Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On July 2, the U.S. Court of Appeals for the D.C. Circuit reversed a district court’s ruling that a consumer lacked Article III standing to allege a violation of the Fair and Accurate Credit Transaction Act (FACTA) when a merchant included all 16 digits of her credit card account number, her full name, and the expiration date on a receipt, because the receipt was not thrown away. Under FACTA, merchants are prohibited from including on a receipt (i) more than the last five digits of a consumer’s credit card number; and (ii) a credit card’s expiration date. The consumer alleged that the merchant violated the restriction, but the district court ruled that the consumer lacked standing to sue because she failed to describe a concrete risk of “actual or imminent” injury to a protected interest as defined in the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins. According to the district court, because the consumer did not dispose of the receipt, and was the only person who ever saw the receipt, her risk of identity theft had not increased. Moreover, the district court stated that the burden of protecting the non-compliant receipt did not constitute a concrete injury.
On appeal, the D.C. Circuit reversed, holding that printing a receipt containing all 16 digits of a consumer’s credit card number is an “egregious” enough violation of FACTA to confer standing. According to the panel, the harm inflicted on the consumer by the merchant’s mishandling of her receipt had a “close relationship” to the type of harm that gives rise to a “breach of confidence” claim. Moreover, the panel stated that it was irrelevant that the consumer had been able to protect herself by safeguarding the receipt because: (i) FACTA protects an interest in avoiding an increased risk of identity theft, which the panel considered to be sufficiently concrete; and (ii) under the facts presented, the violation of the truncation requirement created a “risk of real harm” to such concrete interest. The D.C. Circuit remanded the case for further proceedings consistent with its findings. Notwithstanding, the panel was clear that not every violation of FACTA’s truncation requirement creates a risk of identity theft.
Notably, while the D.C. Circuit’s decision is in agreement with an 11th Circuit opinion issued in April (prior InfoBytes coverage here), it conflicts with other appellate decisions, including an opinion issued by the 3rd Circuit in March (covered by InfoBytes here), wherein the 3rd Circuit held that, without concrete evidence of harm, a consumer lacks standing under FACTA to sue a merchant for including too many digits of a credit card account number on a receipt. The D.C. Circuit noted, however, that the 3rd Circuit “recognized its analysis would be different if it were presented with the facts [the consumer] presents to us.”
On June 5, the U.S. Court of Appeals for the 9th Circuit affirmed a lower court’s decision to decertify a class of callers claiming their cellphone calls were unlawfully recorded, holding that the class representative lacked standing as to its individual claim. According to the opinion, customers of a concrete supplier alleged that calls placed to a phone system that the company began using in 2009 failed to inform callers that their cellphone calls were being recorded. In 2013, the company changed the recording to state that the calls maybe be “monitored or recorded.” The class representative sought to certify a class of all persons whose calls were recorded between the time that the company started using the call recording system in 2009 to when it updated the recording. The district court initially denied certification under the Federal Rule of Civil Procedure Rule 23’s predominance requirement, and later—after certifying the class based on evidence presented concerning the timing of certain recorded calls—decertified the class for failing to satisfy the “commonality” and “predominance” requirements once the concrete supplier identified nine customers who claimed they had actual knowledge of the recording practice during the class period. In addition, the court concluded that the class representative lacked standing to seek damages on its individual claim or injunctive relief because it lacked standing under the 2016 Supreme Court opinion Spokeo, Inc. v. Robins, which required that it show a concrete or particularized injury as a result of the concrete supplier's alleged violation.
On appeal, the 9th Circuit rejected the class’s argument that it “has standing to appeal the decertification order notwithstanding the adverse judgment against it on the merits” due to the following two exceptions to the mootness doctrine that may permit a class representative to appeal decertification even if its individual claims have been mooted: (i) the class representative “retains a ‘personal stake’ in class certification”; or (ii) “the claim on the merits is ‘capable of repetition, yet evading review,’” even though the class representative has lost “his personal stake in the outcome of the litigation.” The appellate court concluded that “neither of these mootness principles can remedy or excuse a lack of standing as to the representative's individual claims.”
