Hi friends

Eric J. Troutman here, mythical (or is it mystical?) Czar of the TCPAWorld.

It is no secret that I’ve been excited to expand our offerings beyond the TCPA–and the fact that SCOTUS may strike down the TCPA at any minute has a little something to do with it. Ha.

But in truth, the pursuit of this new legal WORLD to explore was driven by YOU, my esteemed and splendid readers and friends.

How many of you have asked at one of my many, many, many speaking engagements over the years a cross-over question regarding CCPA or data privacy? Indeed every company interested in TCPA is–to some degree or another–interested in data security and applicable law. (I even did a webinar on this once–and I hate webinars.)

How many of my dear clients have sought guidance on the FCRA–noting the complete lack of ANY meaningful internet resource on the subject? (For shame internet!)

And of course BIPA–who had ever even heard of that statute before Jay Edelson’s huge interview on my podcast last year? I don’t see many hands out there. And that’s because the phenomenon of BIPA litigation is taking root right before our very eyes.

All three of these areas of law–along with the alphabet soup of enactments like CIPA, SCA, ECPA, and yes even HIPAA (shy wonderful HIPAA)– are fast-paced and developing. They need attention and meaningful analysis by real privacy lawyers steeped in this stuff and from a firm with the resources to devote to tracking case law developments and spotting trends in real time–as they develop.

Why?

Well, because you’ve asked for it, that’s why. And so we delivered.

For those of you familiar with TCPAWorld.com–and you all are aren’t you?–we take the mission of chronicling and exploring case law and related developments incredibly seriously, but we don’t take ourselves too seriously. Pretense is dull. So are barriers to content. Plus lawyers often hide behind legalese when they don’t really understand what they’re trying to say. (But I’m not telling you anything you don’t already know now am I?)

None of that here.

We’ll review all the case law and give you exactly what you need to know, and we’ll try to do it in a way that is light-hearted and relatable. At times–dare I say–even entertaining (although some of us are better than that than others. Ha.)

Our formula is simple– if something happens out there in the wide world of consumer privacy law, we want to give it to you straight and as immediately as possible. You need to know this stuff right now–not days or *cough* weeks later. And you don’t want gobbledy gook or nonsense. We get it.

More than that, you want  to trust that you can rely on what you read and you want a single resource that will comprehensively cover the law that matters most to you–from all angles.

Ta-da!

Squire Patton Boggs has assembled its truly amazing team of privacy lawyers–I mean look at this team– and spared no resource to assure that consumerprivacyworld is exactly what you need it to be– timely, smart, engaging, analysis you can work with and learn from.

So welcome to your new privacy law wonderland! Please do make it YOUR wonderland. If you have questions or thoughts on how we can improve–reach out. Don’t like an article or disagree with some analysis? Let us know. And of course if you actually do like something you see here–tell us. We want to know how to make your experience on consumerprivacyworld.com as useful as possible.

We sincerely hope you’ll enjoy your stay and take your time to appreciate everything the website has to offer over time (we’ll be rolling out new features shortly–don’t worry if it feels a bit Spartan in the short term, bells and whistles and a merry-go-round will be installed shortly.)

It is great to have you here. Enjoy–and tell a few dozen pals.

Thanks friends. Chat soon.

It has been a year for the record books for data privacy litigation (and we are only into Q2-who knows what Q3 and Q4 will bring!)  CPW has been tracking significant developments in this area of the law—including in regards to the California Consumer Privacy Act (“CCPA”).  While the statute has been in effect for a little over a year, it has already become a battleground for plaintiffs seeking to assert statutory claims against defendants for failing to maintain reasonable security procedures (even if the only harm plaintiffs allegedly suffered is speculative risk of future injury).  In fact, the flood of litigation under the CCPA was cited this week as a reason for the Florida legislature to consider dropping a private right of action from a data privacy bill under consideration.

The underlying reasons for this trend are clear.  First, the number of data breaches continues to rise.  Current estimates place the number of cyberattacks occurring in Q1 in the U.S. as ~320.  This is a slight uptick from Q1 2020.  Most significantly, however, the number of individuals in the U.S. whose information was disclosed in a data event in 2021 is up 500%.  Second, the CCPA is an attractive option for plaintiffs who claim they were “harmed” from the disclosure of their personal information as the statute purportedly provides for significant liquidated statutory damages (even in the absence of proof of identity theft, fraudulent charges on accounts, and the like—although how that actually shakes out in litigation is far from settled).

