California Courts Set Privacy Litigation Standards for Big Tech

Oct. 15, 2019, 8:31 AM

Federal courts in California are lowering the bar for consumers to bring privacy suits against the big tech giants, in effect setting the standard for how such cases are handled, attorneys and academics said.

Facebook Inc., Apple Inc., and Alphabet Inc.’s Google have faced dozens of consumer class claims in California federal courts in recent years, after a series of high-profile privacy and security breaches. Plaintiffs have had an easier time convincing big tech’s home courts, the U.S. District Court for the Northern District of California and the U.S. Court of Appeals for the Ninth Circuit, that they have standing to sue the companies for privacy harms.

Courts in other regions of the country see far fewer privacy lawsuits, and tend to favor businesses, making California a magnet for the plaintiffs’ bar.

The two courts have an outsized impact on the privacy litigation of tech giants because of where they are located, the liberal makeup of the courts, and the Supreme Court’s unwillingness to question the courts’ tech decisions, privacy attorneys and academics said. And it is likely to stay that way.

“California federal courts are definitely shaping the privacy jurisprudence in a very pro-privacy way,” Amanda Fitzsimmons, privacy and litigation partner at DLA Piper in San Diego, said. Plaintiffs continue to file their claims in these courts as California federal judges have allowed privacy suits to proceed past the pleading stage, she said.

“California is likely to continue to be a hotbed for privacy litigation,” Fitzsimmons said.

California federal courts accounted for 173 decisions in standing cases over the past five years, including 73 in the Northern District, according to a Bloomberg Law analysis. New York courts decided 57 standing cases and Florida had 44 during the same time period, the analysis shows.

The Ninth Circuit issued 13 rulings in privacy and data security standing cases in the past five years, the analysis shows. The Third and Seventh Circuits made 9 rulings each during the same time period.

In the Neighborhood

Big tech being located “within the Ninth Circuit, and the Northern District of California in particular, means that privacy issues are often litigated in these courts,” Adam A. Cooke, senior litigation associate at Hogan Lovells, said. “Challenges over Article III standing often take center stage, so courts in the Ninth Circuit tackle these issues on a regular basis,” he said.

The Ninth Circuit ruled in In re Zappos (2018) that plaintiffs can bring claims in court by showing they may be harmed in the future following a data breach, possibly through identity theft. Plaintiffs whose data was allegedly stolen argued that possible misuse of their private information in the future should give them standing to sue, and the court agreed.

Similar, earlier rulings in Krottner v. Starbucks (2010) and In re Adobe Systems, Inc. Privacy Litig. (2014) opened the door for these courts to be more pro-plaintiff in privacy and data breach cases, privacy attorneys said. The three cases still stand as controlling law in the Ninth Circuit.

Facebook users suing over the Cambridge Analytica data scandal won an early challenge to their standing in the Northern District. The plaintiffs said In re Facebook, Inc., Consumer Privacy User Profile Litig. (2019) that they were harmed when Facebook collected their data and shared it with third parties—Cambridge Analytica and other app developers—without permission.

Northern District Judge Vince Chhabria said users who shared their data only with Facebook friends had a right to assume the data would be kept private, and therefore had Article III standing to sue the company for a breach when the data was shared with Cambridge Analytica without consent. Facebook appealed the decision to the Ninth Circuit Oct. 8.

Circuits Split

Other courts around the country, including the Second and Fourth Circuits, have issued decisions less favorable to protecting individual privacy. Unlike the Ninth Circuit in Zappos, for example, those courts found that an increased risk of identity theft isn’t enough on its own to bring class claims following a data breach.

The Seventh and D.C. Circuits are more pro-plaintiff, allowing claims with a mere showing that plaintiffs suffered increased identity theft risks, attorneys said.

The Ninth Circuit and the Northern District of California will continue to favor consumers in privacy and data breach cases amid the “corollary and conflicting decisions” at the circuit courts, Bradford Mank, professor at the University of Cincinnati College of Law focusing on standing issues, said. That will keep happening absent a major Supreme Court decision that limits a plaintiff’s ability to sue in federal court over privacy concerns, he said.

Supreme Inaction

The Supreme Court has been unwilling to revisit standing issues in privacy and data breach cases since its 2016 decision in Spokeo v. Robins. In that case, which came through the Ninth Circuit, the high court said plaintiffs must raise a concrete injury traceable to alleged bad conduct, such as deliberate sharing of data without consent, to keep claims in court.

The high court likely sees its Spokeo decision as providing enough clarity for standing challenges, privacy attorneys said. That could change as more privacy and data breach cases make their way through the court system. But the Supreme Court hasn’t signaled it will weigh in again soon, privacy attorneys said.

Without Supreme Court action, courts like the Ninth Circuit that see the most privacy cases are likely to set the tone for when consumers have the right to sue, attorneys and academics said.

The lack of more Supreme Court guidance on standing will “absolutely lead to more aggressive suits” by consumers seeking to protect their privacy in permissive courts like those in California, Peter Ormerod, assistant professor of business law at Western Carolina University, said.

Plaintiffs attorneys are watching a few other courts that might learn toward helping consumers bring privacy cases against big tech companies. Federal district and circuit courts in Illinois are allowing more privacy cases. But the California federal courts will continue to be in the forefront of those cases, attorneys said.

“There are certain jurisdictions that routinely get complex privacy cases and our preference is to be in front of courts where a privacy case isn’t a rare filing,” Jay Edelson, founder and CEO at class action firm Edelson PC in Chicago, said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editors responsible for this story: Cheryl Saenz at csaenz@bloombergtax.com; Keith Perine at kperine@bloomberglaw.com

To read more articles log in. To learn more about a subscription click here.