Splitting from the 6th Circuit, 7th Circuit holds mere procedural violation of FDCPA not sufficient harm for standing
On June 4, the U.S. Court of Appeals for the 7th Circuit held that the receipt of an incomplete debt collection letter is not a sufficient harm to satisfy Article III standing requirements to bring a FDCPA claim against a debt collector. According to the opinion, a consumer received a collection letter which described the process for verifying a debt but did not specify that she had to communicate with the collector in writing to trigger the protections under the FDCPA. The consumer filed a class action against the debt collector alleging the omission “‘constitute[d] a material/concrete breach of her rights’” under the FDCPA. In the complaint, the consumer did “not allege that she tried—or even planned to try—to dispute the debt or verify that [the stated creditor] was actually her creditor.” The district court dismissed the action, concluding that the consumer had not alleged that the FDCPA violation “caused her harm or put her at an appreciable risk of harm” and therefore, the consumer lacked standing to sue.
On appeal, the 7th Circuit affirmed the district court’s decision, concluding that because the consumer did not allege that she tried to dispute or verify the debt orally, leaving her statutory protections at risk, she suffered no harm to her statutory rights under the FDCPA. The appellate court emphasized that “procedural injuries under consumer‐protection statutes are insufficiently concrete to confer standing.” The court acknowledged that its opinion creates a conflict with a July 2018 decision by the U.S. Court of Appeals for the 6th Circuit, which held that consumers had standing to sue a debt collector whose letters allegedly failed to instruct them that the FDCPA makes certain debt verification information available only if the debt is disputed “in writing.” (Covered by InfoBytes here.) The appellate court also agreed with the district court’s decision to deny the consumer’s request for leave to file an amended complaint, noting that she did not indicate what facts she would allege to cure the jurisdictional defect.
On April 30, the U.S. Court of Appeals for the 2nd Circuit held that the receipt of unsolicited text messages, absent any additional injury, is sufficient to demonstrate injury-in-fact in a TCPA class action. According to the opinion, consumers filed a class action lawsuit against a retail store for sending unsolicited text messages in violation of the TCPA. The district court approved a settlement between the parties and certified the class despite various objections, including one from a third-party defendant who argued the consumers lacked standing under the 2016 Supreme Court opinion Spokeo, Inc. v. Robins, because “they alleged only a bare statutory violation and statutory damages cannot substitute for concrete harm.”
On appeal, the appellate court first rejected the third-party defendant’s standing to appeal the district court’s decision because it had not been “‘formally strip[ped]’ of any claim or defense, it lacks standing to pursue its appeal” in the underlying class action. Notwithstanding the lack of standing by the third-party defendant, the appellate court then went on to address the jurisdictional standing issues raised against the consumers. The court reasoned that, even though the third party that raised the jurisdictional question had been dismissed, the court had an “independent obligation to satisfy [itself] of the jurisdiction” of the appellate and district court. The appellate court concluded that the consumers sufficiently alleged “nuisance and privacy invasion” by the unsolicited text messages, which “are the very harms with which Congress was concerned when enacting the TCPA.” Because the harms identified are “of the same character as harms remediable by traditional causes of action,” the appellate court held the consumers sufficiently demonstrated injury-in-fact as required by Article III.
On April 22, the U.S. Court of Appeals for the 11th Circuit affirmed a district court’s ruling that including too many digits of a consumer’s credit card account number on a receipt was sufficient to constitute a concrete injury even if the consumer’s identity was not stolen. Under the Fair and Accurate Credit Transactions Act (FACTA), merchants are prohibited from including more than the final five digits of a consumer’s credit card number on a receipt. According to the opinion, the consumer filed a class action suit against a chocolate company, alleging that one of its stores printed the first six and last four digits of his account number on a receipt, which exposed the class members “to an elevated risk of identity theft.” When the parties sought approval of a proposed settlement, two unnamed class members contested the settlement on the grounds that, among other things, the consumer/class representative lacked standing to sue because he had not suffered a concrete injury as defined in the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins. The district court, however, approved the settlement.
