John Nadolenco is an experienced civil litigator whose practice is focused on class-action defense, including defending consumer class actions, employment class actions, and securities and derivative cases. Additionally, John also has experience advising clients on privacy issues and defending clients in privacy-related cases. John served as co-editor of Mayer Brown’s The Social Media Revolution: A Legal Handbook.
Read John's full bio.

The Supreme Court today issued its decision in Spokeo, Inc. v. Robins (pdf), a closely-watched case presenting the question whether Article III’s “injury-in-fact” requirement for standing to sue in federal court may be satisfied by alleging a statutory violation without any accompanying real world injury.

The Court held that a plaintiff must allege “concrete” harm—which it described as harm that is “real”—to have standing to sue, and that the existence of a private right of action under a federal statute does not automatically suffice to meet the “real” harm standard. The decision is likely to have a meaningful impact on class action litigation based on alleged statutory violations. Justice Alito authored the opinion for the Court, joined by Chief Justice Roberts and Justices Kennedy, Thomas, Breyer, and Kagan. (We and our colleagues represented Spokeo before the Supreme Court.)

Continue Reading Supreme Court Holds in Spokeo that Plaintiffs Must Show “Real” Harm to Have Standing to Sue for Statutory Damages

Under Article III of the U.S. Constitution, a plaintiff must allege that he or she has suffered an “injury-in-fact” to establish standing to sue in federal court. Today, the Supreme Court granted certiorari in Spokeo, Inc. v. Robins, No. 13-1339, to decide whether Congress may confer Article III standing by authorizing a private right of action based on a bare violation of a federal statute, even though the plaintiff has not suffered any concrete harm.

The Court’s resolution of this question in Spokeo could affect a number of different types of class actions that have been instituted in recent years seeking potentially massive statutory damages based solely on allegations of technical violations of federal statutes—even though the plaintiff has not suffered any of the different types of “injury-in-fact” usually required to establish standing. We represent the petitioner, Spokeo, Inc.

Congress has passed a number of statutes that permit recovery of statutory damages for statutory violations even in the absence of any proof of actual injury. These statutes are particularly common in the privacy and financial-services contexts. The statute at issue in Spokeo—the Fair Credit Reporting Act (FCRA)—stands at the intersection of these two fields. Among other things, it requires “consumer reporting agencies” to “follow reasonable procedures to assure maximum possible accuracy of” consumer reports. 15 U.S.C. § 1681e(b). It also requires the provision of notices to persons who provide information to a consumer reporting agency and to those who use the services of such agencies. Id. § 1681e(d). For a “willful” violation of these sections, a prevailing plaintiff may recover statutory “damages of not less than $100 or not more than $1,000,” id. § 1681n(a)(1), and also may seek punitive damages, id. § 1681n(a)(2).

The plaintiff in Spokeo, Thomas Robins, seeks to recover statutory damages on behalf of a putative class for alleged violations of FCRA. Specifically, Robins alleged that Spokeo, which is a “people search engine,” is a “consumer reporting agency” subject to FCRA and that it had published inaccurate information about him, including that he was married and that he was better situated financially than he actually is. Robins also alleged that Spokeo had failed to provide the notices required under the FCRA. The district court dismissed the case for lack of standing, concluding that Robins had not alleged the injury-in-fact necessary to satisfy Article III.

The Ninth Circuit reversed (pdf). It concluded that the “creation of a private cause of action to enforce a statutory provision implies that Congress intended the enforceable provision to create a statutory right,” and that “the violation of a statutory right is usually”—on its own—“a sufficient injury in fact to confer standing” when “the statutory cause of action does not require a showing of actual harm.”

Spokeo petitioned for certiorari (pdf), explaining that there is a persistent conflict among the courts of appeals over whether the allegation of a statutory violation—a bare “injury-in-law”—is sufficient to establish Article III standing. The petition also pointed to the importance of this question in light of the large number of class actions involving allegations of technical statutory violations that did not cause the plaintiff any concrete harm.