We are going to dig into what this all means and where things may be headed.  But first, let’s go back to the basics for any CCPA newbies out there.

A quarter into 2021, our review confirms that the slew of lawsuits filed under the CCPA remains concentrated in the area of data events.  But there should be no surprise there.  Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).  Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

So what do most of the CCPA cases filed in 2021 look like?  Good question.

Over one third of the CCPA litigations filed thus far are related to the account hacks on the California Employment Development Department’s (“EDD”) prepaid debit cards issued through Bank of the America.  In case you missed it, a number of individuals had the balances on their EDD debit cards wiped out (without any prior notice or security alert).  On January 14, 2021, the first class-action lawsuit related to this event was filed against Bank of America, claiming the bank did not do enough to stop the scammers.  Since then, over 13 other similar lawsuits have been filed, which may be consolidated down the road.

In these litigations, plaintiffs raise claims under the CCPA concerning Bank of America’s alleged “failure to secure” private account information.  To put it differently, Bank of America allegedly breached its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of individuals personal information, including “issuing EDD debit cards to plaintiff and class members with magnetic stripes but without EMV chip technology.”  Most of the filed complaints allege the lack of chip technology enabled scammers to access the funds in the debit cards resulting in accounts being frozen and many individuals being left without payments for weeks (and some to date).

Bank of America is not the only institution that has been a victim of recent cyber theft.  Accellion’s File Transfer Appliance was also recently compromised, resulting in a number of CCPA class action lawsuits filed this year relating to—you guessed it—its alleged failure to maintain reasonable security procedures.  As alleged in one of the complaints:

Defendant [Accellion Inc.] violated § 1798.150 of the CCPA by failing to prevent Plaintiffs’ and class members’ nonencrypted and nonredacted personal information from unauthorized access and exfiltration, theft, or disclosure as a result of Defendant’s violations of their duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information

Brown v. Accellion, Inc., Case No. 5:21cv1155, Dkt. #1 at ¶70.

Another major data breach this year involving a large number of CCPA suits related to Automatic Funds Transfer Services, Inc. (“AFTS”).  On February 17, 2021, the California Department of Motor Vehicles announced that AFTS had been the subject of a “security breach” and ransomware attack that may have compromised “the last 20 months of California vehicle registration records that contains the names, addresses, license plate numbers and vehicles identification numbers” of California drivers.  Not surprising to those in the consumer privacy space, this resulted in numerous class action lawsuits being filed under the CCPA.  In those litigations, plaintiffs allege “AFTS violated the CCPA by subjecting Class Members’ PI to unauthorized access and exfiltration, theft, or disclosure as a result of AFTS’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature and protection of that information.”  Atachbarian v. Automatic Funds Transfer Services, Inc., Case No. 2:21-cv-02645, Dkt. #1 at 61¶.

And while cyber theft remains on the rise, plaintiffs (and plaintiffs’ attorneys) have not lost sight of other data use implications mandated by the CCPA.  For example, Flo Health Inc., an ovulation-tracking app has been hit with a number of class action lawsuits alleging the app “secretly collected” (i.e. without consent) personal information of users—including whether women were trying to get pregnant—and shared that data with third-party data collectors and advertisers.  The lawsuits follow FTC’s investigation into related concerns.  Some of the complaints against Flo Health reference the CCPA as supporting other claims raised by plaintiffs, such as violation of the California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), without asserting a direct CCPA claim.  See, e.g., Tesha Gamino v. Flo Health Inc., Case No. 5:21-cv-00198-JWH-SHK, Dkt. #1.  This is something we have noticed in a handful of other lawsuits filed this year–listing the CCPA without asserting a direct cause of action or under the statute.

So there you have it.  A quarter into 2021, CCPA cases continue to fill the docket, and occupy our attention.  Stay tuned while we continue to break the latest developments for you.  It is going to be a wild 2021 but CPW will be there.

 

 

As you know at CPW, we’re all about covering developments in data privacy litigation.  Florida is one of the states currently contemplating new privacy legislation with a broad private right of action for consumers (check out our “final four” coverage discussing it here and an earlier overview of the bills here).  Well, this week Florida’s privacy bills (SB 1734 and HB 969) hit an unexpected bump with a “strike all” Senate Rules Committee amendment proposed to SB 1734.  This “friendly” amendment would the replace SB 1734 with a new version—notably one that drops the private right of action provision.