On appeal, the 11th Circuit held that an increased risk of identity theft is sufficient to bring claims under FACTA, and that the class representative’s “alleged injury is ‘particularized’ because the heightened risk of identity theft affected him ‘in a personal and individual way’—it was his credit card number that appeared on the receipt.” Moreover, the appellate court noted, “In our view, if Congress adopts procedures designed to minimize the risk of harm to a concrete interest, then a violation of that procedure that causes even a marginal increase in the risk of harm to the interest is sufficient to constitute a concrete injury.”
On March 25, the U.S. District Court for the Southern District of Florida granted in part and denied in a part a motion to dismiss a putative class action alleging that an auto dealer violated the TCPA by using a “ringless” voicemail platform to leave pre-recorded telemarketing voicemails on consumers’ cell phones without obtaining prior express consent. The defendant moved to dismiss the putative class claims arguing that (i) the plaintiff lacked standing and failed to state a claim because he did not receive a “call” within the meaning of the TCPA; (ii) the plaintiff lacked standing to seek declaratory or injunctive relief; (iii) the TCPA was unconstitutional; and (iv) the complaint failed to adequately allege that the defendant “willfully or knowingly violated the TCPA.”
The court rejected the defendant’s argument that the plaintiff did not receive a “call” as defined by the TCPA, concluding that a ringless voicemail is a call subject to the TCPA restrictions. The court found that the plaintiff had Article III standing because he sufficiently alleged an injury-in-fact and actual harm, including, among other things, invasion of privacy, aggravation, annoyance, and intrusion. The court further found that the plaintiff’s complaint alleged sufficient facts to support the TCPA claim and the allegation that defendant acted willfully or knowingly. The court also rejected defendant’s challenge to the TCPA’s constitutionality. However, the court found the plaintiff could not seek declaratory or injunctive relief because the plaintiff failed to show real and immediate threat of future harm or proffer a basis that would allow the court to infer that the defendant would ever send ringless voicemails again.
On March 11, the U.S. District Court for the Central District of California approved a stipulation for prospective relief, settling a consumer FCRA action against a purported credit reporting agency (defendant) for alleged procedural violations. In 2016, the case went to the U.S. Supreme Court (covered by a Buckley Special Alert), which remanded the case so the 9th Circuit could fully consider whether the plaintiff had standing under Article III of the Constitution. The approved stipulation lasts three years and, among other things, requires the defendant to (i) post a “clear and appropriately-titled” link to its opt-out privacy form; (ii) create a step requiring that its customers affirmatively agree not to use its information to determine eligibility for a FCRA-related purpose; and (iii) state on all of its webpages that it is not a consumer reporting agency. The order also prohibits the defendant from publishing “any numerical estimates or predictions of consumer credit scores” unless its terms and conditions specify that the information may not be used for FCRA purposes.
On March 25, the U.S. Court of Appeals for the 9th Circuit affirmed dismissal of five plaintiffs’ allegations against two credit reporting agencies, concluding the plaintiffs failed to show they suffered or will suffer concrete injury from alleged information inaccuracies. According to the opinion, the court reviewed five related cases of individual plaintiffs who alleged that the credit reporting agencies violated the FCRA and the California Consumer Credit Report Agencies Act (CCRAA), by not properly reflecting their Chapter 13 bankruptcy plans across their affected accounts after they requested that the information be updated. The lower court dismissed the action, holding that the information in their credit reports was not inaccurate under the FCRA. On appeal, the 9th Circuit, citing to U.S. Supreme Court’s 2016 ruling in Spokeo v. Robins (covered by a Buckley Special Alert), concluded that the plaintiffs failed to show how the alleged misstatements in their credit reports would affect any current or future financial transaction, stating “it is not obvious that they would, given that Plaintiffs’ bankruptcies themselves cause them to have lower credit scores with or without the alleged misstatements.” Because the plaintiffs failed to allege a concrete injury, the court affirmed the dismissal for lack of standing, but vacated the lower court’s dismissal with prejudice, noting that the information may indeed have been inaccurate and leaving the door open for the plaintiffs to refile the action.
