Last month, a federal court addressed the kind of harms that need to be included in a plaintiff’s complaint asserting claims under the Fair Credit Reporting Act (“FCRA”) and Fair Debt Collection Practices Act (“FDCPA”) to survive a motion to dismiss.  Magruder v. Capital One, Nat’l Ass’n, 2021 U.S. Dist. LEXIS 94804 (D.D.C. May 19, 2021).  Finding that the plaintiff had “barely” overcome the bar, the court reaffirmed the minimum pleading requirements necessary for such claims.  Read on for more details.

Plaintiff’s initial lawsuit brought claims against several financial institutions and debt collectors.  Alleging that his attempts to resolve disputes with his credit reports had had him effectively running in circles, Plaintiff brought suit against all the defendants for violations of the FCRA, and against one defendant specifically for violations of the FDCPA.

Prior to going any further with the case, the court ordered Plaintiff to show that he had suffered an “injury in fact” sufficient to satisfy the threshold requirement of Article III standing.  This necessitated that Plaintiff show that he had been harmed in a real sense, that is, that he was personally affected, and that the harm was not hypothetical or abstract.  [Note: Injury for purposes of Article III in some instances can include intangible harms, including emotional harms in very specific instances.]

In assessing Plaintiff’s injury claims, the court expressed repeatedly that his claims of a tangible harm were “thin by any measure.”  Plaintiff claimed that he had suffered economic losses, but provided no details explaining the amount of the losses, or how they happened.  Still, the court found that the bar was low enough that Plaintiff’s complaint was sufficient for a number of his claims, at least at this point.

Most notably, the court found that while Plaintiff had not claimed any tangible loss as a result of Trans Union’s alleged violation of FCRA, his emotional harm was enough.  Plaintiff alleged that Trans Union’s failure to follow reasonable procedures to assure maximum accuracy (§ 1681e(b)) and failure to conduct a reasonable investigation (§ 1681i(a)) had caused him “embarrassment, humiliation and other mental and emotional distress.”

The court found that FCRA was, at least in part, designed with this specific kind of injury in mind.  Plaintiff claimed that his credit reports incorrectly said that he had outstanding debt, when he did not.  That false claim was spread to other parties, causing emotional harms.  “The FCRA was enacted to deter just this.”  The court also extended this to the FDCPA, noting that courts have previously ruled that a plaintiff may have standing in FDCPA cases if the alleged violation “caused anxiety” or “stress and inconvenience.”

Note that in the context of the FCRA and FDCPA, other courts have taken a contrary approach as to whether such damages suffice at the pleadings stage.  This issue is far from settled in this area of data privacy law.  Not to worry, CPW will be there to keep you in the loop.

The deadline is fast approaching for businesses that buy, receive, sell, or share the personal information of 10 million or more California consumers to report their California Consumer Privacy Act (“CCPA”) rights requests metrics. On July 1, 2021, these businesses must report certain data (outlined below) in their privacy policy or elsewhere online accessible via a link in their privacy policy.


In the aftermath of the Supreme Court’s Van Buren decision this month and its resulting impact on data privacy litigation, the Supreme Court ordered the hiQ/LinkedIn data scraping saga to be remanded back to the Ninth Circuit.

Recall that in March 2020, LinkedIn filed a petition for a writ of certiorari, raising the issue of “[w]hether a company that deploys anonymous computer “bots” to circumvent technical barriers and harvest millions of individuals’ personal data from computer servers that host public-facing websites—even after the computer servers’ owner has expressly denied permission to access the data—“intentionally accesses a computer without authorization” in violation of the Computer Fraud and Abuse Act.” [Note: Of course, it is all about framing.  According to hiQ, the question was instead whether a professional networking website, such as LinkedIn, may rely on CFAA’s prohibition on “intentionally access[ing] a computer without authorization” to prevent a competitor from accessing information that the website’s users have shared on their public profiles and that is available for viewing by anyone with a web browser.]

Well, on June 14, the Supreme Court issued a summary disposition in hiQ Labs, Inc. v. LinkedIn Corp. granting certiorari.  The Court vacated the Ninth Circuit’s previous judgment and remanded the case for additional consideration in light of the high court’s ruling in Van Buren.  This case is sure to be of interest going forward, as Van Buren’s impact continues to play out in the lower courts.  Stay tuned: CPW will be there to keep you in the loop.

At Security and Privacy Bytes, Alan Friel and Niloufar Massachi have a detailed, must-read analysis of two recent New York biometric laws, both of which set forth requirements when it comes to processing of biometric data that expand consumers’ rights.  As they explain “[r]egulations governing biometric data collection, use, and processing have already been complex and strict with the Illinois’ Biometric Information Privacy Act (“BIPA”) as well as the biometrics laws in Washington and Texas.  BIPA, which has a private right of action, has generated a flood of class action litigation.  New York City has recently added to the mix by passing two new biometrics laws, the Tenant Data Privacy Act (“TDPA”) and an amendment to the New York City Administrative Code (“NYC Administrative Code”).”

