Legal Sidebar
Enforcing Federal Privacy Law—Constitutional Limitations on Private Rights of Action
May 31, 2019
Over the last two years, the prospect of a comprehensive federal data privacy law has been the subject of
considerable attention in the press and in Congress. Some Members of Congress and outside groups have
developed many proposals in the last six months alone. Some of the proposed legislation would limit
companies’ ability to use personal information collected online, require that companies protect customers
from data breaches, provide certain disclosures about their use of personal information, or allow users to
opt out of certain data practices. Some proposals combine all of those elements or take still different
approaches.
One overarching question that every data privacy proposal raises is how to enforce any new federal rights
or obligations that a given bill would impose. One traditional method of enforcement would be by a
federal agency, such as the Federal Trade Commission or Department of Justice, through civil penalties or
criminal liability. A bill could also provide for enforcement in civil lawsuits brought by State Attorneys
General. Along with these methods, several outside commentators have recently called for any new
federal privacy legislation to include a federal private right of action—a right that would allow
individuals aggrieved by violations of the law to file lawsuits against violators in order to obtain money
damages in federal court. At least one bill proposed in Congress includes such a right: the Privacy Bill of
Rights Act, S. 1214.
Such proposals for judicial enforcement by individual lawsuits must necessarily tangle with the
constitutional limits on when federal courts can hear such claims. This Sidebar considers how the lower
courts have addressed such questions in the wake of the Supreme Court’s 2016 decision in Spokeo v.
Robins. As is discussed in detail below, these cases reveal some common principles on the limits of
federal justiciability that might inform Congress’s efforts to craft a private right of action in the data
privacy context.
Congressional Research Service
https://crsreports.congress.gov
LSB10303
CRS Legal Sidebar
Prepared for Members and
Committees of Congress
Article III Standing and Spokeo v. Robins.
Under Article III of the Constitution, federal courts can only exercise the judicial power in “cases” and
“controversies.” The
Supreme Court has interpreted this limitation to mean, among other things, that
courts can only adjudicate a dispute if the party seeking relief shows “standing.” The doctrine of standing
requires that a litigant must have “a personal stake in the outcome of the controversy as to warrant [the]
invocation of federal-court jurisdiction and to justify exercise of the court’s remedial powers on his
behalf.” Courts generally evaluate standing with
a three-part test: a litigant must show that he has
personally suffered or will suffer (1) a concrete, particularized, and actual or imminent injury-in-fact (2)
that is traceable to the allegedly unlawful actions of the opposing party and (3) that is redressable by a
favorable judicial decision.
The constitutional nature of this limitation means that even if Congress provides for a private right of
action, federal courts may not be able to adjudicate such claims, as the 2016 Supreme Court case Spokeo,
Inc. v. Robins illustrates.
Spokeo involved a Fair Credit Reporting Act (FCRA) lawsuit brought by
Thomas Robins against a website operator that allowed users to search for particular individuals and
obtain personal information harvested from several databases. Robins alleged that Spokeo’s information
about him was incorrect, in violation of the FCRA requirement that consumer reporting agencies “follow
reasonable procedures to assure maximum possible accuracy.” Although FCRA provides that individuals
like Robins can sue for
willful violations of its provisions, the Court explained that, under the first prong
of the tripartite standing inquiry, Robins still had to show that Spokeo’s conduct had injured Robins in a
concrete and particularized way. Robins’ complaint did not allege any financial or reputational injury
from the inaccuracies, but he sought statutory damages (i.e., set monetary damages for bare violations of
the law) for the entire class of similarly situated individuals.
Although there was no question that Robins’s alleged injury was particularized (because it affected him in
a distinct fashion), the Court determined that the lower court had failed to adequately analyze whether
Robins’s allegations amounted to concrete injury. According to the Court, this requirement did not
necessitate that Robins allege a pecuniary, tangible injury as a result of the inaccurate representations—
but whatever injury he alleged, it had to be “real,” raising the question of what a “real” injury entails. On
this front, the Court first
explained that, no matter what Congress intended, a “bare procedural violation”
could not give rise to standing. For example, no injury-in-fact would typically result if a consumer
reporting agency incorrectly reported a consumer’s zip code, as the Court could not envision this kind of
misrepresentation harming a consumer in a real way. The Court then identified two factors courts can
consider in determining when an intangible harm rises to the level of a concrete injury. First, “the
judgment of Congress play[s] [an] important role” with respect to this question, although the Court did
not clarify the extent of that role. Second, because the “case or controversy requirement is grounded in
historical practice,” courts should look to harms that have been “traditionally [] regarded as providing a
basis for a lawsuit in English or American courts” as “instructive” in identifying statutory violations that
can amount to concrete injuries. Ultimately, the Court did not decide whether Robins’s injury was
concrete, remanding the case to the Ninth Circuit to make that determination in the first instance.
Post-Spokeo Case Law.
In the wake of Spokeo, many courts have considered whether concrete injury-in-fact is present under
existing private rights of action.