In support of the amendment, concerns were expressed that the previously proposed private right of action with statutory damages would make Florida a “cottage industry for plaintiffs’ attorneys with gotcha lawsuits,” as seen from recent litigation activity in Illinois (over 1,000 lawsuits filed under BIPA) and California (76 class action lawsuits filed under CCPA since start of 2020).  For the proceedings before the Senate Rules Committee check it out here (discussion of private right of action starts at 56 minutes in).

For more on this, stay tuned.  CPW will be there.

Readers of CPW know that our very own Lydia de la Torre has been selected to be an inaugural board member of the new California Privacy Protection Agency.   Listen to what Lydia and Alan Friel, Deputy Chair of SPB’s Data Privacy group have to say in a must-listen to podcast.  They discuss the history of privacy policy, the growing influence of European privacy principles, and the new privacy laws we are seeing, or can expect, at the state and federal levels here in the United States.  Absolutely essential stuff for anyone working in an industry impacted by this growing body of law.  Listen to it at Tech Freedom here.

And for more on all developments data privacy related, stay tuned.  CPW will keep you in the loop.

In a recent Driver’s Privacy Protection Act (“DPPA”), 18 U.S.C. § 2721, et seq. case, a federal court in North Carolina denied plaintiffs’ motion for relief after the Court entered summary judgment in favor of several law office defendants who sent advertisements marketing legal services.

In Hatch v. Demayo, 2021 U.S. Dist. LEXIS 55601 (M.D.N.C. Mar. 24, 2021), the plaintiffs—after being involved in car accidents—provided information from their driver’s licenses to law enforcement for the completion of DMV accident report forms.  Shortly thereafter, plaintiffs claimed they received unsolicited marketing materials from various law offices.  Plaintiffs then filed suit alleging that several law office defendants violated the DPPA by obtaining their information from the accident reports for the purpose of using the information to advertise legal services.

As the court noted, “[t]he DPPA holds liable certain parties for the misuse of a driver’s information if that data has been collected from a ‘motor vehicle record’.”  A motor vehicle record means “any record that pertains to a motor vehicle operator’s permit, motor vehicle title, motor vehicle registration, or identification card issued by a department of motor vehicles.”  18 U.S.C. § 2725(1).  In deciding defendants’ motion for summary judgment, the court noted that plaintiffs failed to allege that the DMV form was a motor vehicle record.  When denying plaintiffs’ motion for relief, the Court further reasoned that plaintiffs’ argumentthat the DMV form was essentially a motor vehicle record because it relied on information taken from a driver’s license or DMV database—was insufficient.  The court declined to leniently construe the allegations, stating that “Plaintiffs could have easily made the straightforward contention that DMV-349s were in fact motor vehicle records and chose not to do so.”

The Court also acknowledged plaintiffs’ reliance a decision out of the Western District of North Carolina (Gaston v. LexisNexis Risk Sols. Inc., 2020 U.S. Dist. LEXIS 160012 (W.D.N.C. Sep. 2, 2020)), but concluded that the “single, non-controlling case” reaching a different conclusion was not sufficient to support plaintiffs’ argument of clear error.  The Court therefore denied plaintiffs’ motion for relief from judgment.

For more developments in the area of data privacy litigation, stay tuned.  CPW will be there.

After advancing steadily in their respective legislatures the first few months of 2021, the Oklahoma Computer Data Privacy Act has seemingly died (at least for the time being), and the Washington Privacy Act may run into similar roadblocks it faced in prior years.  CPW’s Kyle Fath covers this development and its broader implications in a detailed analysis here.  As he notes “[t]his year marks the third year that a version of the Washington Privacy Act (WPA) has been introduced in the state’s legislature. Prior versions from 2019 and 2020 died due to disagreement over consumer private right of action, mostly along party lines. The 2021 WPA, as introduced in January, included a private right of action with statutory damages of $7,500 per violation. The private right of action was ultimately removed from the bill and was not included in the version of the bill passed by the Senate in early March.”

Be sure to check it out.  And for developments in this area, continue to stay tuned.  CPW will be there.

A recent decision from the Supreme Court of New York confirms that to survive dismissal, plaintiffs in data breach actions must establish injury-in-fact through a showing of actual or imminent harm.  In evaluating whether an alleged harm arising from a data breach is actual or imminent, New York courts apply a five-factor balancing test.  Under this test, even if a plaintiff’s personal information is exfiltrated during a hack, mere speculation about the prospect of future harm is insufficient to confer standing.