You can review their assessment here.  And stay tuned: CPW’s Kristin Bryan will be providing an overview of changes on the horizon for New York data privacy litigation as a result of this development.

Regulations governing biometric data collection, use, and processing have already been complex and strict with the Illinois’ Biometric Information Privacy Act (“BIPA”) as well as the biometrics laws in Washington and Texas. BIPA, which has a private right of action, has generated a flood of class action litigation. New York City has recently added to the mix by passing two new biometrics laws, the Tenant Data Privacy Act (“TDPA”) and an amendment to the New York City Administrative Code (“NYC Administrative Code”), both of which set forth requirements when it comes to processing of biometric data that expand consumers’ rights and impose obligations on processing biometric data.


As covered in greater detail at the Security & Privacy Bytes blog, on June 11, 2021, the US House introduced five antitrust bills aimed at Big Tech. At the same time, across the Atlantic, a meeting in Cornwall, England, of the Group of Seven world leaders ended with a joint communique calling for cooperation on a number of digital matters.  These developments represent the latest attempts by governments and competition agencies around the world at “rethinking” traditional antitrust and consumer protection tools of analysis and enforcement to adapt to the challenges posed by digital markets, with a particular focus on digital platforms’ alleged “gatekeeper” role and the collation of, and access to, data.  You can read the full analysis here.


In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

Van Buren Reviewed: The Potential Litigation Impact of SCOTUS’ Decision Narrowing CFAA’s Scope | Consumer Privacy World

What The Pennsylvania Consumer Data Privacy Act May Mean For Data Privacy Litigation In The State | Consumer Privacy World

Breaking: Colorado House Passes Colorado Privacy Act | Consumer Privacy World

Europe Update: New Standard Contractual Clauses for the Transfer of Personal Data Outside the EEA | Consumer Privacy World

Breaking: President Biden Issues Executive Order Protecting Americans’ Sensitive Data | Consumer Privacy World

Settlement Over Disclosure of Driver’s Information Receives Final Court Approval | Consumer Privacy World

Last week the Supreme Court’s decision in Van Buren v. United States resolved a decade-long circuit split concerning the “exceeds authorized access” clause of the Computer Fraud and Abuse Act (“CFAA”).  Taking up the issue of whether an individual who has legitimate access to a computer network but accesses it for an improper or unauthorized purpose violates the CFAA, the Court ultimately found that such a use was not a violation of the statute.  Significantly, the decision in Van Buren endorses the narrower reading of CFAA adopted by the Second, Fourth, and Ninth Circuits,[1] while rejecting the more expansive reading of CFAA that had been the law of the land in the First, Fifth, Seventh, and Eleventh Circuits.[2]

One of the circuit splits that Van Buren appears to resolve, or provide guidance for resolving, is the question of whether violating a website’s terms of service constitutes a CFAA violation.  Prior to Van Buren, several courts within the Third, Fourth, Fifth, Eighth, and Ninth Circuits had found that terms of service violations could implicate the CFAA,[3] while other courts within the Fourth, Seventh, Tenth, and D.C. Circuits had found that individuals were not subject to criminal liability under CFAA by violating terms of service.[4]  The majority opinion in Van Buren, authored by Justice Amy Coney Barrett, adopts the latter reading.  Opining on the Government’s broad interpretation of the statute, the Court noted: “Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.” Op. at 18 (emphasis supplied).  This language appears in the Court’s broader analysis expressing concern over the scope of the Government’s interpretation of the statute, which the Court found “would attach criminal penalties to a breathtaking amount of commonplace computer activity.”  Op. at 17.

This language, as well as the policy concerns articulated by the Court supporting the narrower interpretation of CFAA, is anticipated to make it challenging to assert claims under CFAA for terms of service violations, including for misuse of data or information contained on a company’s website that would likely have constituted “exceed[ing] authorized access” under prior precedent.  However, companies seeking vindication for terms of service violations may still pursue other, previously available legal remedies.  Which remedies are available will depend on the circumstances of the violation involved, and may include causes of action for copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy.

The Court’s narrow interpretation of the CFAA is also likely to impact individuals and companies engaging in data scraping, or the process of using a program to extract data from a codebase or another program. Many public-facing websites include provisions in their terms of service that limit both their own customers’ and third parties’ use of the data contained on those websites.  Prior to Van Buren, some courts had found that data scraping constituted a violation of CFAA, particularly when the data being scraped was protected by some form of access permissions, such as a username or password requirement.[5]  This interpretation afforded entities a remedy under the CFAA to protect the data against being scraped, as those entities could arguably assert claims under CFAA relying on that favorable precedent that data scraping “exceeds authorized access” of the website because the data was intended to be protected using access authorizations.  Some privacy advocates had also favored this broader interpretation of the CFAA as more protective of individual privacy.[6]

While Van Buren does not affirmatively allow for data scraping, the Supreme Court’s narrower reading of CFAA in the decision will likely limit the legal remedies that may be available for data scraping.  As a result, companies engaged in data collection may wish to develop more stringent contractual policies for potential consumers, or take additional action to revoke authorization to their websites for parties violating the terms of service.  To afford the same protections previously available under CFAA, these companies may want to consider, to the extent they do not already have them, liquidated damages and injunctive relief provisions in their contracts with other businesses.  This, of course, will not remedy violations committed by third parties that access their information by other means.  For that, a legislative fix may be necessary.