The Supreme Court will hear the case next Term. We look forward to making the case for Spokeo on the merits.

The Ninth Circuit recently clarified the circumstances in which a plaintiff who settles his or her individual claims can appeal the denial of class certification of related claims. In Campion v. Old Republic Protection Company (pdf), the Ninth Circuit dismissed a class certification appeal as moot because the plaintiff had settled his individual claims. The court explained that a settling plaintiff must retain a personal, “financial” stake in litigation in order to appeal the denial of class certification—“the theoretical interest akin to a private attorney general” will not suffice.

The leading Ninth Circuit case on post-settlement class-certification appeals is Narouz v. Charter Communications, LLC (pdf). The plaintiff in Narouz settled his individual claims and attempted to settle on behalf of a class as well. If the settlement class had been certified and the class settlement received final approval, Narouz would have obtained an additional $20,000 incentive payment on top of the amount he had been given to settle his individual claims. The district court, however, refused to certify the class for settlement purposes, and Narouz appealed. The Ninth Circuit found that the individual settlement did not moot the appeal because Narouz retained a “personal stake” in the class litigation—i.e., the $20,000 enhancement award.

As we recently reported, in November 2014, the Ninth Circuit rejected as moot a plaintiff’s attempts to appeal class claims after accepting a Rule 68 offer of judgment covering “any liability” asserted in the action. In an unpublished decision, Sultan v. Medtronic, Inc., the court held that Narouz foreclosed the appeal because the plaintiff did not retain a personal stake in the class claims. Campion, a published decision, follows on the heels of Sultan and clarifies the standard established in Narouz and applied in Sultan. (Our colleague Don Falk represented Medtronic in Sultan.)

In Campion, a customer sued a home warranty provider, alleging breach of contract, breach of the implied covenant of good faith and fair dealing, and violations of the California Consumers Legal Remedies Act (“CLRA”) and California Unfair Competition Law. Campion complained that Old Republic arbitrarily denied class members’ claims and cheated them out of benefits owed under their policies. After extensive motions practice, the district court denied Campion’s motion for class certification, granted Old Republic partial summary judgment on the CLRA claims, and denied Campion leave to amend the complaint. After these rulings, the parties reached a settlement agreement. Campion dismissed his individual claims with prejudice in exchanged for the “full amount of those claims,” but “expressly reserve[d] the right to appeal the … order denying class certification” and “any other order in the case.” Campion then purported to appeal (on behalf of the putative class) the orders denying class certification and granting the defendant partial summary judgment.

A divided panel of the Ninth Circuit dismissed the appeal as moot. Campion argued that he retained an interest in the matter as a private attorney general sufficient to satisfy Narouz. But the panel majority disagreed, explaining that “a more concrete interest” is necessary. Specifically, the panel majority explained that courts of appeals have jurisdiction over appeals of class certification denials brought by settling named plaintiffs “only where the putative class representative maintain[s] a financial interest in class certification.” Because Campion had settled his individual claims for their full value, he lacked the personal financial stake necessary to pursue the class appeal.

Judge Owens dissented. He explained that he would have reached the merits of Campion’s appeal and affirmed the denial of class certification and grant of partial summary judgment. Judge Owens predicted that “the Supreme Court someday will hold that a plaintiff who voluntarily settles his claim must retain a financial stake in the litigation to serve as a class representative.” But he stated that, in his view, current law allowed settling plaintiffs to appeal on a private attorney general theory; he did not read the Narouz decision as imposing a “financial-in-nature” limitation on the type of personal stake needed to have standing to appeal the denial of class certification.

The majority noted, however, that Narouz had retained a $20,000 interest in his class appeal (the potential incentive payment). Although the Narouz court had not used the term “financial” in its formulation of the personal-stake standard, the court had permitted Narouz to proceed with his appeal only because of his $20,000 financial interest in the class claims. Similarly, in another case discussed by the Campion majority (Evon v. Law Offices of Sidney Mickell (pdf)), the settling plaintiff continued to have a personal stake in the class appeal because he had retained the right to seek up to $100,000 in attorneys’ fees if that appeal were successful. Campion, by contrast, stood to gain no compensation if the putative class recovered, thereby mooting his appeal.

