9th Cir. Finds that Privacy Statutes Confer Spokeo Standing

In Campbell v. Facebook, Inc., __ F.3d __, 2020 WL 1023350, The Court of Appeals for the 9th Circuit held that violations of the federal Electronic Communications Privacy Act, 18 U.S.C. § 2510, et seq. (ECPA) and the California Invasion of Privacy Act, Cal. Pen. Code § 630, et seq. (CIPA) are, in and of themselves sufficient, without further allegations of injury, to state a concrete and particularized injury in fact for purposes of establishing a “case or controversy” under Article III of the United States Constitution.  The decision is significant, as standing is a frequent defense asserted by defendants in privacy-related litigation in the Ninth Circuit.

Campbell arose out of a lawsuit filed by two class representatives alleging that Facebook, Inc. had viewed and recorded links in private messages sent between Facebook users, using mentions of websites in private messages to increase statistics regarding website popularity.  Plaintiffs alleged that the interception of private communications violated ECPA, CIPA and constituted an unfair business practice under California Business & Professions Code Section 17200.  After the District Court dismissed the UCL claim and certified a class on the remaining ECPA and CIPA claims, the parties reached a settlement.  An objector appealed.

Before reaching the substance of the objector’s arguments, the Ninth Circuit considered whether the District Court had jurisdiction under Article III over the ECPA and CIPA claims.  In order to establish an Article III case or controversy sufficient to confer standing, a plaintiff must demonstrate that he or she suffered an “injury in fact” that is “fairly traceable” to the alleged misconduct and that will likely be redressed by a favorable decision.  An injury in fact must be “concrete and particularized” in order to meet Article III’s case or controversy requirement.

The issue addressed by the Ninth Circuit in Campbell was whether the violation of ECPA and CIPA, without more, was “concrete” for standing purposes.  Citing Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016), the Court noted that aninjury is concrete “if it ‘actually exist[s],’ meaning it is ‘real, and not abstract’ – but not necessarily ‘tangible.’”  The court was guided, it stated, “by ‘both history and the judgment of Congress,’ or the legislature that enacted the statute . . . [h]istorical practice is ‘instructive’ as to ‘whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.’”  The ultimate question in the standing inquiry, as framed by the court, was as follows:

When a legislature has enacted a “bare procedural” protection, a plaintiff “cannot satisfy the demands of Article III” by pointing only to a violation of that provision, but also must link it to a concrete harm. When, however, a statutory provision identifies a substantive right that is infringed any time it is violated, a plaintiff bringing a claim under that provision “need not allege any further harm to have standing.”

The Ninth Circuit then examined the private rights of action granted in ECPA and CIPA, ultimately determining that unlike the statutory violation at issue in Spokeo, the violations of ECPA and CIPA did infringe a “substantive right” and, accordingly, plaintiffs “need not allege any further harm to have standing.”  The court noted that “[t]he harms protected by these statutes bear a ‘close relationship’ to ones that have ‘traditionally been regarded as providing a basis for a lawsuit.’”  This was because “‘[v]iolations of the right to privacy have long been actionable at common law.’”  There is “a straightforward analogue,” the court concluded, “between those traditional torts and the statutory protections codified in ECPA and CIPA against viewing or using private communication.”  The Ninth Circuit concluded that bare violations of ECPA and CIPA constituted “concrete” injury sufficient to satisfy Article III’s case and controversy requirement; no further “link . . . to a concrete harm” was required.

The Campbell decision is particularly significant for two reasons.  First, federal data breach and other privacy litigation has thus far been concentrated in the Ninth Circuit (in particular, the Northern District of California).  Standing issues have been at the forefront of privacy-related litigation, as it is particularly difficult for plaintiffs to allege harm in privacy-related cases.  Second, and perhaps more significant, plaintiff’s counsel will no doubt attempt to extend the logic of the Campbell decision to other privacy-related statutes, including, perhaps, the California Consumer Privacy Act, which provides for a private right of action in the event of the unauthorized acquisition of a consumer’s personal information by third parties.  

It will remain to be seen how far the courts in the Ninth Circuit will take the Campbell decision.  Nonetheless, Campbell is a significant case that may have far reaching effects in privacy-related litigation in the Ninth Circuit.

Joseph W. Guzzetta is a privacy lawyer at Severson & Werson.  He is the author of The Rutter Group’s California Practice Guide: Privacy Law, published by Thomson Reuters.  For further information relating to privacy-related litigation in general or the Campbell decision in particular, please contact him at jwg@severson.com or 415-677-5622.