In Keach v. BST & Co. CPAs, LLP, 2021 N.Y. Slip Op 50273(U) (Sup. Ct., Albany County 2021), plaintiffs brought suit against BST & Co. CPAs, LLP (“BST”), an accounting and consulting firm, and Community Care Physicians, P.C. (“CCP”), a large medical practice, following a data breach, in which hackers obtained access to BST’s client data, which included the personal information of 170,000 current and former patients of CCP.  Plaintiffs asserted nine causes of action, alleging that theft of their names, dates of birth, and medical billing and health insurance information exposed them to a “heightened and imminent risk of fraud and identity theft.”

In response, defendants argued that plaintiffs did not establish injury-in-fact, as they “rely exclusively on the speculative possibility of harm that could occur in the future.”  Like Article III standing, the Court held that to establish injury-in-fact, the claimed injury must be “actual or imminent” and cannot be “tenuous;” “ephemeral;” or based on mere conjecture or speculation.  “In evaluating whether plaintiffs in a data breach case have alleged an actual injury or the imminent prospect thereof, the New York courts have looked to five principal factors: (1) the type of personal information that was compromised; (2) whether hackers were involved in the data breach or personal information otherwise was targeted; (3) whether personal information was exfiltrated, published and/or otherwise disseminated; (4) whether there have been any incidents of, or attempts at, identity theft or fraud using the compromised personal information; and (5) the length of time that has passed since the data breach without incidents of identity theft or fraud.”

With regard to the first factor, the Court held that while the personal information at issue can be misused, the risk is not as high as in situations involving theft of social security numbers; financial account information; or of data associated with classes of persons at higher risk of identity theft, such as police officers.  Next, the Court held that in ransomware attacks such as this, the information itself is not ordinarily the object of the hackers’ attack.  Third, plaintiffs do not allege any particulars demonstrating that the information was published or otherwise disseminated.  Fourth, plaintiffs failed to allege any incidents of identity theft or fraud using the compromised data and Defendants offered free credit monitoring services to those impacted to mitigate such risk.  Lastly, the Court held that 16 months since the hacking without incident of identity theft “counsels against finding injuries that are imminent or substantially likely to occur.

Thus, while recognizing that some federal and state courts in other jurisdiction have found standing on similar facts, the Court concluded that under NY law, the named plaintiffs failed to allege particularized and concrete injuries that are impending, imminent or substantially likely to occur.  The Court further concluded by advocating a cautious approach to standing, citing to a quote from a federal judge from six years ago: “There are only two types of companies left in the United States, according to data security experts: those that have been hacked and those that don’t know they’ve been hacked.”  Storm v. Paytime, Inc., 90 F. Supp 3d 359, 360 (M.D. PA 2015).

For more on this developing area, stay tuned.  CPW will be there.

Today the CPW team expanded with a three-lawyer, bi-coastal team from BakerHostetler, based in the firm’s Los Angeles, New York and Miami offices.  Their arrival comes on the heel of the firm welcoming Alan L. Friel as Deputy Chair of the Data Practice from BakerHostetler.

The new team comprises: counsel Kyle R. Fath (New York); senior associate Kyle R. Dull (New York and Miami); and associate Niloufar Massachi (Los Angeles).

“Speaking from personal experience, this is a dynamic team that will give clients a powerful advantage in creating and implementing data privacy compliance programs, commercializing data, assessing cybersecurity risk and responding to incidents and addressing regulatory changes and enforcement actions,” said Mr. Friel.  “Kyle, Kyle and Nilou, collectively, bring an enriched perspective to the table, blending industry and public sector experiences that complement the complex work the Data Practice is handling.  The team also counsels clients on advertising and sales practices, and has substantial experience with digital advertising and AdTech matters.”

Mr. Fath, CIPP/US, has developed a practice that offers a unique blend of deep experience in counseling companies through compliance with data privacy laws such as the CCPA, drafting and negotiating technology agreements, and advising on the privacy, IT, and IP implications of M&A and other corporate transactions.  His practice has a particular focus on the ingestion and sharing of data, the implications of digital advertising (as companies look toward the so-called “cookieless future”), and assisting clients through the build out of e-commerce and other global online platforms.

Mr. Dull, CIPP/US, draws on extensive experience investigating and prosecuting privacy and advertising law violations to advise clients on their own data privacy, cybersecurity, and advertising risks.  As a former assistant attorney general, he has a solid understanding of consumer protection laws, as well as domestic and international privacy laws, enabling him to counsel clients on technical, contractual, intellectual property and regulatory issues while balancing commercial and consumer interests.  Additionally, Mr. Dull has experience defending and resolving privacy and advertising enforcement actions throughout the country.