Campion thus confirms that, at least in the Ninth Circuit, a plaintiff voluntarily settling individual claims must retain a personal, financial stake in continuing litigation in order to purport to file appeals on behalf of a putative class. Individual cases will “turn[] on the language of [the] settlement agreement,” but merely retaining the right to appeal as a private attorney general will not suffice. The court left open the possibility that a private attorney general interest might suffice when the plaintiff’s individual claims expire “involuntarily,” rather than by voluntary settlement. But where the plaintiff voluntarily extinguishes his entire financial interest, he or she cannot later appeal on behalf of the class.

Since 2006, companies based outside California have been alert to the potential burdens of class actions under California’s Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 630 et seq. The laws of most states, as well as federal law, allow telephone calls to be recorded with the consent of one party to the call. Accordingly, companies in those states usually can record customer service calls for quality-assurance purposes without the need to procure the customer’s consent because the call-center employee, as a party to the call, can consent to the recording. California, however, is one of 12 states that allow recording only if all parties to the call consent. (The other so-called “two-party consent” states are Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington.) The plaintiffs’ bar has been trying to use California’s extremely pro-plaintiff privacy laws, such as the CIPA, to turn this innocuous business practice into an opportunity to extract class-action settlements from companies.

In 2006, the California Supreme Court held that CIPA applies even when one party to the conversation is outside California in a state that authorizes recording with the consent of a single party to the call. Kearney v. Salomon Smith Barney, Inc., 39 Cal. 4th 95 (2006). The court explained that, under California’s choice-of-law rules, California had the overriding interest in applying its privacy laws, such as CIPA, whenever “national or international firms” headquartered outside of California record “conversations with their California clients or customers.” And, like Flanagan v. Flanagan, 27 Cal. 4th 766 (2002), Kearney applied CIPA regardless of the content of the conversations, though that likely was because Kearney involved calls to a financial institution and Flanagan involved calls between family members—i.e., situations where callers arguably have an expectation of privacy. Nonetheless, an onslaught of consumer class actions followed and continue to this day.

Companies facing CIPA suits have been making progress. More and more courts are recognizing that CIPA was not intended to apply to calls to customer-service centers. See Shin v. Digi-Key Corp., 2012 WL 5503847 (C.D. Cal. Sept. 17, 2012); Sajfr v. BBG Commc’ns, Inc., 2012 WL 398991 (S.D. Cal. Jan. 10, 2012). They’ve also recognized that customer-service calls usually do not involve private information. See Faulkner v. ADT Sec. Servs., Inc., 706 F.3d 1017, 1020 (9th Cir. 2013); Shin; Safjr. And they’ve found that individualized issues of privacy and consent under CIPA preclude class certification. See Torres v. Nutrisystem, Inc., 289 F.R.D. 587 (C.D. Cal. 2013).

The recent decision in Jonczyk v. First National Capital Corp., No. 13-cv-959-JLS (C.D. Cal. Jan. 14, 2014), provides another arrow in companies’ quivers—and a large one at that. In that case, First National and its employee were located in California and the plaintiff called in from her home in Missouri. The district court applied a conflict-of-law analysis and concluded that the law of Missouri (a one-party consent state) should apply, not California’s CIPA. The court distinguished Kearney, which involved Salomon Smith Barney’s California clients, and held that California had little interest in a Missouri resident’s claims, while Missouri had valid interests in limiting the reach of its wiretapping statute. In so holding, the court cited our victory in Mazza v. American Honda Motor Co., 666 F.3d 581 (9th Cir. 2012) for the proposition that “maximizing consumer and business welfare … does not inexorably favor greater consumer protection.” The district court’s extension of Mazza to the privacy context, and CIPA specifically, represents a significant step forward for companies doing business in California. The decision should be particularly helpful to companies in California who receive out-of-state customer calls that are recorded.

