Atlas Data Privacy Corp., et al. v. We Inform LLC, et al.

Question Presented

Whether a privacy law regulating the disclosure of private information (a person’s home address and unpublished telephone number) is facially unconstitutional under the First Amendment.

Background

After a judge’s son was murdered and husband shot by a disgruntled lawyer at their home in response to the judge’s ruling, New Jersey and other states passed “Daniel’s Law” to protect the safety of officials involved in the legal system. The law responds to growing rates of threats and violence against judges and other court officials nationwide. Among other protections, Daniel’s Law gives covered persons the right to request that websites not disclose their home addresses and unpublished telephone numbers.

One main target for Daniel’s Law enforcement has been the data broker industry. Data brokers are companies that collect enormous amounts of data about people to sell to the highest bidder. As EPIC has noted time and again, data brokers are among the most dangerous privacy violators in the modern economy. By collecting, aggregating, and selling enormous amounts of personal information without meaningful privacy, accuracy, and bias safeguards, they endanger a variety of important values and interests.

This case involves two important legal questions: how to balance privacy and free speech, and when are litigants able to bring disfavored “facial challenges” to privacy regulations under the First Amendment?

Claims that a data protection law violates the First Amendment raise important and long-running questions about how to properly balance the values of free speech and privacy. One of these questions is what the proper level of First Amendment scrutiny to apply to a privacy law is: strict scrutiny, intermediate scrutiny, commercial speech scrutiny, or no scrutiny at all?

Whether a law is evaluated under strict scrutiny or a lower tier of scrutiny matters because few laws are able to withstand strict scrutiny. It requires the government’s interest to be “compelling” and requires the government to have used the least restrictive means available to achieve that interest, meaning the best fit between means and ends. Strict scrutiny is usually reserved for laws that evince an intent to suppress certain viewpoints or topics.

This case also involves a facial First Amendment challenge to a privacy law. Facial challenges are disfavored by courts because they rely on guesswork and hypotheticals and have the potential to strike down an entire law that might be unconstitutional in certain applications but not in others. For years, facial challenges have been one of the tech industry’s favorite tools because they have succeeded in using them as powerful deregulatory tools, casting constitutional laws as dangerous censorship regimes because of a remote chance of a few unconstitutional applications. Luckily, the Supreme Court recently dealt a major blow to this strategy in its Moody v. NetChoice decision, but lower courts are still working to understand the decision.

The Case

This case stems from data brokers’ refusal to abide by Daniel’s Law privacy protections, claiming that the First Amendment means the law is unconstitutional. Thousands of New Jersey residents who qualify for Daniel’s Law protections have assigned Atlas Data Privacy Corp. as their agent to request non-disclosure of their addresses and phone numbers. After Atlas requested that many of the largest data brokers not disclose their clients’ information, and the data brokers refused to abide by the request, Atlas sued.

In the district court, the data brokers moved to dismiss Atlas’s claims, arguing that the lawsuit must fail because Daniel’s Law is facially unconstitutional under the First Amendment.

They argue that Daniel’s Law is facially unconstitutional because it is a content-based restriction on speech that triggers, and fails, strict scrutiny. They argue that under a case called Sorrell v. IMS Health, that Daniel’s Law regulates speech because the creation and dissemination of information is always protected speech. Because of this, they argue, Daniel’s Law is a content-based regulation because it specifically applies to home addresses and phone numbers instead of other types of data. This makes it presumptively unconstitutional and subject to strict scrutiny.

Finally, they argue that Daniel’s Law fails strict scrutiny for a variety of reasons that boil down to the argument that the law isn’t perfectly fit to the interests it seeks to advance. For instance, they claim the law is unconstitutionally overbroad because it regulates all disclosures of the protected information instead of only regulating disclosure to people that the data brokers know are intending to harm judges, and they argue that it is unconstitutionally under-inclusive because it permits a person to request that data brokers not sell their information while permitting the same person to publicize their own home address.

The district court ruled that Daniel’s Law is constitutional. While it did label Daniel’s Law as a content-based regulation of speech, it noted that privacy laws have long coexisted with the First Amendment and that the Supreme Court has repeatedly said that such laws must be analyzed on a careful case-by-case basis.

Instead of applying strict scrutiny, the court applied a test it derived from some of the Supreme Court’s precedent, asking (1) whether the information is lawfully obtained and is of public significance, (2) whether the law in question serves “a need to further a state interest of the highest order,” and (3) whether the statute serves “the significant interests” which the state purports to advance and is not underinclusive.

The court upheld Daniel’s Law because: 

• It restricts only a small, non-essential portion of covered persons’ information
• Protecting public officials represents a compelling state interest
• While not comprehensive, the law targets the most common method strangers use to obtain restricted information, with no evidence of discriminatory intent in its limited scope.

The court also noted that, to the extent that any specific applications of Daniel’s Law infringed on speech, such as by restricting the flow of newsworthy information, a plaintiff would be free to bring a narrow as-applied First Amendment challenge to challenge that application.

The data brokers appealed this order to the Third Circuit, making many of the same arguments they did below.

EPIC’s Brief

EPIC filed an amicus brief in this case because it is concerned that the data brokers’ overbroad First Amendment arguments, if successful and adopted widely, would threaten the entire regime of data protection as we know it. There are few if any limiting principles to their legal theories, which could be applied to invalidate nearly any legal protections for personal information.

EPIC’s amicus brief seeks to aid the Third Circuit by explaining its views on how to properly balance free speech and privacy and informing the court about how this case may affect challenges to other important data protection laws.

EPIC’s brief re-emphasizes to the court why data protection laws should be evaluated case-by-case rather than through broad facial challenges. First, the Supreme Court has consistently said to evaluate First Amendment challenges to privacy laws narrowly given the important interests at stake and the quickly changing nature of technology. Second, the Court’s Moody decision recently reiterated the many problems with facial First Amendment challenges and the narrow situations in which they can and should be used, which do not fit this case.

Next, EPIC’s brief explains why it is wrong to cite Sorrell v. IMS Health for the argument that any law regulating the creation and dissemination of information automatically receives First Amendment scrutiny. Sorrell v. IMS Health only established that viewpoint-discriminatory restrictions on information trigger First Amendment scrutiny, not that all data dissemination is protected speech. Unlike the law in Sorrell, Daniel’s Law doesn’t discriminate among speakers or viewpoints.

The brief further argues that courts typically apply intermediate scrutiny, not strict scrutiny, to laws regulating commercial disclosure of personal information, especially when that information concerns private matters and is shared for profit. The brief cites numerous cases where courts have upheld data protection laws under this standard.

Finally, the brief warns that requiring strict scrutiny for all data protection laws would effectively invalidate virtually every privacy regulation in America, from HIPAA to the Video Privacy Protection Act, since all such laws necessarily regulate some categories of data and not others. Labeling this appropriate legislative tailoring as “content discrimination” that triggers strict scrutiny would almost inevitably result in all of these laws being stricken down. This would leave Americans without meaningful privacy protections and create regulatory chaos across industries.

Litigation Documents