On March 8, the U.S. Court of Appeals for the 3rd Circuit issued a precedential opinion holding that, without concrete evidence of harm, a consumer lacks standing under the Fair and Accurate Credit Transactions Act (FACTA) to sue a merchant for including too many digits of his credit card account number on a receipt. According to the opinion, the plaintiff claimed that he received receipts from three different stores owned by the defendant, all of which included both the final four digits and the first six digits of his account number. The plaintiff filed a class action lawsuit alleging the defendant willfully violated FACTA, which prohibits printing more than the last five digits of credit card number on a receipt. The plaintiff alleged that this violation, which he also claimed increased the risk of identity theft, constituted an injury-in-fact sufficient to confer Article III standing as required under the U.S. Supreme Court’s 2016 ruling in Spokeo v. Robins (covered by a Buckley Special Alert). The district court dismissed the suit.
On appeal, the 3rd Circuit agreed with the lower court, holding that the plaintiff failed to allege actual harm from the defendant’s practice. The appellate court held that the defendant’s technical violation of FACTA did not give the plaintiff standing to sue. Moreover, in the absence of actual harm, or a material risk of actual harm (the plaintiff did not allege that anyone—aside from the cashier—saw the receipt, that his credit card number had been misappropriated, or that his identity was stolen), the plaintiff would not have suffered the injury-in-fact that created federal court jurisdiction.
On March 5, the U.S. District Court for the Northern District of Illinois denied defendants’ motion to dismiss a class action lawsuit alleging the defendants violated the FDCPA by failing to mention that payment on a settlement offer would restart the statute of limitations on the underlying “legally unenforceable debt.” According to the opinion, the defendants sent the plaintiff a letter outlining three discount program payment options, with a post-script stating that “[d]ue to the age of this debt, we will not sue you for it or report payment or non-payment of it to a credit bureau.” However, the plaintiff claimed that the letter’s failure to disclose that the statute of limitations could be restarted if a payment was made was a concrete information injury sufficient for Article III standing. The court rejected the defendants’ argument that the plaintiff alleged only a bare statutory violation and failed to identify a particularized injury in fact. Instead, the court ruled that even though the plaintiff has a complete defense because the statute of limitations had expired, the alleged injury is clear because the letter “seems to bait the consumer into paying money on a time-barred debt, either by settling for sixty cents on the dollar . . . or by unwittingly renewing the statute of limitations by making a new payment on the debt.”
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Tim Lange to discuss "Ease your pain at the state level: Recommendations for navigating the licensing issues in the states" at the Online Lenders Alliance Compliance University
- Amanda R. Lawrence, Aaron C. Mahler, and Jonice Gray Tucker to discuss "Expanded role for the FTC ahead: Implications for bank and nonbank financial institutions" at an American Bar Association Banking Law Committee Webinar
- Buckley Webcast: Flirting with alternatives — Opportunities and challenges created by alternative data, modeling, and technology
- Daniel P. Stipano to discuss "Reporting requirements for credit unions: CTRs and SARs" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Daniel P. Stipano and Moorari K. Shah to discuss "Vendor management: What is the NCUA looking for?" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Sasha Leonhardt and John B. Williams to discuss "Privacy" at the National Association of Federally-Insured Credit Unions Summer Regulatory Compliance School
- Warren W. Traiger to discuss "CRA modernization" at the National Association of Industrial Bankers and the Utah Association of Financial Services Annual Convention
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Hank Asbill to discuss "Ethical guidance in conducting internal investigations – The intersection of Yates and Upjohn" at the American Bar Association Southeastern White Collar Crime Institute
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Risk management in enforcement actions: Managing risk or micromanaging it" at the American Bar Association Business Law Section Annual Meeting
- Daniel P. Stipano to discuss "Navigating the conflicting federal and state laws for doing business with cannabis companies" at the American Bar Association Business Law Section Annual Meeting
- Tim Lange to discuss "Services and value" at the North American Collection Agency Regulatory Association Annual Conference
- Amanda R. Lawrence to discuss "Data privacy litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Brandy A. Hood to discuss "How to ace your TRID exam" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "HMDA data is out, now what?" at the Mortgage Bankers Association Regulatory Compliance Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Melissa Klimkiewicz to discuss "Navigating FHA rules and regs" at the Mortgage Bankers Association Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "The state’s role in fintech: Providing an industry framework for innovation" at Lend360
- Amanda R. Lawrence to discuss "How to balance a successful (and stressful) career with greater personal well-being" at the American Bar Association Women in Litigation Joint CLE Conference