The plaintiffs’ bar continues to march forward in bringing privacy-related class actions. As we’ve written before, companies have often been able to defeat such lawsuits at the pleading stage when plaintiffs cannot allege that they suffered a harm that was concrete or cognizable. But that trend has not been universal: In a recent case involving Apple, the federal court for the Northern District of California refused to dismiss the majority of claims, in large measure because the plaintiff alleged that she relied on the company’s online representations concerning the privacy and security of personal information.

In Pirozzi v. Apple, Inc. (pdf), the plaintiff alleged that Apple acts as a “gatekeeper” in reviewing and screening the apps it makes available for download in its App Store. According to the second amended complaint, Apple’s App Store Review Guidelines state that third-party apps “cannot transmit data about a user without first obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used.” Apple also requires all app developers to agree to its iOS Developer Agreement, which requires developers to follow this policy. In addition, the plaintiff alleged that, at the time she was considering whether to purchase an iPhone, Apple’s website said that “[a]ll apps run in a safe environment, so a website or app can’t access data from other apps.”

Despite these agreements and online statements, plaintiffs alleged that some apps (including popular ones like Facebook and Angry Birds) accessed users’ contacts, location data, and private videos and photographs without user consent. The plaintiff alleged that if she had known “that the apps would be able to potentially steal her private photos and contacts she would not have downloaded the apps and would not have paid as much as she did for the iPhone, or would not have purchased the iPhone” at all.

In arguing that the plaintiff lacked standing under Article III of the U.S. Constitution as well as California’s consumer protection statutes, Apple contended that the plaintiff failed to allege that she suffered a “non-speculative injury.” But the court concluded that it was “enough” for the plaintiff to allege that “that she was ‘misled as to the nature and integrity of Apple’s products’” based on Apple’s online representations about app privacy and security. The court concluded this was a “palpable economic injur[y]” because plaintiff was able to point to a specific online statement that she found material in her decision to purchase the Apple iPhone and apps. And the alleged reliance on such a statement also sufficed, in the court’s view, to satisfy the requirement that claims of fraud be pleaded with particularity.

The court apparently saw a difference between Pirozzi’s claims and the long line of cases in which claims were dismissed when a plaintiff could not identify concrete harms resulting from the allegedly improper disclosure of private information. The deciding factor, it seems, was that Pirozzi could point to specific online statements that (she says) led her to pay more for an iPhone than she would have without those statements. Does this decision signal a broad changing of the tide in privacy cases? We don’t think so. But it should remind companies to reexamine their online statements (including relevant contract terms and privacy policies) to ensure that those statements are in fact consistent with company and industry practice.

When a company’s computer systems are raided by hackers, all too often it must brace itself for being victimized a second time by the class action bar. Plaintiffs frequently target such companies for class actions on behalf of the consumers whose data might have been exposed as a result of the potential data breach.
The fact that the consumers rarely have experienced any real harm can be the Achilles’ heel of these data-breach class actions. “World of Warcraft” creator Blizzard Entertainment Inc. was able to capitalize on this vulnerability when a court dismissed most of a putative class action against the company, finding that plaintiffs had failed to allege sufficient harm as to a number of claims. See Bell v. Blizzard Entertainment Inc. (pdf), No. 2:12-cv-09475 (C.D. Cal. July 11, 2013).

The suit arose after hackers breached Blizzard’s Battle.net system in August 2012 and stole user information. Two gamers responded by filing a putative class action, seeking to represent 10 million players worldwide. The plaintiffs alleged that Blizzard should have emailed or called affected users to notify them of the breach rather than simply posting a notice on its website. And the plaintiffs asserted that Blizzard should have better informed customers that they should buy a separate “authenticator,” a program that provides an extra layer of protection for user information.

