EPIC - Gubala v. Time Warner Cable

Gubala v. Time Warner Cable

Whether consumers can sue for violations of the Cable Communications Policy Act

Background|
EPIC's Interest|
Legal Documents|
News|
Resources|

Summary

Gubala v. Time Warner Cable, Inc., No. 16-2613, currently pending before the U.S. Court of Appeals for the Seventh Circuit, concerns whether consumers have standing to sue companies for violating the Cable Communications Policy Act (“CCPA”). The CCPA requires cable operators to destroy personally identifiable information (“PII”) of consumers if the “information is no longer necessary for the purpose for which it was collected.” 47 U.S.C. § 551(e). Gubala alleges that even though he cancelled his Time Warner Cable service in 2006, TWC still retaines his personal information, including his name, address, Social Security Number, phone numbers, and credit card information. The lower court dismissed Gubala’s claim for lack of standing and for failure to state a claim.

Top News

Supreme Court Won’t Disturb Data Breach Decision: The Supreme Court today declined to review Zappos.com, v. Stevens, a decision that allowed consumers to sue the online retailer following a breach of their personal data. More than 24 million Zappos customers were affected by the breach, which included account numbers and passwords. Zappos tried to block the lawsuit, claiming that consumers had to show additional damages. The Ninth Circuit rejected that argument, and the Supreme Court left the decision of the appeals court in place. EPIC has filed amicus briefs in similar data breach cases, including Attias v. Carefirst, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches.” EPIC regularly files amicus briefs defending consumer privacy and addressing emerging privacy challenges. (Mar. 25, 2019)
Appeals Court Revives Data Breach Suit Against Zappos: A federal appeals court has ruled that consumers affected by a Zappos.com data breach have the right to sue the online retailer. The 2012 breach exposed the personal data of more than 24 million Zappos customers. A lower court previously held that the consumers lacked "standing" to bring a lawsuit against Zappos because their injuries were merely "conjectural." But the Ninth Circuit Court of Appeals reversed that decision and allowed the case to continue. "With each new hack comes a new hacker, each of whom independently could choose to use the data to commit identity theft," the court wrote. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN (where the Ninth Circuit also held for consumers), Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation. (Mar. 9, 2018)

More top news »

Supreme Court Leaves Data Breach Decision In Place » (Feb. 20, 2018)

The Supreme Court has denied a petition for a writ of certiorari in Carefirst, Inc. v. Attias, a case concerning standing to sue in data breach cases. Consumers had sued health insurer Carefirst after faulty security practices allowed hackers to obtain 1.1 million customer records. EPIC filed an amicus brief backing the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The federal appeals court agreed with EPIC and held that consumers may sue companies that fail to safeguard their personal data. Carefirst appealed the decision, but the Supreme Court chose not to take the case. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN, where the Ninth Circuit also held for consumers, as well as Gubala v. Time Warner Cable and In re SuperValu Customer Data Security Breach Litigation.

EPIC Amicus - Ninth Circuit Holds Violation of Video Privacy Law Establishes 'Standing' » (Nov. 29, 2017)

The Ninth Circuit issued an opinion today that addressed standing — the right to bring a lawsuit — under the Video Privacy Protection Act. The court found that the law protects a "substantive right to privacy that suffers any time a video service provider discloses otherwise private information." The court stated that a "plaintiff need not allege any further harm to have standing." EPIC filed an amicus letter brief in response to the court's request for parties to discuss standing following the Supreme Court decision in Spokeo v. Robbins. EPIC urged the court to recognize that "Congress intended to protect consumers' concrete interests in the confidentiality of their video viewing records." Contrasting with the Spokeo decision concerning the Fair Credit Reporting Act, the federal appeals court agreed that the video privacy law protects a "substantive interest." However, the court found that "personally identifiable information" was not disclosed by ESPN. EPIC has filed amicus briefs defending consumers in several cases after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation.

Federal Appeals Court Rules Data Breach Case May Proceed » (Aug. 30, 2017)

A federal appeals court has ruled that a major data breach case concerning Supervalu can move forward, rejecting the grocery chain's attempt to have the lawsuit dismissed. EPIC filed an amicus brief in the case, in support of the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The appeals court agreed with EPIC that the lower court was wrong to dismiss the case. However, the court held that only a consumer who could demonstrate actual financial fraud could proceed with legal claims. EPIC regularly files amicus briefs defending consumers' right to sue companies that violate their privacy, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and Spokeo v. Robins.

Senators Introduce Bill to Remove Personal Data from Cargo Manifests » (May. 4, 2017)

Senators Steve Daines (R-MT) and Gary Peters (D-MI) have introduced a bill that would remove personally identifiable information from shipping manifest sheets that are released to the public. According to the bill's sponsors, the Moving Americans Privacy Protection Act seeks to protect people who make international moves from "identity theft, credit card fraud and unwanted solicitations." EPIC maintains a page on identity theft and launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election.