Exposure of Personal Information. A few federal statutes already provide litigants a private right of
action when certain information is inadvertently exposed or inadequately protected. For example, the Fair
and Accurate Credit Transactions Act (FACTA), which amended FCRA in 2003 to better protect
individuals from identity theft, requires, among other things, the truncation of credit card numbers
printed on receipts—no more than the last five digits of a card number or the expiration date may be
printed on any receipt.
Individuals can sue to enforce this provision, just like other violations of FCRA.
The Third Circuit considered this provision in a case decided earlier this year, Kamal v. J. Crew Group,
Inc. There, plaintiff Kamal filed a class action suit against the clothing store J. Crew alleging that, after
his purchases at J. Crew retail stores, he received receipts printing the first six digits of his credit card
number, as well as the last four digits. Kamal did not allege that anyone other than the cashier saw the
receipt or that someone stole his identity as a result of the apparently unlawful redaction. The court,
joining with several other circuits that had considered similar claims under FACTA, concluded that Kamal
had failed to allege a concrete injury. Kamal claimed that he was injured in two ways. First, he claimed
the printing of the unredacted information in violation of FACTA, standing alone, amounted to an injury-in-fact.
Second, he claimed an increased risk that his identity would be stolen constituted a sufficient
injury. On the first argument, the court, applying the two key factors enunciated in Spokeo, acknowledged
that while Congress had expressed “an intent to make the injury redressable,” this was not enough to
“automatically satisfy” the injury-in-fact inquiry. In considering whether history and tradition supported
Kamal’s claim of concrete injury, the court analogized the harm alleged to “traditional privacy torts” and
determined that the key factor underlying such torts was disclosure “to a third party.” Here, Kamal had
alleged no disclosures of information to third parties, meaning that his harm did not bear a close
relationship to the harms recognized at common law. On Kamal’s second argument, the court rejected the
idea of injury arising from “increased risk” of identity theft as depending on an unreasonably speculative
chain of future events. In the court’s view, Kamal had not plausibly alleged that he would lose the receipt
and that unidentified third parties would use the information in the receipt to steal his identity.
By contrast, in the Third Circuit’s prior decision in In re: Horizon Healthcare Services Data Breach
Litigation, the court held that plaintiffs properly alleged standing to pursue a claim under FCRA when the
defendant had allegedly allowed the theft from their headquarters of laptop computers containing the
unencrypted personal information of the plaintiffs. The plaintiffs claimed that this violated FCRA by
unlawfully “furnishing” their personal information to third parties, and that this unlawful furnishing alone
constituted concrete injury (the court ruled only on standing and declined to consider whether such a
claim was viable under FCRA on the merits). The court agreed that this violation constituted an injury-in-fact.
Unlike in Kamal, in Horizon, and in similar decisions from other circuits, the key factor was that the
plaintiffs alleged that information was shared with third parties—the laptop thieves—and that was enough
to make the harm concrete because of the connection to common law privacy torts involving
dissemination of private information. Although the common law did not proscribe the release of “truthful
information that is not harmful to one’s reputation,” Congress had elevated this to a concrete injury by
passing the statute in question.
Retention and Collection of Personal Information. A few other federal and state laws provide private
rights of action against companies that collect or retain information without proper authorization. As with the
claims under FCRA discussed above, lower courts have considered standing to pursue these claims after
Spokeo. For example, in Gubala v. Time Warner Cable, the Seventh Circuit confronted a claim under the
Cable Communications Policy Act (CCPA), which requires cable operators to “destroy personally
identifiable information if the information is no longer necessary for the purpose for which it was
collected.” The CCPA also provides for a private right of action against cable operators that violate this
provision. The plaintiff Gubala alleged that, although he canceled his Time Warner Cable subscription in
2006, in 2014 he learned that all of the information that he originally provided to the company had
remained in the company’s possession. Gubala, however, did not allege any specific consequences
flowing from the cable company’s actions—only that “retention of the information, on its own, has
somehow violated a privacy right.” The court rejected this argument because there was “no indication that
Time Warner has released, or allowed anyone to disseminate any of the plaintiff’s personal information in
the company’s possession.” Similarly, in Hancock v. Urban Outfitters, Inc., the D.C. Circuit determined
that there was no injury-in-fact when a plaintiff alleged a clothing retailer’s unlawful collection of her zip
code at the point of purchase violated her rights. Under D.C.’s Identification Act, it is unlawful to collect
a consumer’s address as a condition of accepting a credit card. However, similar to the holding in Gubala,
the plaintiff alleged no injury apart from a bare violation of the requirements of the D.C. law, and she did
not tie that violation to any privacy interest recognized by the court.
Even though cases like Gubala suggest that a failure to retain personal information, without more,
generally does not amount to an injury-in-fact, some courts have suggested that this principle can be
limited when certain types of especially sensitive information—like biometric information—are involved.
However, other courts have disagreed, and the precise boundaries of this limitation have yet to be
established.
