SCOTUS Decision in Spokeo Creates Additional Obstacle for Plaintiffs Seeking Redress for Statutory Violations

Chris Spiers
May 18, 2016

On Monday, the Supreme Court delivered an opinion in Spokeo v. Robins that raises the bar for class action plaintiffs bringing suit for violations of federal statutes, such as the Fair Credit Reporting Act of 1970 (FCRA). In a 6-2 decision, the Supreme Court held that Article III standing requires a concrete injury even in the context of a statutory violation, at the same time confirming that an intangible injury can be considered “concrete” under the right circumstances.

Plaintiff Thomas Robins filed suit under the FCRA after Spokeo, a consumer reporting agency, published incorrect information about him on its “people search engine.” According to the complaint, Spokeo willfully violated the FCRA by publishing false information regarding Robins’ age, income, and marital status. The District Court dismissed the complaint on the grounds that Robins failed to meet Article III’s standing requirements because he did not allege that the false report resulted in an injury-in-fact. The Ninth Circuit reversed the decision, holding that it was enough for Robins to allege that Spokeo violated an individual right imposed by statute. Monday’s ruling vacates that decision and remands the case to the Ninth Circuit.

According to Justice Alito’s majority opinion, the Ninth Circuit erred in its Article III standing analysis by failing to address the requirement that an injury be “concrete,” as well as “particularized.” According to the decision, “Robins could not, for example, allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.” Instead, the Court held that “a ‘concrete’ injury must be ‘de facto’; that is, it must actually exist,”in order to satisfy Article III. At the same time, the Court pointed out that “’[c]oncrete is not, however, necessarily synonymous with ‘tangible.’” Instead, the Court recognized that an intangible right may provide the foundation for Article III standing if there is a ”close relationship” between the alleged intangible harm and a harm traditionally recognized by Congress and common law.

In a concurring opinion, Justice Thomas reached the same conclusion via an historical analysis of private versus public rights provided by statute. His concurrence points out that the concept of injury-in-fact differs depending on the nature of the suit. According to Justice Thomas, a private plaintiff bringing suit to protect his own statutory rights need not allege actual harm beyond the violation of that particular right, while a private plaintiff bringing suit to protect the public’s statutory rights must make a showing of concrete and particularized harm.

In dissent, Justice Ginsburg, joined by Justice Sotomayor, disagreed that remand was necessary because the injuries alleged in the complaint were both particularized and concrete. Particularly disturbing to Justice Ginsburg was the fact that the incorrect information on Spokeo’s website included a picture, as well as information about Robin’s finances and marital status.

In a score for class action defendants, the Spokeo decision makes it clear that bare allegations that a consumer protection statute was violated will no longer be enough for a class action plaintiff to advance past the pleading stage. Moreover, although the opinion leaves the door open for suits based on intangible injuries, the majority cautions that such injuries would have to reflect an injury that the courts, as well as Congress, have previously been determined to be particularized and concrete enough to satisfy Article III.

Are “App Developers Now in Panic Mode?”

William Kellermann
May 10, 2016

In a significant break from a long-standing series of contrary decisions, the First Circuit Court of Appeal revived a plaintiff’s case alleging violation of the Video Privacy Protection Act, (VPPA) 18 U.S.C.§ 2710, against USA Today. Yershov v. Gannett Satellite Information Network, Inc., d/b/a USA Today, No. 15-1719 (1st Cir. Apr. 29, 2016).

At the heart of Alexander Yershov’s case is the allegation that USA Today, through an Android phone app, improperly disclosed personally identifiable information to a third-party, Adobe Systems. The disclosure allowed Adobe to identify and track Yershov and other users of the USA Today app across multiple devices, apps and services. In this instance, USA Today contracted with Adobe to provide third-party analytics services. The USA Today app provides access to in-app video.

