9th Cir. Says Bald FACTA Violation Was Insufficient to Confer Spokeo Standing

Bassett’s argument that Congress “created a substantive right that is invaded by a statutory violation” is unconvincing because it depends entirely on the framing of the right. One could fairly characterize the “right” granted to Bassett by the FCRA (from most abstract to most specific) as “the right to be free from identity theft,” “the right to be free from disclosure to others of his full credit card information,” or “the right to be free from receiving a receipt showing his credit card expiration date.”³ Only the last “right” was violated in this case. Such a framing-dependent exercise is arbitrary, and thus bears minimally on whether Bassett suffered a concrete injury in fact.  To the extent the FCRA arguably creates a “substantive right,” it rests on nondisclosure of a consumer’s private financial information to identity thieves. See Bateman, 623 F.3d at 717 (describing the FCRA’s card number redaction requirements as “an effort to combat identity theft”). We recently held, for example, that a statute barring video service providers from disclosing knowingly and without consent a consumer’s “personally identifiable information” to third parties establishes a “substantive right to privacy.” See Eichenberger, 876 F.3d at 982–84. But here, Bassett’s private information was not disclosed to anyone but himself, and therefore no such substantive right was invaded. See id. at 983–84 (noting that whereas “the FCRA outlines procedural obligations that sometimes protect individual interests, the [Video Privacy Protection Act] identifies a substantive right to privacy that suffers any time a video service provider discloses otherwise private information” to a third party).  Bassett’s allegations of FCRA procedural violations also do not “entail a degree of risk sufficient to meet the concreteness requirement.” Spokeo, 136 S. Ct. at 1550. In assessing violations of procedural statutory rights, we consider whether “the specific procedural violations alleged … actually harm, or present a material risk of harm to [Bassett’s] interests.” Robins, 867 F.3d at 1113.  Bassett did not allege that another copy of the receipt existed, that his receipt was lost or stolen, that he was the victim of identity theft, or even that another person apart from his lawyers viewed the receipt. See Meyers, 843 F.3d at 727. Nor did he allege that any risk of harm is real, “not conjectural or hypothetical,” given that he could shred the offending receipt along with any remaining risk of disclosure. Lujan, 504 U.S. at 560.  Like the dissemination of an incorrect zip code, it is difficult to see how issuing a receipt to only the card owner and with only the expiration date, “without more, could work any concrete harm.” Spokeo, 136 S. Ct. at 1550. Indeed, Congress found that receipts like Bassett’s that truncate the credit card number but reveal the expiration date “prevent[ ] a potential fraudster from perpetrating identity theft or credit card fraud.” 122 Stat. at 1565. Bassett’s theory of “exposure” to identity theft is therefore “too speculative for Article III purposes.”