The Internet is all about sharing. We share memes with our friends on Facebook, messages with our coworkers on Slack, and 140 characters of witty repartee with the public on Twitter. These platforms are fueled by data, which allows providers to better tailor their services to our desires and develop new, innovative ways for us to create, interact, and transact both online and in the physical world.
Other entities use data in different ways. Spokeo, a data broker, is one such entity. Spokeo collects, collates, and cross-references publicly available data from a variety of databases, and presents that information in profiles about individuals, basic details of which it then makes freely available, with greater detail available to interested parties for a fee. Spokeo’s services, though very different from the consumer-facing platforms we enjoy every day, can help illustrate a key distinction in the ever-shifting balance between consumer privacy and innovation online.
Last month, the Supreme Court ruled in Spokeo, Inc. v. Robins that Robins, whose Spokeo-generated online profile contained inaccurate information, failed to meet minimum constitutional requirements to show harm in order to have standing to bring a case when alleging that Spokeo willfully failed to comply with the compliance requirements of the Fair Credit Reporting Act (FCRA) in making an inaccurate profile available to its users.
As every first year law student knows from Lujan v. Defenders of Wildlife, to have federal standing a plaintiff must demonstrate that they have suffered (1) an injury in fact, that is (2) fairly traceable to the the challenged conduct of the defendant, and (3) likely to be redressed by a favorable judicial decision. The injury-in-fact requirement requires a plaintiff to show that he or she suffered an invasion of a legally protected interest that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.”
The Supreme Court determined that the Ninth Circuit erred in finding that Robins had adequately alleged an injury in fact because it failed to consider the concreteness prong of the Lujan standard. A concrete injury to a plaintiff need not be tangible (something hard to manage online so long as the Internet is not the Matrix), but should, at minimum, be tied to a real harm rather than a bare procedural violation of a statute like the FCRA. Here, the Court notes that simply disseminating inaccurate consumer information is no guarantee of an actual or concrete harm to a plaintiff, even if the FCRA bars such an act as procedurally noncompliant. The dissemination of inaccurate information must cause harm or present a material risk of harm. However, as Robins failed to allege that he was in any way actually harmed by the inaccuracy of Spokeo’s information, the Court found he failed to allege an injury-in-fact necessary for federal standing.
It’s worth noting that in this case, if Robins had not sued Spokeo under the FCRA, which federally preempted state law defamation actions against consumer reporting agencies, he might have had recourse under a state defamation statute or at common law—though he still would have to prove injury to succeed.
At its core, the Supreme Court’s decision in Spokeo is about what actually constitutes a privacy harm online. Is the mere sharing, possession, or use of information by an entity in a way a person did not expect harmful to an individual’s privacy? What if that information is not one hundred percent accurate?
According to the Supreme Court, the answer is “probably not,” so long as the activity doesn’t in some way harm or materially increase the risk of harm to the person. If a person should concretely allege that an inaccurate profile assembled by a people search engine led to an adverse credit decision or prevented him or her from being hired for a job, for example, then there might be a federal or state case to be made.
This distinction is important because information generated and collected digitally is not just used by third party entities like Spokeo. Almost every online app, social network, and financial platform relies on user data to develop and provide a variety of services that directly benefit Internet users. When considering lawsuits and regulations that directly or indirectly work to restrict data use, it’s important to consider the full costs. If a procedurally non-compliant data use does not actually lead to privacy harms, but does provide some productive or useful service to users, then any litigation or rules that prevent that use based on a non-harm will actively be reducing benefits to consumers with no offsetting reduction in costs.
The benefits of the Supreme Court’s decision will be most felt by the disruptive startups we are such fans of here at Project DisCo. Startups with the best intentions often “move fast and break things,” some of which may be obscure compliance requirements found in complex federal statutes. Lawyers are expensive. Garnering a personal injury suit for use of data that does not actually pose a risk of real harm to individuals would chill development of innovative new products and services based on rich data analysis. Neither consumers nor startups are helped if the law compels innovators to spend time and resources correcting procedural issues that actually harm no one. The appropriate balance should ensure consumers are protected from real harms.
That’s not to say that companies that rely on data should not protect it or otherwise respect the privacy interests of users. Startups and mature online players alike should do their best to incorporate privacy-by-design principles into their development processes and look to the FTC to determine privacy and security best practices for the handling of personal information, with the intention of avoiding concrete harms to Internet users. But thanks to the Supreme Court, innovators may be able to do so in a legal environment that affords them the space to try new things and make minor procedural mistakes without the fear of frivolous lawsuits claiming hypothetical harms.