9th Circuit Takes Strict Approach in Data Breach, Privacy Cases: IAPP
The 9th U.S. Circuit Court of Appeals appears to be taking a more restrictive approach to standing in data breach and privacy cases than other circuits, said Jim Dempsey, managing director for the IAPP Cybersecurity Law Center, in a blog post Thursday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
"In what will likely be a widely quoted line, the court stated" in Popa v. Microsoft that "'there existed no free-roaming privacy right at common law,'" he wrote. "And the common law is what unlocks the door to the federal courthouse in privacy and data breach cases brought by consumers."
In Popa, the 9th Circuit affirmed the U.S. District Court for Western Washington's earlier ruling that the existence of session-replay technology on a website -- in this case, on the Pet Supplies Plus site -- wasn't enough to claim a concrete privacy injury (see 2508270052). In its decision, "the court concluded [that] tracking interactions with the pet supplies website and even collecting the name of the plaintiff's street 'are simply not offensive,'" and thus the plaintiff couldn't allege intrusion upon seclusion, Dempsey said.
In another recent case, Kisil v. Illuminate Education, the 9th Circuit relied on Popa to rule that the plaintiff lacked standing. The case was against a software company that suffered a data breach "compromising data that potentially included grades, socio-economic disadvantaged status and special education information."
The 9th Circuit's decision "repeated that there was no 'free-roaming common law right to privacy' and firmly restated that both common law and statutory claims based on intangible harm from an invasion of privacy must be 'benchmarked' to one of the four distinct privacy torts identified in the Popa case," which are: intrusion upon seclusion, appropriation of another person's name or likeness, publicity given to another person's private life, and publicity that places one in a false light, Dempsey said.
Since in the three years since the software company's breach, nobody's identity was stolen, the appeals court ruled "the kind of information at issue ... was not the kind normally considered sufficient to create a credible threat of identity theft," and that "claims based on the cost of monitoring or emotional distress from the risk were inadequate to establish standing."
"In short, the Ninth Circuit's recent decisions add further nuance to the strategy of both plaintiffs and defendants in privacy and data security litigation, with some slight advantage to defendants," Dempsey said.