Two recent decisions suggest that the federal Court of Appeals for the Ninth Circuit is taking a slightly more restrictive approach than some other circuits to standing in privacy and data breach cases.
In what will likely be a widely quoted line, the court stated in one of the cases, "there existed no free-roaming privacy right at common law." And the common law is what unlocks the door to the federal courthouse in privacy and data breach cases brought by consumers.
'Discrete torts' define privacy-related harms
The first of the two cases — and the one with that striking line — is Popa v. Microsoft, handed down 26 Aug. It involved an e-commerce website's use of the "session-replay technology" known as "Clarity," which is owned and operated by Microsoft. The plaintiff alleged she encountered the technology when she visited petsuppliesplus.com, where it collected information about her browser, operating system and activities on the site.
She sued under Pennsylvania's Wiretapping and Electronic Surveillance Control Act and also asserted a common law claim for "invasion of privacy — intrusion upon seclusion."
Recall that, to have a case heard in federal court, consumers must have "standing," meaning they must have suffered an "injury in fact," and that injury must be "concrete." To determine what is concrete, the Supreme Court has said, courts must look to history. Specifically, courts must assess whether the alleged injury has a "close relationship" to a harm "traditionally" recognized as providing a basis for a lawsuit in American courts. An exact match to the 18th century is not required. The question, rather, is whether plaintiffs have identified a close historical or common-law analogue for their asserted injury.
In Popa, the Ninth Circuit noted that other circuits had diverged, to some extent, in applying this rule. Some, including the Eleventh Circuit, have considered whether a plaintiff's harm satisfies each element required to state a common law cause of action. This can matter, for example, if a plaintiff alleges the public disclosure of private facts tort.
A focus on the elements of that tort can lead a court to conclude there was no "public" disclosure of the plaintiff's data, or that the compromised data was not the kind that would cause embarrassment to the average person if disclosed. The Seventh Circuit, for example, has applied this test in holding that driver's license numbers did not constitute the sort of intimate details covered by the common law tort.
Other appellate courts, including the Third Circuit, have adopted a less rigid approach that focuses on whether the harm experienced by a plaintiff is similar in kind to a harm protected by one of the common-law privacy torts.
In Popa's case, the Ninth Circuit said it did not need to choose between these two approaches, but it seemed to apply the elements-based test. The court gave the plaintiff the benefit of the doubt and said she was relying on two common law torts: intrusion upon seclusion and public disclosure of private facts.
To show intrusion upon seclusion, the court said plaintiffs must show an intentional interference with their interest in solitude or seclusion of a kind that would be highly offensive to a reasonable person, emphasizing the element of "highly offensive." Similarly, a claim for public disclosure of private facts requires that a defendant gives publicity to a matter that concerns the private life of another; the Ninth Circuit again emphasized the information must be "highly offensive to a reasonable" person.
The court concluded tracking interactions with the pet supplies website and even collecting the name of the plaintiff's street "are simply not offensive."
The fact that Pennsylvania’s wiretap act may have made illegal the interception of any communications, even inoffensive ones, didn't matter. As in the seminal Fair Credit Reporting Act cases of Spokeo v. Robinsand TransUnion v. Ramirez, the question was still whether the alleged harm has a common law analogue. The plaintiff's "broad theory that the common law protected privacy rights — pitched at a high level of generality — does not align with the analysis adopted in TransUnion,” the Ninth Circuit wrote.
Instead, a closer analysis was necessary. And here, adopting language from the Seventh Circuit, the Ninth Circuit made a quite definitive statement: “at common law an invasion of the right to privacy has traditionally encompassed four distinct torts: intrusion upon seclusion, appropriation of another person's name or likeness, publicity given to another person's private life, and publicity that places one in a false light."
"In short," the Ninth Circuit stated, "there existed no free-roaming privacy right at common law but rather four discrete torts that protected specific kinds of privacy-related harms." As Paul Schwartz has explained, the four discrete torts are actually largely the late 20th century creation of Professor William Prosser, but it is probably too late to worry about that.
No substantial risk of harm, no standing
The second recent opinion was issued 8 Sept. in Kisil v. Illuminate Education. The defendant, a software company serving millions of students nationwide, suffered a data breach compromising data that potentially included grades, socio-economic disadvantaged status and special education information. According to the defendant, Social Security numbers and financial information were not at risk.
The Ninth Circuit concluded there was no standing, relying heavily on its opinion in Popa v. Microsoft. It repeated that there was no "free-roaming common law right to privacy" and firmly restated that both common law and statutory claims based on intangible harm from an invasion of privacy must be "benchmarked" to one of the four distinct privacy torts identified in the Popa case.
In a short opinion, the court rejected arguments based on a claim of imminent and substantial risk of future harm. In the three years since the breach, no plaintiff had suffered actual identity theft. The court concluded that the kind of information at issue, unlike Social Security numbers, was not the kind normally considered sufficient to create a credible threat of identity theft. With that foundation, claims based on the cost of monitoring or emotional distress from the risk were inadequate to establish standing.
In short, the Ninth Circuit's recent decisions add further nuance to the strategy of both plaintiffs and defendants in privacy and data security litigation, with some slight advantage to defendants. Moreover, it seems that dislodging the Ninth and Seventh Circuits' commitment to benchmarking standing against their definition of the four torts they have identified would take some deep historical research.
Jim Dempsey is the managing director for the IAPP Cybersecurity Law Center.