None of the plaintiffs, however, could allege that he or she was the victim of identity theft—or even that the hackers had obtained his or her information. This omission led Judge Beverly Reid O’Connell to tell plaintiffs’ counsel at the hearing on Blizzard’s motion to dismiss, “I don’t understand your claim for harm.” The plaintiffs contended that Blizzard profited by selling the “authenticators.” And they asserted that Blizzard’s security procedures subjected them to the risk of having their data exposed to hackers (with the concomitant risk of identity theft)—which (they said) diminished the value of the games they bought from Blizzard. But Judge O’Connell concluded that plaintiffs did not satisfy the harm element required for their negligence and breach of contract claims. Plaintiffs could not identity any authority for the proposition that “an increased risk” of future harm from identity theft was “a type of harm sufficient to support a negligence claim.” And because it was not possible to resell Blizzard’s various online games played through Battle.net, the court concluded that any alleged reduction in the value of the plaintiffs’ games could not have harmed them. Accordingly, the court granted a motion for judgment on the pleadings with respect to those claims.

This ruling is in line with many other federal court dismissals of data-breach claims for failure to allege concrete, tangible harms, although many of those decisions rest on Article III standing rather than the merits. See, e.g., In re Sony Gaming Networks and Customer Data Sec. Breach Litig. (pdf), 903 F. Supp. 2d 942 (S.D. Cal. 2012) (putative class action against manufacturer of computer gaming systems for theft of personal information dismissed for failure to allege any injury-in-fact); In re LinkedIn User Privacy Litig. (pdf), 2013 WL 844291 (N.D. Cal. Mar. 6, 2013) (putative class action alleging that LinkedIn failed to adequately protect user information dismissed because claims for economic harm were insufficient to satisfy standing requirement); Claridge v. RockYou, Inc. (pdf), 785 F. Supp. 2d 855 (N.D. Cal. 2011) (despite finding Article III standing, court found that user who sued developer for failing to secure users’ personally-identifiable information had failed to allege the more particularized elements of injury required for his causes of action).

That said, the court left room for plaintiffs to amend their complaints as to certain claims, and did allow two claims under Delaware’s Consumer Fraud Act to survive. But the lesson for defendants is clear: When a plaintiff cannot allege tangible harm from data breach claims, courts are willing to narrow or dismiss a lawsuit at the pleading stage.

A key question in many privacy class actions is whether the plaintiff has suffered an injury sufficient to confer Article III standing. Quite a number of these actions have been dismissed for lack of standing. The plaintiffs’ bar therefore has been brainstorming new theories of injury in the hope that one of them will be deemed sufficient to allow the case to remain in court (and open the door to expensive discovery). A recent order by Judge White of the Northern District of California in Yunker v. Pandora Media, Inc. addresses—and rejects—some of these theories.

The lawsuit involves Pandora’s mobile app, which provides music-streaming services to wireless devices. The plaintiff alleges that, although Pandora tells users that it will sell information to advertisers only after that information has been stripped of identifying details, in fact the company also sells personally identifiable information such as the user’s age, gender, and location—which, the plaintiff says, violates federal and state law.

As is now routine in privacy class actions, the first question was whether the plaintiff has standing to sue in the first place. Judge White batted down each of the plaintiffs’ arguments.

First, the plaintiff argued that because Pandora allegedly sold the plaintiff’s personally identifiable information, that information is now less valuable. Judge White pointed out that this theory has been rejected five times by federal judges in California alone because of the highly speculative nature of this alleged harm. In addition, although the plaintiff had alleged that he “paid” for the Pandora app with his personal information (the app is available for free), he hasn’t alleged that he otherwise had “attempted to sell” that information, that he “would do so in the future,” or that he either was “foreclosed from entering into” any other transaction involving his information or even would have chosen not to use Pandora’s app if he had “known how Pandora would use his” information.

Second, the plaintiff alleged that the manner in which the Pandora app allegedly collected his information by installing “third-party advertising libraries” on his phone decreased its usable memory. Judge White acknowledged that an alleged decrease in device “performance” could be an injury conferring standing. But Judge White explained that the plaintiff had failed to allege any such problems, that he paid money for the app, or even that he would not have downloaded it if he had known that it used slightly more memory because it used these libraries.