Ms. Massachi, CIPP/US, focuses her practice on data privacy and protection, advertising, sales and digital media practices counseling, technology transactions, cybersecurity and breach response, and consumer protection law.  Her experience includes substantive research and analysis on and application of data privacy laws, including the CCPA, CPRA, the California Shine the Light Act, the California Online Privacy Protection Act (CalOPPA), the Video Privacy Protection Act (VPPA), and the Children’s Online Privacy Protection Act (COPPA).  Ms. Massachi draws on her experience to counsel clients on the development and implementation of information governance and compliance programs, including on conducting data inventory and mapping.  She regularly drafts policies and procedures for providing consumer data privacy transparency and choice as well as drafts and negotiates privacy and data security provisions for various types of multiparty agreements.  Ms. Massachi also advises clients on digital media and advertising consumer protection programs, such as enhanced notice requirements for cross-device interest-based advertising and the collection of precise location data.

Welcome all!

Privacy at the state level can get messy and confusing—particularly in the current moment with the record number of proposed bills under consideration.  So let’s face it: it is great to read about all those proposed bills but what US privacy professionals really want to know is which bills will pass and which bills will fail.  Law firms are internally creating “2021 State Comprehensive Privacy Bill Brackets” but none are publishing them since predictions are hard and, candidly, we attorneys do like to be proven wrong.

That ends today.

The new deputy chair of SPB’s Privacy, Cybersecurity practice Alan Friel is not only a veteran of the many privacy legislation battles of the past but also a fearless leader who believes publishing our predictions will add real value to our readers (and clients).

As a reminder, SPB privacy blogs were granted the 2020 Go to Thought Leadership Award by National Review.  This year we were the first major law firm to predict the Virginia Consumer Data Protection Act (VCDPA) would pass.  Incidentally, our talented colleague Glenn Brown has posted great content explaining VCDPA’s requirements and even analysis comparing the right to delete under VCDPA and CCPA/CPRA  (including a handy chart that you should definitely bookmark).

So, without further delay, here are the 2021 SPB’s State Comprehensive Privacy Bill predictions.

Our 2021 Final Four: Connecticut, Florida, Oklahoma and Washington

No.1: Connecticut’s Act Concerning Consumer Privacy (SB 893)

Arguably it is too early to predict the outcome of SB 893.  After all, the bill is still stuck in Committee, and there were several comments filed in opposition during the February 25 public hearing.  Why are we bullish on Connecticut then?  The bill has the support of the Connecticut ACLU (although it is worth noting that the private right of action was removed after the ACLU expressed its support).  More importantly, the Connecticut’s Attorney General Office and the Connecticut’s Senate Majority Leader strongly support the bill and Connecticut (like Virginia) is a democratic trifecta where the DNC has full control of the governorship, the state senate, and the state house.  As currently drafted, Connecticut’s Act Concerning Consumer Privacy is very similar to the Virginia VCDPA (see our posting on the requirements under the VCDPA here.) The Connecticut legislature has time to reach consensus (it does not adjourn until June 9th) and we plan on keeping a close eye on developments in the state.

No 2: Florida’s Consumer Privacy Acts (SB 1734 and HB 969)

It has been reported that an unknown activist is behind the progress of these two Florida bills.  Not surprising-this is consistent with a trend seen these past couple of years of other privacy activists similarly reshaping states’ legislative agendas.  These bills are inching closer and closer to California’s CPRA in an indisputably red state, which is a remarkable development in and of itself.  Florida is also the third most populous state in the nation, which means any privacy legislation enacted in the state will likely have significant sway in any future talks about federal privacy legislation.  Although the Florida legislature is adjourning on April 30th, the fact that very closely aligned bills are progressing in tandem through the Senate and the House fairs well for a potential opportunity to compromise leading to enactment.  We will find out soon the outcome in Florida but, in the meanwhile, here is our most recent posting on the Florida developments.

No. 3: The Oklahoma Computer Data Privacy Act (HB 1602)

Nobody seems to be paying attention to this bill but it is well-positioned to become the 2021 Cinderella Story. HB 1602 significantly differs from already enacted comprehensive privacy bills with the current version including no private right of action but featuring an opt-in consent requirement across the board before collecting, using or selling any personal information. The bill sailed through the Oklahoma house with overwhelming bi-partisan support (Ayes: 85 Nays: 11.)  Oklahoma was our number one until we heard last week the chair of the Oklahoma Senate Judiciary Committee (through which the bill must pass before being brought to the floor of the Senate) may not be willing to take it up.  That said, there is enough time left in the legislative calendar to build consensus and get it to the finish line (the Oklahoma legislature will not adjourn until May 28th).  Oklahoma is currently a Republican trifecta, which should help avoid a governor veto.  If enacted, it will be the first comprehensive privacy bill to become the law of the land in a republican controlled state and could become a viable model for other republican controlled state legislatures.  For more details read our post here.