EPIC Defends Consumers' Right to Sue Cable Providers for Illegal Data Retention » (Oct. 13, 2016)

EPIC has filed an amicus brief urging a federal appeals court to preserve consumers' right to sue cable providers that illegally retain their data. A former Time Warner Cable subscriber brought a privacy lawsuit alleging that Time Warner held onto his personal information long after he had canceled the service, a clear violation of a provision in a federal privacy law. But a lower court wrongly dismissed the suit, concluding that there had been no "injury." In the amicus brief, EPIC said that the lower court confused "injury" with "harm." When a company violates a federal law, EPIC explained, that is a "legal injury" and the reason that the court must hear the case. EPIC filed an amicus brief in a similar case in July and regularly files briefs defending consumer privacy.

Court Misunderstands Internet Tracking in Video Privacy Case » (Jun. 27, 2016)

The Third Circuit today rejected claims brought against Nickelodeon under the Video Privacy Protection Act, holding that IP and MAC addresses are not “personally identifiable information.” The opinion contradicts a First Circuit decision from earlier this year, which found that a unique Android ID and GPS coordinates constituted PII under the VPPA. The circuit split increases the possibility of U.S. Supreme Court review. The Court did find that plaintiffs could sue under state privacy law. EPIC filed an amicus brief, arguing that Congress defined PII as “purposefully broad to ensure that the underlying intent of the Act—to safeguard personal information against unlawful disclosure—is preserved as technology evolves.”

EPIC to OPM: "If You Can't Protect It, Don't Collect It" » (May. 25, 2016)

In comments to the Office of Personnel Management, EPIC urged the federal agency to limit the personal data it collects from job applicants. OPM currently gathers detailed personal information, including biometric data, Social Security numbers, educational history, medical records, foreign travel, drug use, and financial records. In 2015, OPM lost the personal data of 21.5 million people in a massive data breach. The OPM Director and CIO were forced to resign. OPM now proposes to collect even more personal data on more people, including distant relatives of job applicants. EPIC has previously urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information.

EPIC to Defend Privacy Statute in Federal Appellate Case » (Dec. 8, 2015)

EPIC appears in court today in In re Nickelodeon, a case concerning the Video Privacy Protection Act. The privacy law bars companies from disclosing personally identifiable information about users of Internet video services. Children who watch videos on Nick.com believe that Viacom disclosed their viewing records to Google for adverting purposes. The companies dispute this, claiming that cookies and IP addresses are not personally identifiable. EPIC's "friend of the court" brief argues that the definition of personal information in the privacy law is "purposefully broad to ensure that the underlying intent of the Act--to safeguard personal information against unlawful disclosure--is preserved as technology evolves." EPIC Senior Counsel Alan Butler will represent EPIC before the court.

EPIC Defends Privacy Laws in Supreme Court Brief » (Sep. 8, 2015)

In an amicus brief for the Supreme Court EPIC defended Congress's authority to enact laws that safeguard the privacy of American consumers. EPIC explained that "Congress enacted laws that establish rights for individuals and imposed obligations on the companies that profit from the collection and use of this data." Spokeo v. Robins arises from a data broker's publication of inaccurate, personal information in violation of the Fair Credit Reporting Act. The data broker charged that, in addition to the violation of federal law, Mr. Robbins must also show that he was specifically harmed. Citing the current epidemic of privacy risks in the United States, including data breaches, identity theft, and financial fraud, EPIC wrote in the brief that this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." The EPIC amicus brief in Spokeo was endorsed by thirty-one technical experts and legal scholars, members of the EPIC Advisory Board.

Massive Breach Impacts Millions of Government Employees » (Jun. 10, 2015)

The Office of Personnel Management has announced a massive data breach in the federal government's employee database. According to the agency, the breach exposed the sensitive personal information - including home addresses, SSNs, and financial information - of 4 million government employees. Although 432 million online accounts were hacked in 2014, Congress has failed to update US privacy laws or pass cybersecurity legislation. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information.

Pew Survey: Vast Majority of Americans Feel Strongly About Privacy, Want Control Over Personal Information » (May. 20, 2015)

The Pew Research Center has published a new privacy poll on Americans' Views About Data Collection and Security. According to the Pew survey, 74% of Americans believe control over personal information is "very important," yet only 9% believe they have such control.Americans also value having the ability to share confidential matters with another trusted person. The vast majority of Americans want limits on how long companies retain records about their activities. And 65% of American adults believe there are not adequate limits on the telephone and internet data that the government collects.