*Thomas J. Lloyd also contributed to this article as a co-author.

[1] See United States v. Valle, 807 F.3d 508, 523-28 (2d Cir. 2015); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 204 (4th Cir. 2012); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009); United States v. Nosal, 676 F.3d 854, 856-63 (9th Cir. 2012) (en banc).

[2] See EF Cultural Travel B.V. v. Explorica, Inc., 274 F.3d 577, 583 (1st Cir. 2001); United States v. John, 597 F.3d 263, 271 (5th Cir. 2010); Int’l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010).

[3] See, e.g., America Online v. LCGM, Inc., 46 F. Supp. 2d 444, 451 (E.D. Va. 1998); United States v. Nosal, 844 F.3d 1024, 1033-38 (9th Cir. 2016); Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1066-69 (9th Cir. 2016); Southwest Airlines Co. v. Farechase, Inc., 318 F. Supp. 2d 435, 439-40 (N.D. Tex. 2004); Am. Online, Inc. v. Nat’l Health Care Disc., Inc., 174 F. Supp. 2d 890, 899 (N.D. Iowa 2001); United States v. Lowson, No. 10-114 (KSH), 2010 U.S. Dist. LEXIS 145647, at *11-18 (D.N.J. 2010).

[4] See, e.g., Sandvig v. Barr, 451 F. Supp. 3d 73, 76 (D.D.C. 2020); Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927, 932-34 (E.D. Va. 2010); Koch Indus., Inc. v. Doe, No. 2:10CV1275DAK, 2011 U.S. Dist. LEXIS 49529, at *19-25 (D. Utah May 9, 2011); Bittman v. Fox, 107 F. Supp. 3d 896, 900-01 (N.D. Ill. 2015).

[5] See, e.g., HiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, 999-1004 (9th Cir. 2019); Explorica, 274 F.3d at 582-84.

[6] See, e.g., HiQ Labs, Inc., 938 F.3d at 1003 (noting that CFAA is violated when an individual scrapes data by “circumvent[ing] a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer” as that data has been marked as “private”); see also id. at 1001-03 (discussing legislative history of CFAA and intent to increase privacy protections for online information).

In the continuing absence of comprehensive federal law regulating data privacy and protection, the states have continued to pursue their own agenda.  Pennsylvania recently became the latest state to throw its hat into the ring with its legislature’s introduction of HB-1126, the Consumer Data Privacy Act (“CDPA”).  If passed, the CDPA would make Pennsylvania the third state to enact its own data privacy and protection laws, following California and Virginia.  CPW is here to tell you what you need to know about the CDPA and how it will likely influence litigation.  Hint: if passed, expect swelling dockets.

The CDPA creates a duty for businesses to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information”.  Sounds familiar, right?  To encourage compliance, the CDPA would create private consumer causes of action and leave civil enforcement to the state attorney general.  In this respect, the CDPA draws more inspiration from the California Consumer Privacy Act (“CCPA”), which also created a private right of action, than Virginia’s recently enacted Consumer Data Protection Act, which left enforcement solely to the state attorney general.

Under the CDPA’s private right of action, consumers may obtain statutory damages of not less than $100 but not more than $750 per consumer per incident, actual damages, and injunctive or declaratory relief.  Before filing suit, however, consumers must provide a business with 30 days’ written notice.  The notice must specifically identify which provisions of the CDPA the business allegedly violated.  If the noticed business cures the violation within 30 days and provides the consumer with an “express written statement” detailing that the violations have been cured and affirming that further violations will not occur, then that business is precluded from liability under the CDPA for those violations.  Should the noticed business continue the alleged violations, however, then the consumer may file suit for the underlying violations.  The CDPA also states that should a noticed business issue an “express written statement” but continue violating the statute, then the notifying consumer will also have an additional cause of action for breach of the statement.

A private right of action in a consumer privacy bill is often a prelude to a surge in litigation.  As CPW has previously reported, over 1,000 lawsuits and at least 76 class action lawsuits have been filed under the Illinois Biometric Information Protection Act and the CCPA, respectively.  With its private right of action, the CDPA promises similar numbers.  Notably, if passed, that surge could begin immediately because the CDPA becomes effective immediately.

HB-1126 has 16 co-sponsors and is currently sitting in the Consumer Affairs Committee.  CPW will continue to monitor this bill for developments.