Third, the plaintiff argued that the sale of information about him could subject him to future harm (such as identity theft). The plaintiff pointed out that, in Krottner v. Starbucks Corp., the Ninth Circuit had indicated that a future harm like identity theft could confer standing. But Judge White explained that Krottner involved very different facts—a laptop containing individuals’ financial information had been stolen, and a plaintiff alleged that she actually was the victim of identity theft. Judge White pointedly observed that the plaintiff here alleged nothing of the sort.

Having rejected these theories of standing, Judge White dismissed a number of the plaintiff’s claims. (He also concluded that many of them failed on the merits.) Nonetheless, Judge White granted the plaintiff leave to amend (not a big surprise, as such leave is freely given by most federal courts).

In sum, Yunker confirms that challenges to Article III standing remain a major arrow in the quiver of companies facing privacy class actions.

In recent months, we have seen growing interest in potential privacy issues in the context of mobile applications. Earlier this month, California Attorney General Kamala D. Harris released an official report—“Privacy On the Go: Recommendations for the Mobile Ecosystem”—with new privacy recommendations for the mobile industry. The report, while providing a “template” for best practices, suggests that app manufacturers take steps beyond what is required under current law. Please take a look at our assessment of the report—and the potential that it will be used by plaintiffs’ lawyers seeking a new source for privacy class actions.

Class actions alleging that employers’ meal-break policies violate California law have long been a favorite of the plaintiffs’ bar.  Earlier this year, however, the California Supreme Court handed employers a victory in Brinker Restaurant Corp v. Superior Court, 53 Cal. 4th 1004 (Cal. 2012), holding that the obligation under the California Labor Code to provide employees with meal periods does not require the employer to affirmatively “ensure” that meal periods are actually taken.  In other words, an employer satisfactorily “provides” meal breaks if it relieves employees of their duties, relinquishes control over their activities, and permits them a reasonable opportunity to take an uninterrupted 30-minute break, and neither impedes nor discourage them from doing so.  Brinker thus is a significant win on the merits for employers.  (For more on Brinker, please see our Legal Update (pdf) after the decision was issued.)  But employers should remain alert for opportunities to use Brinker in all aspects of the case—including to defeat class certification.  Last week’s decision by the Second District of the California Court of Appeal in Brookler v. RadioShack Corp. (although unpublished) is a great example.

In Brookler, plaintiff Morry Brookler, a former RadioShack employee, filed a putative class action alleging, among other things, that RadioShack deprived employees of the uninterrupted 30-minute meal periods required by California law.  The trial court initially certified a class, but then decertified it after concluding that because employers need not force employees to take meal breaks, the key question presented by the case—whether RadioShack coerced, impeded, or discouraged employees from taking meal breaks—raised a number of highly individualized inquiries that precluded certification.  The Court of Appeal initially reversed the decertification order.  But it reconsidered after the California Supreme Court’s decision in Brinker and has now affirmed the trial court’s decertification order.

Applying Brinker, the Court of Appeal agreed that class certification turned on whether it was possible to determine whether RadioShack had deprived employees of meal breaks in a single class trial without resort to a litany of individualized inquiries.  And because Brinker confirmed that there are lawful reasons for employees to skip meal breaks, the Court of Appeal agreed that, as a matter of law, the particular circumstances surrounding each skipped break would be relevant to determining RadioShack’s potential liability (if any), making it impossible to certify a class.

The Court of Appeal also concluded that the trial court’s decision was supported by substantial evidence.  RadioShack had established that it had a uniform policy of providing for meal periods and had a software program to assist management in scheduling employee hours and meal breaks.  Radio Shack also had developed deposition testimony showing a wide variety of reasons why employees voluntarily chose not to take a full, uninterrupted meal period.  The Court of Appeal therefore affirmed the trial court’s decision that individualized issues would predominate over any common ones, barring class certification.

Brookler provides additional reason for California employers to rely on Brinker in opposing class certification in meal-break lawsuits by adducing proof showing that employees might skip meal breaks for all sorts of legitimate reasons.