EPIC Defends Privacy of Nickelodeon Viewers » (May. 5, 2015)

EPIC has filed an amicus brief in In re Nickelodeon, a case involving the Video Privacy Protection Act. The Act protects the privacy of a consumer's personally identifiable information ("PII"). Viacom, which offers Nickelodeon and other cable channels, claimed that personal identifiers such as IP addresses and unique device IDs are not PII and could be routinely disclosed to Google for commercial purposes without any restriction. EPIC filed in opposition to Google/Viacom and explained that the definition of PII in the Act is "purposefully broad to ensure that the underlying intent of the Act– to safeguard personal information against unlawful disclosure– is preserved as technology evolves."

NIST Seeks Comments on De-identification Report » (Apr. 20, 2015)

The National Institute of Standards and Technology has released a draft report on "De-Identification of Personally Identifiable Information." The agency is requesting comments by May 15. The NIST report reviews de-identification techniques and research, including work by EPIC Advisory Board members Cynthia Dwork and Latanya Sweeney. Last year, in response to a similar request for comments, EPIC recommended Privacy Enhancing Technologies that "minimize or eliminate the collection of personally identifiable information." EPIC also expressed support for Fair Information Practices and the Consumer Privacy Bill of Rights.

Questions Presented

Does the plaintiff have standing to sue Time Warner Cable for violating the Cable Communications Policy Act?

Background

Factual & Procedural Background

The lead plaintiff, Derek Gubala, signed up for cable services from Time Warner Cable (“TWC”) in December 2004. When registering, TWC “required Plaintiff to provide TWC with various forms of PII, including his date of birth, address, home, and work telephone numbers, social security, and credit card information.” He cancelled his service in September 2006. Gubala learned that all of his personally identifiable information (“PII”) remained in TWC’s billing records when he called TWC in 2014. Upon learning this, he filed this putative class action suit on September 3, 2015.

The first complaint sought injunctive relief, attorneys’ fees, costs, and damages—actual, liquidated, and punitive. TWC sought enforcement of the binding arbitration clause in the Residential Services Subscriber Agreement, which Gubala agreed to when signing with TWC. To avoid binding arbitration, Gubala subsequently amended the complaint—twice—to remove any prayer for damages.

Gubala alleges TWC violated his rights conferred to him by the Cable Communications Policy Act of 1984, 47 U.S.C. §§ 521-573. Specifically, Gubala alleges TWC violated 47 U.S.C. § 551(e), which requires a cable operator to destroy “personally identifiable information if the information is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to such information under subsection (d) of this section or pursuant to a court order.” Gubala argues that TWC’s failure to destroy [his] PII, as required [by] 47 U.S.C. § 551, constitutes injury in the form of a direct invasion of their federally protected privacy rights.”

TWC moved the court to dismiss the complaint for failure to state a claim upon which relief can be granted. Specifically, TWC claimed “the plaintiff had failed to plead the elements of a claim for injunctive relief, and because the request for injunctive relief was allegedly vague.” The District Court heard oral arguments on this motion the same day Spokeo v. Robins, 136 S. Ct. 1540 (2016), was decided. Following the Supreme Court’s opinion in Spokeo, the District Court granted the parties’ request to brief on whether Spokeo had any impact on this case.

Lower Court Opinion

The District Court granted TWC’s motion to dismiss on two grounds: lack of standing to invoke federal court jurisdiction and failure to state a claim.

First, Judge Pamela Pepper agreed with TWC that Gubala “cannot prove the ‘concrete harm’” supposedly required by the Supreme Court in Spokeo v. Robins. The court found that Gubala alleged a set of facts similar to those alleged by Robins in Spokeo:

[T]he plaintiff alleges that Congress has identified and elevated an intangible harm—the risk to subscribers’ privacy created by the fact that cable providers have an enormous capacity to collect and store personally identifiable data about each cable subscriber. He has identified the statutory protection Congress has provided—the requirement in the CCPA that cable providers destroy personally identifiable information when it is no longer required for the purposes which it was collected.

The court concluded that although these allegations satisfy the particularity prong of standing, they fail to satisfy the concreteness prong. In conducting the concreteness analysis, the court looks entirely at harms: Gubala did not allege that TWC disclosed the PII to a third party; even if TWC did disclose the data, Gubala hadn’t alleged that disclosure caused harm, such as being contacted by marketers or being the victim of fraud or identity theft. The court found the that allegations in Spokeo were slightly more concrete than those made by Gubala, because Gubala has failed to allege that TWC was retaining and publishing inaccurate records.