The VPPA was originally enacted to provide protection for the viewing habits of consumers in the days of VHS videotapes. The Act specifically targeted practices by video rental outlets, such as the largely forgotten Blockbuster Video, to track and disclose customer video rental preferences. The VPPA came about in reaction to the disclosure of Supreme Court nominee Robert Bork’s video rental records in a newspaper, and protects personally identifiable rental records of “prerecorded video cassette tapes or similar audio visual material.” However the language of the act does not limit enforcement to “renters.” Moreover, modern disputes center on the definition of “similar audio visual material” such that the viewing history of online video qualifies for protection.

The matter came up on appeal after the District Court for the District of Massachusetts granted a motion to dismiss. The district court ruled that while the app collected and disclosed personally identifiable information (PII), as defined by the VPPA, Yershov was not a “renter, purchaser, or subscriber” of, or to, Gannett’s video content, and therefore was not a “consumer” protected by the Act. 18 U.S.C.§ 2710(a)(1), (b)(1). The court of appeal agreed with the district court analysis that the information collected in the app, the unique Android device ID and GPS location coordinates, constituted PII. While neither court illuminated whether or not the device ID or GPS coordinates each independently constitute elements of PII, the circuit court focused on the linkage between the two stating:

“While there is certainly a point at which the linkage of information to identity becomes too uncertain, or too dependent on too much yet-to-be-done, or unforeseeable detective work, here the linkage, as plausibly alleged, is both firm and readily foreseeable to Gannett.”

However, the court of appeal disagreed that Yershov was not a consumer protected by the Act and remanded the case for further proceedings. Yershov limited his allegation to contend he was a “subscriber” under the Act. The court found Congress failed to define the term “subscriber” nor provide a clear indication they had a specific definition of the term in mind. Using dictionary definitions for “subscribe” and “subscription,” where a subscription is defined as an agreement to receive or be given access to electronic texts or services, the court found:

“…Gannett offered and Yershov accepted Gannett’s proprietary mobile device application as a tool for directly receiving access to Gannett’s electronic text and videos…”

The court further held the failure to pay for subscription services is not dispositive of whether or not one is a subscriber. To do so would render the category “subscriber” superfluous in light of the “purchaser” or “renter” categories included in the Act. Further, the PII provided to Gannett had sufficient value to act as consideration for the subscription services.

The Yershov decision signals a circuit split on the definition of PII under the Act. The Ninth Circuit previously held in In re Nickelodeon Consumer Privacy Litigation, 2015 WL 248334, MDL No. 2443 (SRC) (D.N.J. Jan. 20, 2015) that the disclosure of user attributes (such as demographic information, unique identifier and IP address), without more, does not amount to disclosure of someone’s personal identity.

The decision in Yershov also creates a split among the circuits as to the definition of “subscriber” under the VPPA. The Eleventh Circuit previously ruled an app downloader is not a subscriber in Ellis v. The Cartoon Network, Inc., 2015 WL 5904760 (11th Cir. Oct. 9, 2015) analogizing an app to a browser bookmark or “Favorites” link.

This case signals a shift in the views of the federal judiciary as to the application of the Act to cutting edge technology. In addition to the Ellis and Nickelodeon cases, previous courts have generally dismissed cases under the Act on a number of grounds. For example the court dismissed a complaint under the Act alleging failure to purge subscriber information (Sterk v. Redbox, 7th Circuit, March 6, 2012) A district court also dismissed a case alleging unlawful disclosure of viewing history and queue titles through enabled devices (Mollett v. Netflix, N.D. Cal.; Aug 17, 2012). Claims alleging violation of the VPPA traditionally subjected plaintiffs to an up-hill battle. A new paradigm may have significant consequences for in-app advertising as well as big data analytics.