Intrusion into Private Spaces and Nuisance Correspondence. Yet another category of cases in which
courts have considered statutory violations are cases in which a consumer has received an unwanted
communication. Under the Telephone Consumer Protection Act (TCPA), it is generally unlawful to call a
consumer’s cell phone using an automatic telephone dialing system. In a series of cases, courts have
largely concluded that consumers have standing to sue for violations of the TCPA without alleging any
additional harm beyond the statutory violation itself. For example, in Melito v. Experian Marketing
Solutions, a case decided in April 2019, the Second Circuit determined that plaintiffs had standing to
bring a class action lawsuit for the receipt of unsolicited text messages in violation of the TCPA, despite
alleging no additional injury beyond the receipt of unwanted messages. The court explained that “the
receipt of unwanted advertisements is itself the harm” that Congress sought to prevent. The court
analogized the harm from the receipt of such advertisements to the common law injury of “intrusion upon
seclusion,” concluding that Congress could create such a cause of action without requiring a showing of
additional injury. As a different circuit explained in analyzing a similar claim, although one phone call or
a handful of text messages would ordinarily not give rise to an intrusion upon seclusion claim, Congress
“sought to protect the same interests” and the TCPA successfully “elevat[ed] a harm” that was previously
inadequate to one that is concrete.
Disclosures About Existing Practices. Finally, many federal statutes provide consumers a right to be
informed of certain information through mandatory disclosures. Whether standing exists to complain
about the failure to make a particular disclosure turns on the factual circumstances—specifically, the
nature of the disclosure and allegations of how the lack of the information affected the plaintiff. However,
in general courts have rejected the idea that the failure to make a disclosure—standing alone—results in a
justiciable injury. For example, in Hagy v. Demers & Adams, the Sixth Circuit found that a plaintiff had
not suffered a concrete injury-in-fact when a law firm sent a letter to the plaintiff about a debt that failed
to include a disclosure required by the Fair Debt Collection Practices Act (FDCPA). The FDCPA
mandates, among other things, that all communications concerning a debt indicate if they are from debt
collectors. However, the actual letter at issue in Hagy, although from a debt collector and lacking the
required disclosure, was only sent to confirm that the lender would not be collecting on the debt. Plaintiffs
failed to explain how the lack of the required disclosure had harmed them. Plaintiffs even asserted that a
more favorable letter, such as one attaching $1,000 in cash, would support an injury if it lacked the
required disclosure. The court could not see how an injury could exist in such a case and refused to
conclude that the lack of a disclosure would, in all circumstances, give rise to concrete injury.
Although a missing disclosure by itself rarely establishes a concrete injury, courts have concluded that not
much more is needed to establish standing. Some courts have concluded that an abstract explanation of
the importance of the disclosure, even without tying it to the plaintiff’s specific circumstances, can be
enough to establish concrete injury. For instance, in Macy v. GC Services Limited Partnership, a Sixth
Circuit case that followed Hagy, the court found that plaintiffs had suffered a concrete injury when they
had received a letter from a debt collector that failed to inform them that they had to dispute debts in
writing, as the FDCPA requires. Unlike Hagy, in Macy the court determined that the lack of this
disclosure created a risk of harm to the plaintiffs because it provided “misleading information” about how
consumers could dispute the debt and could have led them to inadvertently waive their rights.
Relevance to Future Privacy Legislation
A future federal privacy law may seek to create a private right of action that could allow individuals to
enforce any rights created under the statute. For example, a future privacy law could afford rights
mirroring more limited ones that currently exist in federal law—including rights that protect users from
unauthorized sharing of their information, rights that prevent companies from collecting or retaining too
much information, or rights that companies inform consumers about data practices. As a result, the case
law discussed above may provide insight into how a court might evaluate the constitutionality of a new
private right of action contained in future privacy legislation.
The case law on standing and privacy law provides several guideposts for Congress to consider. First, it is
important to understand what the post-Spokeo cases did not consider, namely a situation where a plaintiff
has suffered a pecuniary or reputational injury as a result of a privacy violation. In such a situation,
there would be no question as to standing because such injuries are injuries-in-fact. However, many data
breaches and other privacy violations that a data privacy law may target generally will not involve
pecuniary injury.
Congress’s role can be to elevate these intangible harms to concrete status, irrespective of financial harm.
As the case law discussed above suggests, Congress can craft privacy legislation which does this in two
ways. First, Congress can ensure that the federal right of action involves a harm bearing a “close
relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or
American courts,” such as a harm involving nuisance or involving the sharing of private information with
third parties. Second, Congress can tie the federal right of action to some sort of “substantial risk” of
actual harm and can “articulate chains of causation that will give rise to a case or controversy where none
existed before.” Ultimately, however, this is a legal area that is in flux, and a future Supreme Court
decision could further change the landscape for Congress.
Author Information
Wilson C. Freeman
Legislative Attorney
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff
to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of
Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of
information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role.
CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United
States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However,
as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the
permission of the copyright holder if you wish to copy or otherwise use copyrighted material.
LSB10303 · VERSION 1 · NEW