The court also found that Gubala had failed to state a claim. To receive injunctive relief, a plaintiff must not have an “adequate remedy at law” and will “suffer irreparable harm if the court does not grant the injunctive relief.” The court distinguished Sterk v. Redbox Automated Retail, LLC, which found that the Video Privacy Protection Act did not create a private right of action for damages against a company that failed to timely destroy PII. Instead, the court found that “[u]nlike it did with the VPPA, Congress provided a damages remedy for violation of the information destruction requirement in the CCPA.” As a result, Gubala was not seeking monetary damages only to avoid the arbitration clause, not because the CCPA barred a damages claim. In other words, “it is not that the plaintiff does not have a remedy at law; it is that he does not want to avail himself of that remedy at law, because to do so, he would have to eschew federal court and submit himself to a binding arbitration award.”

The lower court granted TWC's motion to dismiss. Gubala filed a timely appeal in the U.S. Court of Appeals for the Seventh Circuit on June 22, 2016. Judge Richard Posner authored a panel opinion affirming the lower court decision on January 20, 2017.

Legal Background

Article III of the U.S. Constitution grants the federal courts judicial power over “cases” and “controversies.” In order to show standing, plaintiffs must establish that they have (1) suffered an injury-in-fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) is likely to be redressed by a favorable judicial decision. Injury-in-fact itself requires the plaintiff suffer an invasion of a legally protected interest that is (1) concrete, (2) particularized, and (3) actual or imminent, not conjectural or hypothetical.

EPIC's Interest

EPIC has a long history of advocating for consumer privacy.

In August 2016, EPIC filed an amicus brief in Cahen v. Toyota Motor Corp, warning the Ninth Circuit that connected cars pose serious risks to consumer safety and privacy. EPIC also argued that the lower court misapplied the Article III standing test, focusing incorrectly on consequential harm. In July 2016, EPIC filed an amicus brief in Perry v. CNN, arguing that the privacy protections in the Video Privacy Protection Act apply to mobile apps that provide video service. Earlier that month, EPIC also filed an amicus in In re SuperValu Customer Data Security Breach Litigation, defending the rights of consumers to sue companies that mishandle personal consumer information. In April 2016, EPIC filed an amicus brief in the Third Circuit case Storm v. Paytime, Inc., which involved a very similar question as In Re SuperValu. EPIC argued that consumers are facing unprecedented threat from data breaches and subsequent misuse of their personal data. Accordingly, now is not the time to be limiting consumers’ options for recourse. EPIC also argued that consequential, downstream harms such as identity theft and financial fraud are irrelevant to whether data breach victims have standing to sue breached companies.

In January 2016, EPIC launched Data Protection 2016, a nonpartisan campaign to make data protection an issue in the 2016 election. The campaign advocates for reduced identity theft and financial fraud and for investigations of the misuse of personal data.

In September 2015, EPIC filed an amicus brief in the Supreme Court case Spokeo v. Robins, which concerns whether courts have jurisdiction to review cases brought based on violations of federal statutory rights. Plaintiff Robins sued Spokeo for violating the Fair Credit Reporting Act by disclosing inaccurate information about him. EPIC filed an amicus brief, advising the Court that now is not the time “to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” EPIC highlighted the need for robust privacy and consumer protection laws by demonstrating that “Americans consumers today face an epidemic of privacy harms, including data breaches, identity theft, and financial fraud.” In 2015 alone, data breaches have “exposed more than one hundred and forty million records of personally identifiable information.” And according to the most recent Department of Justice report, “identity theft cost American consumers more than twenty-four billion dollars” in 2012. In May 2016, the Supreme Court concluded that the U.S. Court of Appeals for the Ninth Circuit had failed to analyze whether Robins's allegations were "concrete," and remanded the case to the lower court.

In April 2014, EPIC submitted comments to the White House Office of Science and Technology Policy’s review of Big Data and the Future of Privacy. In its comments, EPIC warned the OSTP about the risks Americans face from the current big data environment, urged the swift enactment of the Consumer Privacy Bill of Rights, and highlighted the need for stronger privacy safeguards.

EPIC has also repeatedly advised legislators about the need to provide strong protections for consumer data. In October 2015, EPIC testified before the Senate Committee on Aging about protecting senior citizens from identity theft. EPIC warned about the growing risk of SSN-related identity theft, a risk magnified by the inclusion of SSNs on Medicare cards. EPIC had previously warned Congress and state legislators about the risks of using SSNs on identity documents. In June 2011, EPIC testified before the House Committee on Energy and Commerce about the SAFE Data Act, a bill intended to protect consumers’ personal information. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC criticized the bill for preempting stronger state laws and for not adequately protecting personal information. The bill was not enacted. And in May 2009, EPIC testified before the House Committee on Energy and Commerce about H.R. 2221, the Data Accountability and Trust Act, and H.R. 1319, the Informed P2P User Act. EPIC opposed the preemption of state laws, recommended the use of text messages for breach notices, and suggested that personally identifiable information be broadly defined to include any information that identifies or could identify a particular person. Both bills died in committee.