeley Tech. L.J. 1019 (2009)
  • Danielle Keats Citron, Cyber Civil Rights, 89 B.U. L. Rev. 61 (2009)
  • Julie Cohen, Privacy, Visibility, Transparency, & Exposure, 75 U. Chi. L. Rev. 181 (2008)
  • Ann Bartow, A Feeling of Unease About Privacy Law, 155 U. PA. L. Rev. 52 (2007)
  • Francesca Bignami, Towards a Right to Privacy in Transnational Intelligence Networks, 28 Mich. J. of Int'l L., 3 (2007)
  • Gary Marx, Seeing Hazily (But Not Darkly) Through the Lens, 30 Law & Soc. Inquiry 339 (2005)
  • Francesca Bignami, Transgovernmental Networks vs. Democracy: The Case of the European Information Privacy Network, 26 Mich. J. Int’l. L. 807 (2005)
  • Gary Marx, What's New About the New Surveillance, 1 Surveillance & Soc'y 9 (2005)
  • Colin J. Bennett & Charles D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective 106 (2003)
  • Julie Cohen, Privacy, Ideology, and Technology: A Response to Jeffrey Rosen, 89 Geo. L.J. 2029 (2001)
  • Jeffrey Rosen, The Purposes of Privacy: A Response, 89 Geo. L.J. 2117 (2001)
  • Julie E. Cohen, Examined Lives: Informational Privacy and the Subject as Object, 52 STAN. L. REV. 1373 (2000)
  • Michael Froomkin, The Death of Privacy?, 52 Stan. L. Rev. 1461 (2000)
  • Anita L. Allen, Coercing Privacy, 40 WM. & Mary L. Rev. 723 (1999)
  • Jerry Kang, Info. Privacy in Cyberspace Transactions, 50 Stan. L. Rev. 1193 (1998)
  • Antonin Scalia, The Doctrine of Standing as an Essential Element of the Separation of Powers, 17 Suffolk U.L. Rev. 881 (1983)

News

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.

#Privacy

EPIC Bookstore

Robot Law

Robot Law
by Ryan Calo, A. Michael Froomkin,
Ian Kerr