Many companies large and small develop apps to build brand identity and market goods and services. Startups, like Cambridge, Massachusetts’ Media Mob, provide a ready platform linking clients with artists and designers to quickly and cheaply build apps. These apps often use video as a means to communicate about the company. Last, the apps may capture a trove of data about the user, often based on the use of developer templates or tools, and unbeknownst to the company that commissioned or developed the app. Hence the tweet from counsel for Plaintiff Jay Edelman, on receipt of the First Circuit opinion:

“Huge privacy decision just handed down. 1st Cir. holds that Android ID is PII. App Developers now in panic mode. Great job Ryan & @edelsonpc”

Federal Court: Discovery Sanctions Mooted Upon Settlement

Neil Bardack
May 4, 2016

Discovery sanctions are a fact of life in the courts and becoming more so in high stakes litigation. They can arise from judgment calls that are proved wrong by a court ruling, as in the case of HM Electronics, Inc. v. R.F. Technologies, Inc., 2016 WL 1267385 (S.D. Cal. March 15, 2016). There, the question arose regarding whether parties could compromise sanctions awarded by a magistrate judge in their settlement agreement in advance of the District Court decision to affirm that award.

Defendants (the client and its attorney) objected to the sanction award on the grounds that the parties’ settlement of their dispute, including the sanctions award, mooted the court’s jurisdiction to entertain the motion. The District Court agreed and vacated the sanctions award as moot. How did this happen?

The defendants were sanctioned for discovery misconduct under Rule 37 (for violation of prior discovery orders of the court) and under Rule26(g)(3) (raised by the court for improper certifications of discovery responses). This misconduct caused the plaintiff to incur great expense, and an award of compensatory sanctions was made to compensate plaintiff for the fees and costs involved in collecting discovery from defendants.

Two days before the hearing on discovery misconduct, the parties settled and dismissed the case, notifying the magistrate judge to vacate the motions that were scheduled to be heard. The hearing went forward partly because the magistrate judge held that the settlement could not affect the court’s right to pursue sanctions for the Rule 26 violations, which outlived the settlement. The court proceeded with the scheduled hearing, which resulted in a finding that the violations justified a compensatory sanctions award.

Continue reading Federal Court: Discovery Sanctions Mooted Upon Settlement

Proposed Privacy Shield framework criticized by European Parliament, civil liberties groups

Everett Monroe
April 7, 2016

On February 29, the European Commission published its complete draft of the EU-U.S. Privacy Shield framework. The framework, if approved, will replace the invalidated Safe Harbor, which was the governing mechanism for the transfer of European personal data to the U.S. for commercial purposes. The framework has been criticized by members of the European Parliament and civil liberties groups in the United States.

The Privacy Shield keeps the basic self-certification mechanism of Safe Harbor, but contains new substantive requirements for U.S. businesses. Privacy Shield participants would need to meet a number of new requirements, as well as more exacting versions of old requirements.

  • Privacy notices must include more information about Privacy Shield requirements than previously needed under Safe Harbor. Businesses will need to make clear their participation, identify redress mechanisms available to European Data Subjects, and explain under what circumstances it will disclose personal data to government agencies for law enforcement or national security purposes
  • Participating businesses will fund a last resort arbitration system, in addition to providing other dispute resolution mechanisms to EU data subjects free of charge
  • Third party data controllers will have to agree by contract to maintain Privacy Shield protections before a participating business can disclose personal information to them. This will be the case even if the third party independently meets EU data transfer requirements
  • Participating businesses must continue to protect data collected under Privacy Shield – even if it later chooses not to re-certify or is disqualified from participating.

Federal agencies have also committed to stronger oversight of the Privacy Shield framework. The Department of Commerce has agreed to step up monitoring and to designate an official contact for European Data Protection Authorities to receive and respond to inquiries, inform them of potential violators, and facilitate resolution of complaints. The Federal Trade Commission has also pledged to step up enforcement, and both agencies will participate in a joint annual review of the framework with the European Commission and Data Protection Authorities.

To satisfy the European Court of Justice’s requirements from the Schrems decision, the Privacy Shield framework includes letters from Office of the Director of National Intelligence and the Department of Justice detailing U.S. regulation of national security surveillance and law enforcement access to data. The framework also establishes a State Department Ombudsman responsible for addressing grievances of EU data subjects over specific alleged surveillance abuses.

