November 23, 2020

Volume X, Number 328


November 20, 2020

Subscribe to Latest Legal News and Analysis

Robins v. Spokeo: Opening the Door to Standing on Privacy Lawsuits?

In ruling that is likely to have significant impact on privacy litigation, the Ninth Circuit determined on Tuesday that a plaintiff’s claim that the Fair Credit Reporting Act (FCRA) had been violated was sufficient “injury” for the case to proceed. Nearly 15 months after the United States Supreme Court asked the Ninth Circuit on remand to determine whether plaintiff Thomas Robins suffered a concrete injury sufficient to justify Article III standing, the Ninth Circuit ruled 3-0 in favor of the plaintiff. See Robins v. Spokeo, Inc. No. 11-56843 (9th Circuit, Aug. 15, 2017). While this decision appears limited in scope to lawsuits specifically alleging violations of FCRA, it is likely that a plaintiff’s counsel will argue that the rationale of this opinion should be extended to other privacy statutes in an effort to dilute the “concrete and particularized” injury requirements to bring a claim under those laws.


Initially Robins’ case was dismissed at the district court in 2010 for lack of standing, which was later overturned by the Ninth Circuit in 2014 and then appealed to the Supreme Court. While ultimately remanding the case, the Supreme Court’s May 2016 opinion emphasized that a plaintiff must allege a statutory violation that causes him to suffer some harm that “actually exist[s]”; an injury that is “real” and not “abstract” or merely “procedural.” 136 S. Ct. at 1548-49. However, the Court also noted the importance of congressional judgement in the concreteness inquiry, stating that “Congress may elevate to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law.” Id. at 1549 (internal citations omitted).

Ninth Circuit Opinion: “Concrete Interest” and “Material Risk of Harm” Analysis

Drawing a distinction between Clapper v. Amnesty International USA, 133 S. Ct. 1338, 1147-48 (2013), which explained that a plaintiff cannot show injury-in-fact unless the “threatened injury [is] certainly impending”, the Ninth Circuit held that “in the context of FCRA, this alleged intangible injury is itself sufficiently concrete.” slip op. at 20. Finding that FCRA’s procedures are designed to protect consumers’ “concrete interest in accurate credit reporting about themselves,” the Ninth Circuit turned its focus to whether the alleged FCRA violation created a “material risk of harm” to the concrete interest. slip op. at 11, 15.

Echoing the Supreme Court’s sentiment that not every minor inaccuracy reported in violation of FCRA will cause any material risk of real harm, the Ninth Circuit concluded that there must be “some examination of the nature of the specific alleged reporting inaccuracies to ensure that they cause a real risk of harm to the concrete interests.” Id. at 16-17. However, the Ninth Circuit also declined to “conduct a searching review for where that line should be drawn,” concluding that Robins’ allegations that Spokeo falsely reported his marital status, age, employment, education, and wealth level are “substantially more likely to harm his concrete interests than the Supreme Court’s example of an incorrect zip code” and are not a “mere technical violation” of FCRA. Id. at 17-18.


In sum, the latest decision in the Spokeo progeny seems to suggest that at least in the Ninth Circuit, a violation of FCRA suffices to demonstrate a concrete injury – however, a court will still weigh the specific nature of the violation to determine if there has been a material risk of harm. Allegations that only rise to the level of “mere technical violation” may not survive the Article III inquiry. Following the Supreme Court, the Ninth Circuit also declined to comment or provide any guidance as to “what varieties of misinformation should fall into the harmless category, beyond the example of an erroneous zip code,” meaning that there is no bright line test. Id. at 17.

The Ninth Circuit’s decision comes on the heels of a recent decision in the D.C. Circuit finding that a plaintiff’s heightened risk of future identity theft is sufficient to show standing at the pleading stage. See Attias v. CareFirst, Inc., Case No. 16-7108. Armed with these recent decisions, companies will have a more difficult time challenging their standing in data breach actions and potentially other privacy litigation, which may increase a plaintiff’s ability to survive the motion to dismiss phase and move more quickly to class certification and discovery. This, in turn, will result in such actions becoming more expensive to defend.

© 2020 Foley & Lardner LLPNational Law Review, Volume VII, Number 229



About this Author

Julia Kadish, Foley Lardner Law Firm, Technology Drafting Attorney

Julia (Julie) Kadish is an associate with Foley & Lardner LLP where her practice focuses on drafting and reviewing technology agreements across a variety of industries, and counseling clients on privacy and data security matters, including data breach response and preparedness. She also has experience implementing corporate compliance programs from an initial risk assessment to implementation, training, and annual audits. Ms. Kadish is a Certified Information Privacy Professional (CIPP/US).

Eileen R. Ridley, Foley Lardner, Arbitration Lawyer, High Tech Litigation Attorney

Eileen R. Ridley is a partner and litigation lawyer with Foley & Lardner LLP. Ms. Ridley has extensive experience in litigating, arbitrating and trying complex commercial matters for a variety of industries including the high-tech, oil and gas, telecommunications, construction, insurance and health care industries. She is the firm’s Chief Diversity Partner, a role in which she is a catalyst for and leader in carrying out the firm’s commitment to diversity. Ms. Ridley serves on the firm's national Management Committee and is vice chair of the Litigation Department....