Spokeo, Inc. v. Robins

Concerning Whether Courts Have Jurisdiction to Review Cases Brought Based on Violations of Federal Statutory Rights
  • Supreme Court Limits Standing to Sue in Credit Reporting Case » (Jun. 25, 2021)

    The U.S. Supreme Court issued a decision today in TransUnion LLC v. Ramirez, an important case about the ability of individuals to bring privacy cases in federal court. The Court, in a controversial 5-4 decision authored by Justice Kavanaugh, held that proof of "concrete harm" is required to establish standing to sue under Article III of the U.S. Constitution. The jury in this case found that TransUnion had willfully violated the Fair Credit Reporting Act (FCRA) when it falsely flagged the credit reports of thousands of individuals for being "Specially Designated Nationals" under the Office of Foreign Asset Controls list that includes terrorists, drug traffickers, and other sanctioned individuals. The Supreme Court held that the group of individuals who could prove that these false credit reports had been disclosed to third parties had standing to sue, but the group who did not provide evidence that their reports had been disclosed did not meet the burden under Article III.

    This decision will have significant implications for individuals seeking redress in federal court for privacy violations that do not involve the improper disclosure of personal information. EPIC filed an amicus brief in TransUnion, urging the Court to hold that people can sue when their privacy rights are violated, regardless of whether they allege that the violation led to other harms. Justice Thomas, joined by three other members of the Court, agreed and would have ruled that standing exists in any case brought by an individual to vindicate a violation of their private rights. EPIC's Executive Director, Alan Butler, said that "the Supreme Court's decision in TransUnion does not close the door on all privacy claims, but it certainly makes it more difficult for individuals to seek redress in privacy cases that don't involve improper disclosure of information." EPIC previously filed an amicus brief on this issue with the Supreme Court in Spokeo v. Robins and frequently files amicus briefs in cases interpreting standing under a variety of privacy laws.

  • Supreme Court Won’t Disturb Data Breach Decision » (Mar. 25, 2019)
    The Supreme Court today declined to review Zappos.com v. Stevens, a decision that allowed consumers to sue the online retailer following a breach of their personal data. More than 24 million Zappos customers were affected by the breach, which included account numbers and passwords. Zappos tried to block the lawsuit, claiming that consumers had to show additional damages. The Ninth Circuit rejected that argument, and the Supreme Court left the decision of the appeals court in place. EPIC has filed amicus briefs in similar data breach cases, including Attias v. Carefirst, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." EPIC regularly files amicus briefs defending consumer privacy and addressing emerging privacy challenges.
  • Federal Appeals Court Rules Data Breach Case May Proceed » (Aug. 30, 2017)
    A federal appeals court has ruled that a major data breach case concerning Supervalu can move forward, rejecting the grocery chain's attempt to have the lawsuit dismissed. EPIC filed an amicus brief in the case, in support of the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The appeals court agreed with EPIC that the lower court was wrong to dismiss the case. However, the court held that only a consumer who could demonstrate actual financial fraud could proceed with legal claims. EPIC regularly files amicus briefs defending consumers' right to sue companies that violate their privacy, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and Spokeo v. Robins.
  • EPIC Amicus - Ninth Circuit Upholds Consumers’ Right to Sue for Privacy Violations » (Aug. 15, 2017)
    A federal appeals court ruled today that consumers have the right to file suit when companies report inaccurate credit information about them. Spokeo, the “people search” website, argued that it couldn’t be sued for publishing false information because there was no “concrete” harm. The case went to the Supreme Court, where EPIC filed an amicus brief urging the Court not to "limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." On closer consideration, the Ninth Circuit U.S. Court of Appeals concluded that companies can’t duck the legal consequences when they violate laws that “protect consumers’ concrete interests”—including their right to privacy. “[G]iven the ubiquity and importance of consumer reports in modern life—in employment decisions, in loan applications, in home purchases, and much more—the real-world implications of material inaccuracies in those reports seem patent on their face,” the Court wrote. “[I]t makes sense that Congress might choose to protect against such harms without requiring any additional showing of injury.” EPIC regularly files amicus briefs defending consumer privacy, and filed several amicus briefs after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation.
  • Supreme Court Remands Consumer Privacy Case for Further Consideration » (May 16, 2016)
    The Supreme Court has ruled in Spokeo v. Robins, a case brought under the Fair Credit Reporting Act concerning the sale of inaccurate personal data. The Court said it was necessary to determine whether the plaintiff's injuries were sufficiently "concrete." Justice Ginsburg, in a dissenting opinion, wrote that remand was unnecessary: "Spokeo's misinformation 'cause[s] actual harm to [his] employment prospects.'" EPIC filed an amicus brief, joined by thirty-one technical experts and legal scholars, citing the national epidemic of data breaches. EPIC wrote that this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress."
  • Supreme Court to Hear Critical Consumer Privacy Case » (Oct. 29, 2015)
    On Monday the Court will hear arguments in Spokeo v. Robins, a Fair Credit Reporting Act case brought on behalf of consumers whose rights were violated by the "people search" website. EPIC, technical experts, legal scholars, 15 other groups, and the U.S. Solicitor General, filed "friend of the court" briefs in support of the plaintiff. Citing the national epidemic of data breaches, identity theft, and financial fraud, EPIC argued to the Court this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." The EPIC brief was endorsed by thirty-one technical experts and legal scholars, members of the EPIC Advisory Board.
  • Solicitor General to Support Consumers in Supreme Court Privacy Case » (Oct. 5, 2015)
    The Solicitor General will argue in support of consumer privacy in Spokeo v. Robins, a critical case now before the US Supreme Court about the future of federal privacy law. EPIC, and leading technical experts and legal scholars, also filed a brief in support of consumer privacy laws, highlighting the rise of data breaches and identity theft. EPIC urged the Court not to "limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." The Court will hear arguments in Spokeo on November 2, 2015.
  • EPIC Defends Privacy Laws in Supreme Court Brief » (Sep. 8, 2015)
    In an amicus brief for the Supreme Court, EPIC defended Congress's authority to enact laws that safeguard the privacy of American consumers. EPIC explained that "Congress enacted laws that establish rights for individuals and imposed obligations on the companies that profit from the collection and use of this data." Spokeo v. Robins arises from a data broker's publication of inaccurate, personal information in violation of the Fair Credit Reporting Act. The data broker charged that, in addition to the violation of federal law, Mr. Robins must also show that he was specifically harmed. Citing the current epidemic of privacy risks in the United States, including data breaches, identity theft, and financial fraud, EPIC wrote in the brief that this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." The EPIC amicus brief in Spokeo was endorsed by thirty-one technical experts and legal scholars, members of the EPIC Advisory Board.