Privacy groups and European lawmakers in the European Parliament’s civil liberties committee viewed the framework’s safeguards against improper surveillance with skepticism. Committee members questioned whether commitments made about surveillance by the Office of the Director of National Intelligence and the Department of Justice were suffiently binding and enforceable. In addition, a number of civil liberties group sent a letter expressing their view that legislation from Congress is the only way to guarantee that European personal data would be protected from indiscriminate surveillance.

The European Commission hopes to finalize the Privacy Shield this summer. Before that can happen, the Article 29 Working Party has to give its opinion on the framework, and representatives from EU Member State governments must assent to it. The view of the Working Party is important, despite their inability to officially reject the framework, because the individual Data Protection Authorities that make up the working party can challenge the framework in future court actions. While a negative opinion of the framework is not fatal to finalization, it could signal future challenges to the framework in European courts.

CA Supreme Court Enforces Broad, Non-Negotiable Arbitration Clause In Employment Agreement

Neil Bardack
March 31, 2016

The California Supreme Court surprisingly upheld an arbitration agreement in a pre-printed, non-negotiable employment agreement which broadly required the employee to arbitrate any employment-related disputes with the company in the case of Baltazar v. Forever 21 (S208345, March 28, 2016). Although the employee, Maribel Baltazar, at first refused to sign the agreement as she did not want to be bound to arbitrate, she begrudgingly relented, signed and was hired. She later resigned and sued the company for sexual harassment, sex discrimination, and retaliation.

The trial court denied a motion to compel arbitration, finding procedural unconscionability because the employee was required to sign a pre-printed, non-negotiable agreement as a condition of employment and she was not provided with a copy of the arbitration rules. The trial court also found substantive unconscionability because the agreement gave the employer greater protections with the right to seek injunctive relief to protect trade secrets and required arbitration under the rules of the American Arbitration Association even if the court found the agreement unenforceable. This was an expected result in a state trial court based upon the existing body of appellate decisions which are hostile to forced arbitration in employment and consumer settings.

However, the Court of Appeal reversed the trial court. Although agreeing that the employee did not have meaningful choice in signing the employment agreement, the appellate court disagreed with the trial court’s conclusion that the agreement was substantively unconscionable because it permitted either party to seek injunctive relief, even if such relief more often served the interests of the employer rather than the employee.  Further, even if the AAA rules were found unenforceable, they could still could arbitrate under the California Arbitration Act.

Continue reading CA Supreme Court Enforces Broad, Non-Negotiable Arbitration Clause In Employment Agreement

California’s ‘Made In The USA’ Law Is Now More Business-Friendly

Eric Junginger
February 29, 2016

So what exactly does the “Made in the USA” label on products and clothing sold in California really mean?  Starting on January 1, 2016, it means that not all of the parts of the merchandise with that label were actually made in the U.S.A.

Prior to 2016, California had the most stringent law governing “Made in the USA” labels on products, which made it unlawful for any entity to sell a product in California with the “Made in the USA” label when the product or any part of the product was made entirely or substantially produced outside of the U.S.  In other words, the general rule was that 100% of the product (including all of its components) had to be made in the U.S. in order to market it with the “Made in the USA” label in California.  This law generated many class actions in California.

Under amended California Business and Professions Code section 17533.7, California now allows the “Made in the USA” label if one of the following two criteria are met:  (1) If all of the foreign-made units or parts in a product is not more than 5% of the final wholesale value of the product; or (2) If all of the foreign-made units or parts in a product – that cannot be obtained from a domestic source – is not more than 10% of the final wholesale value of the product.  California Governor Jerry Brown signed this law to stop the tide of class actions filed in California concerning “Made in the USA” claims where tiny components of the end product were foreign-made, and to bring its law closer to the rules set forth by the Federal Trade Commission (“FTC”) .

