As our society moves increasingly online, more and more information about our private lives is shared with companies, many of which pass the information along to third parties without our knowledge. Occasionally, the information shared is personal or sensitive, and results in frustration from consumers that their privacy is being violated. Historically, these consumers have turned to the courts as a way to right these wrongs.
Unfortunately, the Supreme Court, in sending Frank v. Gaos back to the lower court is a bad sign for privacy advocates hoping to retain a valuable tool to protect consumer privacy. The issue presented to the Court in Gaos was “whether a class action settlement that provides a cy pres award but no direct relief to class members satisfies the requirement that a settlement binding class member be ‘fair, reasonable, and adequate.’”
Cy pres is a funny phrase, but it provides an important tool for privacy advocates. This is because many class actions involve hundreds of thousands of people banding together to sue a bad actor. But in a case with hundreds of thousands – or even millions – of plaintiffs, the payment to individual members at the end of a case can be miniscule – as low as a few cents. Instead of providing individual class members with meaningless relief, courts have instead historically allowed the damages awards to be distributed to charitable organizations working to advance the relevant interests of the class. This includes organizations like CDT that advocate for the privacy rights of all consumers.
In declining to hear the merits of the case in Gaos the Court missed an opportunity to stand up for consumers in the digital age. The Court sent the case back to the lower courts to make their determination, which will likely result in further limiting the ability of Americans to file lawsuits when their privacy is violated. The Supreme Court ordered the case be considered in light of the Court’s decision in Spokeo v. Robbins, where it found that a violation of a statutory harm was insufficient to hold a company accountable, and that plaintiffs needed to prove they suffered an “injury in fact.”
The problem is that it can be really difficult to prove an injury in fact or “concrete” harm from a privacy violation. Just last week, I learned that my email addresses, geographic locations, IP addresses, name, passwords, social media profiles, and usernames were breached by Houzz, an online home decorating website. Despite my intense anger at having this sensitive information made public, it is hard to prove a “concrete” injury from it. I spent an hour changing various passwords and confirming that my credit cards had not been breached. Can I send a bill for my time to Houzz?
Beyond the annoyances, the larger harm is the emotional toll caused by wondering whether people will use this information to determine where I live, and that is a harm that is challenging to quantify. For example, I have a restraining order against a drug dealer who stalked and terrorized me several years ago for being part of the opposing legal team. Is he savvy enough to track me down using this breached data? In my case I think – and fervently hope – it is unlikely. But as a consumer I should not have to wait for a bad actor to use this information to open new lines of credit in my name, harass me online, show up at my house, or otherwise cause “actual” harm before I am allowed to punish negligent companies for failing to protect my privacy.
While the outcome this morning was disappointing, CDT will stay with this case as it returns to the lower courts.