Summary

At issue in this case is whether a person may bring a lawsuit when a company violates a federal privacy law. In order to invoke the jurisdiction of federal courts under Article III, a plaintiff must have "standing" to sue. The Petitioner Spokeo, Inc., argued that the case should be dismissed because the Plaintiff did not prove that the publication of inaccurate personal information in violation of the Fair Credit Reporting Act was a concrete "injury" under Article III. The U.S. Court of Appeals for the Ninth Circuit disagreed, and denied Spokeo's motion to dismiss the case for lack of jurisdiction.

Questions Presented

(1) Whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of a federal statute.

Background

Spokeo, Inc. operates a commercial website that discloses to the public personally identifiable information, including contact data, marital status, age, occupation, economic health, and wealth. Some of this information is subject to protection under federal privacy laws. Thomas Robins sued Spokeo for willful violations of the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq. Robins charged that Spokeo disclosed inaccurate information about him that harmed his employment prospects and violated his rights under the Fair Credit Reporting Act. Spokeo sought to dismiss the case, claiming that there was no “injury-in-fact.” But a federal District Court rejected that argument, finding that the allegation of the FCRA violation was sufficient for the case to go forward. The U.S. Court of Appeals for the Ninth Circuit affirmed the lower court decision.

The Ninth Circuit found that Congress’s “creation of a private cause of action to enforce a statutory provision implies that Congress intended the enforceable provision to create a statutory right.” It also said that the violation of a statutory right is usually sufficient injury in fact to confer standing. The Court explained that when a cause of action does not require proof of actual damages, a plaintiff can suffer a violation of the statutory right without suffering actual damages. The court rejected Spokeo’s appeal.

EPIC's Amicus Brief

In its brief, EPIC advised the Supreme Court that this is not the time “to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” EPIC argued that plaintiffs can sue in federal court whenever a company misuses their personal information contrary to federal law. The violation of a congressionally created right constitutes the constitutional injury a plaintiff needs to pass through the courthouse door. To require that plaintiffs also prove consequential harm caused by the misuse of personal information would undermine the ability of consumers to prevent misuse of their personal information under FCRA and other privacy and consumer protection laws.