Continue reading California’s ‘Made In The USA’ Law Is Now More Business-Friendly

Key Class Action Developments In 2016 In Northern California

Eric Junginger
February 25, 2016

Class action filings are plentiful in California.  Each day, there are 10-20 new class actions filed in California’s state and federal courts.  They include the following categories of cases:

  1. Labor and Employment [e.g., wage and hour, overtime, Fair Labor Standards Act (“FLSA”), discrimination, and Employee Retirement Income Security Act of 1974 (“ERISA”) / employee benefits];
  2. Consumer class actions [g., products, food labeling, Unfair Competition Law (“UCL”) (Cal. Bus. & Prof. Code, § 17200 et seq.), False Advertising Law (“FAL”) (Cal. Bus. & Prof. Code, § 17500 et seq.), and Consumers Legal Remedies Act (“CLRA”) (Cal. Civ. Code, §1750 et seq.)];
  3. Civil Rights (42 U.S.C. § 1983 claims), including Americans with Disabilities Act of 1990 (“ADA”) Titles II and III class actions and disability claims; and
  4. Data Breach and Privacy class actions [g., Fair Credit Reporting Act of 1970 (“FCRA”) and Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) (15 U.S.C. §1681 et seq.), Telephone Consumer Protection Act of 1991 (“TCPA”) (47 U.S.C. §227)].

Specifically, over the past month in Northern California, consumer, employment, and TCPA class actions have dominated the filings, as indicated in the chart below.


With so many class actions filed, many of them are settled prior to trial – 2 were especially noteworthy.

  • On February 8, 2016, Warner/Chappell Music Inc. agreed to establish a $14 million fund to repay those who have over the last 60+ years paid fees to license use of “Happy Birthday to You!” (Marya v. Warner/Chappell Music, Inc., C.D. Cal., No. 13-04460).
  • On February 16, 2016, a class settled for $13 million with LinkedIn over sending multiple e-mails to members. The settlement included a $3.25 million attorney fee award and $1,500 incentive awards for each of nine lead plaintiffs.  [Perkins v. LinkedIn Corp., N.D. Cal., No. 5:13-cv-04303-LHK).

Attorneys in Hanson Bridgett’s Class Actions and Mass Torts group monitor these developments in Northern California on a daily basis and have deep experience defending and favorably resolving these types of claims.

EPA Launches eDisclosure Portal for Self-Disclosure of Civil Environmental Violations

Samir Abdelnour
February 17, 2016

The United States Environmental Protection Agency (“EPA”) recently launched its “eDisclosure” portal intended to facilitate self-disclosure of civil violations of environmental law. The portal aims to streamline EPA’s Audit Policy and Small Business Compliance Policy, which provide incentives to regulated entities – such as penalty reductions and avoidance of criminal prosecution – for voluntary discovery and correction of federal environmental violations. The eDisclosure portal does not make any substantive changes to the Audit and Small Business Compliance Policies; rather, EPA expects the portal to “result in faster and more efficient resolution of self-disclosures, while saving considerable time and resources for regulated entities and EPA.”

Disclosures made through the new portal may fall into one of two categories. “Category 1” disclosures include violations of the Emergency Planning and Community Right-to-Know Act (“EPCRA”) for which the disclosing entity can show compliance with all conditions of either the Audit or Small Business Compliance Policy. Category 1 disclosures through eDisclosure will automatically generate an electronic Notice of Determination confirming resolution of the violation(s) with no assessment of civil penalties. “Category 2” disclosures include EPCRA violations not covered by Category 1 and all non-EPCRA violations. The eDisclosure portal will automatically generate an “Acknowledgment Letter” for Category 2 disclosures, which will notify the disclosing entity that EPA will determine penalty mitigation eligibility if and when it considers taking enforcement action for the violation(s).

With the launch of eDisclosure, EPA is requiring all self-disclosed civil environmental violations, except new owner disclosures, to be made through the portal. To submit a self-disclosure through eDisclosure, an entity must first register with EPA’s Central Data Exchange (“CDX”), then submit the self-disclosure within 21 days of discovery, and certify compliance within 60 or 90 days after discovery. Entities may not claim confidential business information (“CBI”) on any disclosures submitted through eDisclosure; however, they may submit CBI manually to EPA and coordinate the manual submission and the eDisclosure submission. More information about eDisclosure is available on EPA’s website. Entities considering self-disclosure should seek the advice of counsel.

