The recent data breach of Equifax, one of the “Big Three” credit reporting agencies, throws into stark relief the risks inherent in major compilations of consumer data. Given the renewed national focus on consumer data harms, it is worthwhile to take a closer look at a case that may be central to the future of how harm is seen by the courts. On Aug. 15, 2017, the United States Court of Appeals for the 9th Circuit released its latest opinion in the Spokeo Inc., v. Robins case, holding, on remand from the U.S. Supreme Court, that plaintiff Thomas Robins had alleged violations of the Fair Credit Reporting Act that were sufficiently “concrete” to give Robins standing to sue Spokeo, possibly setting the stage for a second appeal to the Supreme Court.

The 9th Circuit opinion’s intensive focus on the specific facts alleged by Robins is the key take-away of the case. The court’s fact-specific approach signals its growing willingness to recognize the validity of intangible harms as actionable privacy violations. Its readiness to find a privacy harm even when the allegedly incorrect information is "complimentary" to the data subject is particularly telling. 

Spokeo’s data practices

Spokeo runs a website that “compiles consumer data and builds individual consumer-information profiles,” parts of which can be accessed for free, “including the subject’s age, contact information, marital status, occupation, hobbies, economic health, and wealth.” Spokeo explicitly markets its services to businesses as “a good way to learn more about prospective business associates and employees.”

In his complaint, Robins alleged that Spokeo harmed him by publishing a consumer information profile about him that was inaccurate in almost every respect. The profile allegedly included incorrect information on Robins’ “age, marital status, wealth, education level, and profession, and … included a photo of a different person.”

According to Robins, Spokeo’s actions violated FCRA’s procedural requirements, particularly a duty requiring consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy” when compiling consumer reports about individuals. FCRA provides a private cause of action to consumers who are affected by a regulated company’s violation of the statute. Robins alleged that the errors in Spokeo’s profile of him “harmed his employment prospects at a time when he was out of work … that he continues to be unemployed and suffers emotional distress as a consequence.”

The case takes a trip to the Supreme Court

Before any examination of the merits of Robins’ allegations — such as whether Spokeo actually acts as a consumer reporting agency under FCRA — Spokeo asked the trial court to dismiss Robins’ case for lack of standing, arguing that Robins had not suffered a harm sufficient to satisfy basic constitutional limitations on the jurisdiction of federal courts. The lower court granted the motion.

Robins appealed to the 9th Circuit, which reversed the lower court and permitted the case to proceed. Spokeo then appealed the 9th Circuit’s decision to the Supreme Court, which vacated and remanded the 9th Circuit’s decision in an opinion issued on May 16, 2016, determining that the 9th Circuit had not sufficiently examined the requirement that an injury be “concrete,” as well as “particularized.”

On remand last month, the 9th Circuit upheld its original reversal of the trial court and determined that Robins’ injury was “concrete,” as well as “particularized.” 

Valuing data accuracy as a privacy right

In its most recent Spokeo ruling, the 9th Circuit struck a middle ground between the positions advocated by the parties. On the one hand, it cautioned that not all statutory violations are sufficient to generate standing: Contrary to Robins’ claims, not just “any FCRA violation premised on some inaccurate disclosure of … information” would suffice. On the other hand, the 9th Circuit found the specific profile inaccuracies Robins alleged in his complaint were sufficient to show that Robins had suffered harm, disregarding Spokeo’s claims to the contrary.

The court’s acceptance that the specific inaccuracies alleged by Robins were demonstrative of a “real” harm is a significant signal.

The court noted FCRA “was crafted to protect consumers from the transmission of inaccurate information about them” and observed that “given the ubiquity and importance of consumer reports in modern life … the real-world implications of material inaccuracies in [consumer] reports seem[s] patent on their face.” According to the court, “the threat to a consumer’s livelihood is caused by the very existence of inaccurate information in his credit report and the likelihood that such information will be important to one of the many entities who make use of such reports.”

The court’s acceptance that the specific inaccuracies alleged by Robins were demonstrative of a “real” harm is a significant signal, since the thrust of the Supreme Court’s opinion was to clarify that the violation of a plaintiff’s statutory rights need generally be accompanied by “real” harm for the plaintiff to have the standing to sue.

According to the court, Spokeo’s publication of an inaccurate report about Robins in violation of its responsibilities under the FCRA was “enough to show harm to the statute’s underlying concrete interests.” However, while it concluded that the alleged violations of the FCRA were sufficient to provide standing, the court limited the breadth of its holding by emphasizing the importance of Robins’ specifically alleged facts. Spokeo misrepresented Robins’ age, education, marital status, and wealth level, such a “broad range of material facts about Robins’ life” that little imagination was required to see the real harm, and it was “clear … that Robins’ allegations relate[d] facts … substantially more likely to harm his concrete interests than the Supreme Court’s example of an incorrect zip code.”

The court’s opinion articulates — albeit not explicitly — some of the values reflected in the Fair Information Practices, particularly the data quality, use limitation, and accountability principles.

The FCRA right at issue hews closely to the globally accepted FIPs values. Under 15 U.S.C. § 1681e(b), reporting agencies must “follow reasonable procedures to assure maximum possible accuracy” of consumer reports, which closely tracks the normative goal that consumer data be accurate, complete, and kept up-to-date if necessary for the purpose of its collection, as exemplified in the data quality FIP. The court’s willingness to find the publication of a dossier created in violation of this requirement a sufficiently “real” harm to grant standing suggests its recognition of the importance of placing limitations on the untrammeled public disclosure of consumer data central to use limitation.

9th Circuit’s harm analysis reveals a shared recognition that the publication or dissemination of inaccurate personal information is itself a harmful event to the data subject.

The new opinion also demonstrates growing common ground between American privacy jurisprudence and the European regulatory framework, as reflected in the GDPR. Article 5(1)(d) requires that “[p]ersonal data shall be … accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes from which they are processed, are erased or rectified without delay.” Additionally, Article 16 gives the data subject an affirmative “right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.” The GDPR omnibus regulation does not perfectly map onto the FCRA’s enforcement framework, but comparing it to the 9th Circuit’s harm analysis reveals a shared recognition that the publication or dissemination of inaccurate personal information is itself a harmful event to the data subject.

Lessons for privacy pros

The Spokeo case will for many years be known as another milestone in Article III–standing jurisprudence. But for privacy professionals, the 9th Circuit’s opinion on remand signals an openness to data quality and accuracy principles that have long been the staples of global privacy policy.

Organizations that collect, analyze and provide personal data profiles for use by others are now on notice that errors in those reports — even those that to some may seem flattering or inconsequential — may be harmful to data subjects and create legal liability. This should increase organizations’ responsibility to verify data accuracy, allow data subjects the opportunity to correct — or rectify — inaccuracies, and evaluate the privacy consequences of using personal data for profiling.