EPIC highlighted the need for robust privacy and consumer protection laws by demonstrating that “American consumers today face an epidemic of privacy harms, including data breaches, identity theft, and financial fraud.” In 2015 alone, data breaches have “exposed more than one hundred and forty million records of personally identifiable information.” And according to the most recent Department of Justice report, “identity theft cost American consumers more than twenty-four billion dollars” in 2012. The risks of identity theft and fraud are amplified by data brokers, which collect and store tremendous amounts of sensitive consumer data. Data brokers sell this data, often without verifying its accuracy or completeness, and inaccurate data can have dramatically negative effects on individual consumers.

Because the potential harms are so serious, EPIC urged the Court to maintain the ability of consumers to use privacy and consumer protection laws to hold data collectors accountable for misuse of personal data. Spokeo’s proposed rule “would not only effect a dramatic narrowing of the FCRA, it would undermine the ability of individuals to prevent the misuse of many types of sensitive personal information.” “Were the Court to accept Spokeo’s argument,” EPIC concluded, “the Court would severely limit the deterrent effect of federal privacy laws and contribute to the growing problem of data breach and identity theft in the United States.”

Legal Documents

United States Supreme Court, No. 13-1339

United States Court of Appeals for the Ninth Circuit, No. 11-56843

United States District Court for the Central District of California, No. 10-5306

Relevant Publications

  • Mark Walsh, Supreme Court weighs the right to sue an Internet data site, ABA Journal (Nov. 1, 2015)
  • Karen Levy, Alice Marwick, danah boyd, Privacy Harm in a Networked Society (2014)
  • Ryan Calo, Privacy Harm Exceptionalism, 12.2 Colo. Tech. L.J. 361 (2014)
  • Danielle Keats Citron & David Gray, Addressing the Harm of Total Surveillance: A Reply to Professor Neil Richards, 126 Harv. L. Rev. F. 262 (2013)
  • A. Michael Froomkin, “PETs Must Be on a Leash”: How U.S. Law (and Industry Practice) Often Undermines and Even Forbids Valuable Privacy Enhancing Technology, Ohio State L. J. Symposium on “The Second Wave of Global Privacy Protection” (2013)
  • Rebecca MacKinnon, Consent of the Networked: The Worldwide Struggle for Internet Freedom (2012)
  • Ryan Calo, The Boundaries of Privacy Harm, Indiana Law Journal, Vol. 86, No. 3 (2011)
  • Helen Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life (2010)
  • M. Ryan Calo, People Can Be So Fake: A New Dimension to Privacy and Technology Scholarship, 114 Penn St. L. Rev. 809 (2010)
  • A. Michael Froomkin, Government Data Breaches, 24 Berkeley Tech. L.J. 1019 (2009)
  • Danielle Keats Citron, Cyber Civil Rights, 89 B.U. L. Rev. 61 (2009)
  • Julie Cohen, Privacy, Visibility, Transparency, & Exposure, 75 U. Chi. L. Rev. 181 (2008)
  • Ann Bartow, A Feeling of Unease About Privacy Law, 155 U. PA. L. Rev. 52 (2007)
  • Francesca Bignami, Towards a Right to Privacy in Transnational Intelligence Networks, 28 Mich. J. of Int'l L., 3 (2007)
  • Gary Marx, Seeing Hazily (But Not Darkly) Through the Lens, 30 Law & Soc. Inquiry 339 (2005)
  • Francesca Bignami, Transgovernmental Networks vs. Democracy: The Case of the European Information Privacy Network, 26 Mich. J. Int’l. L. 807 (2005)
  • Gary Marx, What's New About the New Surveillance, 1 Surveillance & Soc'y 9 (2005)
  • Colin J. Bennett & Charles D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective 106 (2003)
  • Julie Cohen, Privacy, Ideology, and Technology: A Response to Jeffrey Rosen, 89 Geo. L.J. 2029 (2001)
  • Jeffrey Rosen, The Purposes of Privacy: A Response, 89 Geo. L.J. 2117 (2001)
  • Julie E. Cohen, Examined Lives: Informational Privacy and the Subject as Object, 52 STAN. L. REV. 1373 (2000)
  • Michael Froomkin, The Death of Privacy?, 52 Stan. L. Rev. 1461 (2000)
  • Anita L. Allen, Coercing Privacy, 40 WM. & Mary L. Rev. 723 (1999)
  • Jerry Kang, Info. Privacy in Cyberspace Transactions, 50 Stan. L. Rev. 1193 (1998)
  • Antonin Scalia, The Doctrine of Standing as an Essential Element of the Separation of Powers, 17 Suffolk U.L. Rev. 881 (1983)