CA Court Shields Prelitigation Communications Between Parties

Neil Bardack

In Karnazes v. Ares, B246308, the Court of Appeal recently extended the protections of the litigation privilege under Civ. Code Section 47 (b) to communications between parties made in anticipation of litigation.  In that case, an attorney represented one of the defendants in an action brought by a woman who alleged negligence and fraud, among other causes of action, in relation to investment advice.  The attorney was sued along with his client based upon the attorney’s email exchange with the plaintiff, in which he denied his client’s liability and stated that if his client were sued, he would represent him.  The plaintiff disputed that the communications were made by the attorney in his role as an attorney for his client.

When the complaint was filed, the plaintiff alleged that these communications were evidence of fraudulent activity. A motion to strike under the anti-SLAPP statute, Code Civ. Proc. Section 425.16(b(1)), was filed on the grounds that the communications were privileged as they were made in furtherance of a person’s right to petition or free speech under the United States Constitution or the California Constitution in connection with a public issue. (Section 425.16(e).)

To avoid a SLAPP motion to dismiss, a plaintiff has to establish that there is a probability that the plaintiff will prevail on the claim. This evaluation requires a two-step process in the trial court. First, the court must decide whether the defendant has made a threshold showing that the challenged cause of action is one arising from protected activity. If so, then the court must consider whether the plaintiff has demonstrated a probability of prevailing on the claim. If it is determined that the cause of action arose from protected speech and that it lacks even minimal merit, it is subject to being stricken under the statute.

The court held that protected written or oral statements made in connection with judicial proceedings also included communications made preparatory to or in anticipation of such proceedings. Here, the communications by the attorney postured why his client would not be criminally liable and should prevail on the merits, and cautioned the pro per plaintiff not to directly contact his client. In response, the plaintiff failed to submit any factual evidentiary showing that respondent made any specific misrepresentation or that she relied on any to her detriment or to her damage. All of this was held to be protected speech.

The communications giving rise to a fraud claim were innocuous enough and the fact that the attorney was sued could be better explained by the fact that the plaintiff represented herself in pro per. That said, communications made in the heat of a dispute should be carefully considered to stay within the now-protected sphere of a SLAPP motion. The privilege may be lost, for instance, if what is said is not protected speech such as hate speech, defamatory speech, or speech that threatens criminal action rather than civil litigation.

The good result here is a decision that holds that the back-and-forth communications of parties who are disagreeing on legal rights and obligations are privileged if made in anticipation of a lawsuit, and, if it is apparent that litigation is a possible outcome, can be attacked under the anti-SLAPP statute.

Department of Commerce and European Commission Agree on New EU-US Privacy Shield Framework

Samir Abdelnour
February 10, 2016

Last week, the European Commission announced  they had reached  agreement with the United States Department of Commerce on a new framework for the transfer of personal data of EU data subjects from EU member states to the U.S. The new data framework, called the EU-US Privacy Shield, attempts to address concerns cited by the European Court of Justice that caused it to invalidate the EU-US Safe Harbor last October.

The Privacy Shield will require participating businesses to make and publish their privacy commitments, though it is unclear exactly what substantive commitments will be required. Similar to the Safe Harbor framework, the Department of Commerce and the Federal Trade Commission will enforce those commitments. The new framework will also formalize dispute resolution mechanisms. Businesses will be encouraged to resolve disputes in house, but the Privacy Shield would establish a free (to the data subject) external dispute resolution mechanism. The framework also allow National Data Protection Authorities to refer complaints they receive to the Federal Trade Commission.

Continue reading Department of Commerce and European Commission Agree on New EU-US Privacy Shield Framework

A California Litigation Blog