Civil Litigation
Jan. 23, 2019
The New Year: Important privacy cases to track in 2019
John A. Vogt
Partner
Jones Day
3161 Michelson Dr Ste 800
Irvine, CA 92612
Phone: (949) 851-3939
Fax: (949) 553-7539
Email: javogt@jonesday.com
Notre Dame Law School
John is a member of the firm's Cybersecurity, Privacy and Data Protection Practice.
The coming year is likely to see important legal decisions on one of the central issues in cybersecurity law: Can plaintiffs pursue damage claims for technical violations of data privacy requirements when they have suffered no actual harm?
In order to have standing to sue in federal court, a plaintiff must have a concrete and particularized injury. In 2016, the U.S. Supreme Court ruled in Spokeo Inc. v. Robins that a mere technical violation of a statute might not be sufficient to establish such injury. The ramifications of Spokeo have been hotly litigated, and there are several pending cases in which courts will address this issue during 2019.
Most important, the U.S. Supreme Court is expected to issue a decision in Frank v. Gaos (17-961), which involves claims against Google for violation of the Stored Communications Act, 18 U.S.C. Section 2707(c). When a user enters terms into Google's search engine, the service returns a webpage listing the results of the search. Each of these search results pages has a unique address -- known as a "Uniform Resource Locator," or "URL" -- that contains the user's search terms. When a user clicks on one of the search results, the user's web browser typically transmits a "referral header" containing the URL of the search results page -- with the user's search terms -- to the destination website.
This is not unique to Google. Clicking any link on the internet will cause a referral header to be sent, unless the user has disabled them. Websites, in turn, use this referral information to inform editorial decisions and marketing efforts.
In October 2010, Paloma Gaos filed a putative class action against Google in the federal court for the Northern District of California, seeking damages for the disclosure of her search terms via referral headers to third-party websites. Gaos alleged she used Google's search engine for "vanity searches" that included her name and other personal information. The lawsuit sought statutory damages on behalf of all class members of $1,000 per violation under the provisions of the Stored Communications Act.
Gaos' claims were initially dismissed for failure to plead an injury that would support Article III standing. An amended complaint was filed, and the claims were ultimately included in a proposed class action settlement involving more than 120 million Google users. Under the terms of the settlement, Google would obtain a release from class members for all privacy-related claims. The company agreed to pay $8.5 million into a settlement fund and to revise its "Frequently Asked Questions" webpages to explain referral headers. The settlement provided that Google "will not be required or requested to make any changes to ... the practices or functionality of Google Search." The attorneys for the class were awarded 25 percent of the settlement fund ($2,125,000) for legal fees and costs. Each named plaintiff was to receive "incentive awards" of a few thousand dollars, while class members would receive no compensation at all. The rest of the settlement fund would be donated as a cy pres award "to promote public awareness and education, and/or to support research, development, and initiatives, related to protecting privacy on the Internet."
After the lower courts approved the settlement, the Supreme Court granted certiorari to address the following issue: "Whether, or in what circumstances, a cy pres award of class action proceeds that provides no direct relief to class members supports class certification and comports with the requirement that a settlement binding class members must be 'fair, reasonable, and adequate.'" Then, on Nov. 6, 2018, the court asked the parties and the solicitor general to file supplemental briefs "addressing whether any named plaintiff has standing such that the federal courts have Article III jurisdiction over this dispute." This request for additional briefing suggests the court will consider whether plaintiffs have adequately alleged an Article III injury beyond a technical violation of the statute -- giving the court an opportunity to expand or clarify its decision in Spokeo.
The standing issue will also be addressed by the Illinois Supreme Court in another significant data privacy case. Rosenbach v. Six Flags Entertainment Corporation involves claims under the Illinois Biometric Information Privacy Act (BIPA), which requires companies to obtain a consumer's written consent to collect biometric information and to disclose "the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used." Violations of BIPA carry steep statutory penalties -- $1,000 for each negligent violation and $5,000 for each reckless violation.
The plaintiff in Rosenbach alleged that Six Flags violated BIPA by scanning and storing fingerprints of park visitors without their written consent. Six Flags contended that the plaintiff was not "aggrieved by" the alleged violation of BIPA because she did not suffer an injury, and therefore had no standing to pursue a claim. The intermediate court of appeal ruled in Six Flags' favor, finding that the law requires a plaintiff to have suffered "actual harm" from the statutory violation. A separate Illinois intermediate appellate decision (Sekura v. Krishna Schaumburg Tan, Inc.) came to the opposite conclusion. The issue will now be decided by the Illinois Supreme Court, and its ruling will impact scores of pending cases filed under BIPA.
A related standing issue is before the court in Flynn v. FCA US LLC (3:15-cv-00855), pending in the federal court for the Southern District of Illinois. Plaintiffs filed a class action complaint claiming the navigation system in their vehicles was "excessively vulnerable" to hacking. No class member's vehicle had ever actually been hacked. The district court nonetheless held that plaintiffs had Article III standing and certified statewide classes of more than 220,000 consumers claiming $440 million in damages. In a series of rulings, the 7th U.S. Circuit Court of Appeals allowed this class action to proceed and denied defendant's request for an interlocutory appeal on the standing issue.
On Jan. 7, 2019, the Supreme Court denied the defendants' petition for writ of certiorari. The Supreme Court thus opted not to address whether the hypothetical risk of a future data breach gives plaintiffs standing to pursue claims in federal court. But there are similar cases pending in other jurisdictions, and it is likely that these courts will provide guidance on this issue over the course of 2019.
The views and opinions set forth herein are the personal views or opinions of the author; they do not necessarily reflect views or opinions of the law firm with which they are associated.