When a challenge to an $8.5 million settlement reached in a class action against Google for revealing users’ search history was appealed to the U.S. Supreme Court, the litigants and many court watchers expected the main issue to be whether payment of the settlement to privacy groups instead of the class members was permissible.  The justices, however, had other ideas.  The Supreme Court focused on Article III Standing in light of the alleged privacy violations. Given the ubiquity of businesses storing consumer data and the increasing frequency of major breaches compromising that data, business owners and executives should keep a close eye on cases like these in order to better understand the scope of liability in the event of a data breach.

History of Frank v. Gaos – A Curve-Ball from the Supreme Court

Unlike many privacy cases making headlines, Frank v. Gaos did not stem from a data breach.  Instead, Google had voluntarily disclosed users’ search histories to third parties, which the plaintiff class alleged violated the Stored Communications Act.  In the course of the litigation, the parties reached an $8.5 million settlement.  After attorneys’ fees, costs, and payments were paid to the named plaintiffs, the remaining $5.3 million was to be paid to six different nonprofit groups focused on internet privacy, with no direct compensation to the plaintiff class.  This was largely an issue of practicality, as dividing the monetary award among the one hundred twenty-nine million members of the plaintiff class would have resulted in each person receiving about four cents.  Nevertheless, members of the plaintiff class challenged this settlement as failing to meet the requirements of Federal Rule of Civil Procedure 23(e), which requires such settlements to be “fair, reasonable, and adequate.”

After oral argument, the Court deviated from its normal procedure by ordering the parties to submit additional briefs on the issue of whether the plaintiff class had alleged a concrete enough injury to have standing to sue in the first place.  After receiving the extra briefs, the Court issued a decision saying that the lower courts had not adequately considered whether the plaintiff class had standing, and remanded the case to decide the standing issue before it would rule on the adequacy of the settlement.

Spokeo Holding – Did the Consumers Suffer a Tangible Harm?

As technology has advanced and people have placed more and more of their personal information in the hands of others, the legal question has arisen of what redress is available when that information is misused or leaked.  People are understandably concerned about their privacy, but unless they can show that they suffered a tangible harm, such as identity theft or fraudulent credit card charges, those concerns are somewhat nebulous, to the point where courts have been reluctant to address them.  This tension led to the Supreme Court’s decision in Spokeo Inc. v. Robbins, a 2016 case.

In that case, the Court held that even when there is a statutory violation, the harm to the plaintiff must be “concrete and particularized” in order to establish standing.  Muddying the waters somewhat, the Court further explained that a harm need not be “tangible” to be concrete.  In addressing whether intangible harms are concrete, the Court instructed lower courts to consider whether the harm alleged has a close relationship to a type of harm that could traditionally be the basis for a lawsuit.  The Court also stated that while a directive from Congress is not necessarily sufficient to establish standing, it does merit consideration.  The Court pointed to “the risk of real harm” as the final factor to consider – essentially, whether an intangible harm is likely to become tangible.

Split Amongst Circuit Courts

In recent years, the question of standing has become particularly pressing and contentious in data breach litigation.  With large plaintiff classes generally involved in such litigation, it is impractical to investigate each individual whose data was stolen to determine whether they suffered any tangible harm.  Instead, such cases have relied on the risk of future harm, which must be “actual or imminent, not conjectural or hypothetical” according to Spokeo.  Whether or not data breach cases can meet this standard is a subject of disagreement among the federal appellate courts.  The D.C. Circuit, as well as the Sixth, Seventh, and Eleventh Circuits have all addressed this issue and found that the increased risk of future harm from personal data being exposed in a breach is sufficient to support standing.  On the other side, the Second and Fourth Circuits have held that it is not.
A significant circuit split on a controversial issue is often one of the surest signs that a Supreme Court decision on a topic is imminent, and that appears likely in this case given the Court’s recent directive in the challenge to Google’s settlement to focus on standing issues.