No 4: Washington Privacy Bills (HB 1433 and (SB 5062)

Washington certainly deserves “an A for effort.”  The state legislature has been trying to enact the Washington Privacy Act (SB 5062) for 2 years and counting.  Last year it actually enacted regulations affecting the public sector handling of personal information but consensus on enforcement effectively brought legislative progress for the private sector to a halt.  In 2021 the ACLU decided to back a new bill (the People’s Privacy Act – HB 1433) and has published a chart comparing its bill to the WPA here.  Why are we still optimistic on Washington?  In a surprise move, on March 26 SB 5062 was amended to add a private right of action allowing state residents to sue over alleged violations. Significantly, however, the private right of action does not include a provision for monetary damages—leaving residents with the exclusive option of seeking injunctive relief (or alternatively filing a complaint with the consumer protection division of the attorney general’s office).  Will this suffice to swing enough votes to get WPA through the finish line?  On April 1st it passed the Civil Rights & Judiciary Committee and is now heading for the floor of the house.  We will find the ultimate outcome soon (the Washington legislature is set to adjourn April 25th). Just like last year this promises to be a real nail-biter.  For more information see our posting here.

How about the rest of the States?

If your favorite state privacy bill did not make it to our final four, not to worry.  There are many close calls that we had to make to come up with our final four bracket and we predict many last minute twists and turns.  And never forget the still possible comprehensive federal privacy law.  With those developments, we will continue to keep you informed of what you need to know in this rapidly developing area.  Stay tuned!

In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

CPW’s Kristin Bryan Provides Live and Unscripted Analysis of TransUnion SCOTUS FCRA Class Action Oral Argument | Consumer Privacy World

Eighth Circuit Orders New Trial for Unauthorized Data Access Under Driver’s Privacy Protection Act | Consumer Privacy World

Oklahoma Considering Comprehensive Privacy Legislation | Consumer Privacy World

Does A Plaintiff Have Standing To Sue Based On A Purely Technical Violation Of The FCRA’s “Employment Purposes” Protections? | Consumer Privacy World

CPW Live Blogs Ramirez v. TransUnion SCOTUS Oral Argument TOMORROW at 10 am EST | Consumer Privacy World

In Hood v. Action Logistix, LLC, 2021 U.S. Dist. LEXIS 569974, the Eastern District of Missouri considered everyone’s favorite FCRA issue: standing for procedural violations!  The plaintiff applied for a job with defendant, which ran a background check on the plaintiff after extending a tentative offer of employment.  Following receipt of the background check, the defendant informed the plaintiff that he was no longer eligible for employment due to information in the report.  Under § 1681b(b)(3)(A) of the FCRA, anyone who obtains a consumer report for employment purposes is required to provide both an FCRA Summary of Rights and a copy of the report to the consumer before adverse action is taking.

The plaintiff sued, claiming that he was not provided with the FCRA Summary of Rights, and was not permitted to review the report and address any information in it before his offer of employment was withdrawn.  He did not, however, claim that any information in the report was inaccurate, or that his review would have resulted in him obtaining employment.

The defendant moved to dismiss, claiming that the court lacked subject matter jurisdiction because the plaintiff lacked a concrete injury, and therefore lacked standing to sue.  The court, relying on Spokeo, Inc. v. Robins, as well as the Third and Seventh Circuits, found that a procedural violation of the FCRA in instances like this could give rise to a concrete injury.  Interestingly, however, the court also noted that the Ninth Circuit disagreed with the Third and Seventh Circuits.  Reviewing the language and legislative history of the FCRA, along with other legal authority regarding standing, the court determined that the plaintiff had standing to bring suit for this procedural violation of the FCRA.

As these standing cases develop, time will tell whether the Ninth Circuit sticks by its position that these sorts of technical violations do not constitute injuries, or whether there is a developing consensus in courts across the country that these kinds of violations do give plaintiffs standing to sue.  And of course, this all may change depending on how the Supreme Court rules later this year.  CPW will be there as this area of the law continues to develop.  Stay tuned.