Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On August 28, the U.S. Court of Appeals for the 11th Circuit held that receiving one unsolicited text message is not enough of a concrete injury to establish standing under the TCPA. According to the opinion, a former client of an attorney received an unsolicited “multimedia text message” from the attorney offering a ten percent discount on services. The client filed a putative class action, alleging the attorney violated the TCPA arguing the text message caused him “‘to waste his time answering or otherwise addressing the message’” leaving his cell phone “‘unavailable for otherwise legitimate pursuits’” and resulted in “‘an invasion of  privacy and right to enjoy the full utility’” of his cell phone. The attorney moved to dismiss the complaint for lack of standing and the district court denied the motion. However, the court allowed the attorney to pursue an interlocutory appeal.
On appeal, the 11th Circuit looked to the Supreme Court decision in Spokeo, Inc. v. Robins— which held that a plaintiff must allege a concrete injury, not just a statutory violation, to establish standing—as well as the legislative history of the TCPA and determined there was “little support” for treating the client’s allegations as a concrete injury. Specifically, the panel noted that the allegations of “a brief, inconsequential annoyance are categorically distinct from those kinds of real but intangible harms” Congress set out to protect. Moreover, the “chirp, buzz, or blink of a cell phone” is annoying, but not a basis for invoking federal court jurisdiction. The panel also acknowledged that Congress, not a federal court, is “well positioned” to assess the new harms of technology. Because the client failed to allege a concrete harm by receiving the unsolicited text message, the panel reversed the district court decision.
On August 8, the U.S. Court of Appeals for the 9th Circuit affirmed a district court order certifying a class action suit that alleged a social media company’s face-scanning practices violated the Illinois Biometric Information Privacy Act (BIPA). The court found that the plaintiffs alleged a sufficiently concrete injury necessary to establish Article III standing as defined in the U.S. Supreme court’s decision in Spokeo, Inc. v. Robins. The plaintiffs contended that the defendant’s use of the facial-recognition technology did not comply with Illinois law designed to regulate “the collection, use, safeguarding and storage of biometrics”—which, under BIPA, includes the scanning of face geometry. The district court denied the defendant’s motion to dismiss for lack of standing and certified the class. The defendant appealed, arguing, among other things, that even if the plaintiffs have standing to sue, (i) BIPA is not intended to be applied extraterritorially; (ii) the collection of biometric data occurred on servers located outside of Illinois; and (iii) it is unclear that the alleged privacy violations “occurred ‘primarily and substantially within’” within the state. Additionally, the defendant argued that the district court abused its discretion by certifying the class because the state’s “extraterritoriality doctrine precludes the district court from finding predominance,” and that a class action was not superior to individual actions due to the potential for a large statutory damages award.
On appeal, the 9th Circuit held that the plaintiffs’ claims met the standing requirement of Spokeo because the defendant’s alleged development of a face template that uses facial-recognition technology without users’ consent constituted an invasion of an individual’s private affairs and concrete interests. “Because we conclude that BIPA protects the plaintiffs’ concrete privacy interests and violations of the procedures in BIPA actually harm or pose a material risk of harm to those privacy interests, the plaintiffs have alleged a concrete and particularized harm, sufficient to confer Article III standing,” the appellate court stated. The 9th Circuit also dismissed the defendant’s extraterritoriality argument, stating that predominance is not defeated because the threshold questions of exactly which consumers BIPA applies to can be decided on a classwide basis.
On July 2, the U.S. Court of Appeals for the D.C. Circuit reversed a district court’s ruling that a consumer lacked Article III standing to allege a violation of the Fair and Accurate Credit Transaction Act (FACTA) when a merchant included all 16 digits of her credit card account number, her full name, and the expiration date on a receipt, because the receipt was not thrown away. Under FACTA, merchants are prohibited from including on a receipt (i) more than the last five digits of a consumer’s credit card number; and (ii) a credit card’s expiration date. The consumer alleged that the merchant violated the restriction, but the district court ruled that the consumer lacked standing to sue because she failed to describe a concrete risk of “actual or imminent” injury to a protected interest as defined in the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins. According to the district court, because the consumer did not dispose of the receipt, and was the only person who ever saw the receipt, her risk of identity theft had not increased. Moreover, the district court stated that the burden of protecting the non-compliant receipt did not constitute a concrete injury.
On appeal, the D.C. Circuit reversed, holding that printing a receipt containing all 16 digits of a consumer’s credit card number is an “egregious” enough violation of FACTA to confer standing. According to the panel, the harm inflicted on the consumer by the merchant’s mishandling of her receipt had a “close relationship” to the type of harm that gives rise to a “breach of confidence” claim. Moreover, the panel stated that it was irrelevant that the consumer had been able to protect herself by safeguarding the receipt because: (i) FACTA protects an interest in avoiding an increased risk of identity theft, which the panel considered to be sufficiently concrete; and (ii) under the facts presented, the violation of the truncation requirement created a “risk of real harm” to such concrete interest. The D.C. Circuit remanded the case for further proceedings consistent with its findings. Notwithstanding, the panel was clear that not every violation of FACTA’s truncation requirement creates a risk of identity theft.
Notably, while the D.C. Circuit’s decision is in agreement with an 11th Circuit opinion issued in April (prior InfoBytes coverage here), it conflicts with other appellate decisions, including an opinion issued by the 3rd Circuit in March (covered by InfoBytes here), wherein the 3rd Circuit held that, without concrete evidence of harm, a consumer lacks standing under FACTA to sue a merchant for including too many digits of a credit card account number on a receipt. The D.C. Circuit noted, however, that the 3rd Circuit “recognized its analysis would be different if it were presented with the facts [the consumer] presents to us.”
On June 5, the U.S. Court of Appeals for the 9th Circuit affirmed a lower court’s decision to decertify a class of callers claiming their cellphone calls were unlawfully recorded, holding that the class representative lacked standing as to its individual claim. According to the opinion, customers of a concrete supplier alleged that calls placed to a phone system that the company began using in 2009 failed to inform callers that their cellphone calls were being recorded. In 2013, the company changed the recording to state that the calls maybe be “monitored or recorded.” The class representative sought to certify a class of all persons whose calls were recorded between the time that the company started using the call recording system in 2009 to when it updated the recording. The district court initially denied certification under the Federal Rule of Civil Procedure Rule 23’s predominance requirement, and later—after certifying the class based on evidence presented concerning the timing of certain recorded calls—decertified the class for failing to satisfy the “commonality” and “predominance” requirements once the concrete supplier identified nine customers who claimed they had actual knowledge of the recording practice during the class period. In addition, the court concluded that the class representative lacked standing to seek damages on its individual claim or injunctive relief because it lacked standing under the 2016 Supreme Court opinion Spokeo, Inc. v. Robins, which required that it show a concrete or particularized injury as a result of the concrete supplier's alleged violation.
On appeal, the 9th Circuit rejected the class’s argument that it “has standing to appeal the decertification order notwithstanding the adverse judgment against it on the merits” due to the following two exceptions to the mootness doctrine that may permit a class representative to appeal decertification even if its individual claims have been mooted: (i) the class representative “retains a ‘personal stake’ in class certification”; or (ii) “the claim on the merits is ‘capable of repetition, yet evading review,’” even though the class representative has lost “his personal stake in the outcome of the litigation.” The appellate court concluded that “neither of these mootness principles can remedy or excuse a lack of standing as to the representative's individual claims.”
Splitting from the 6th Circuit, 7th Circuit holds mere procedural violation of FDCPA not sufficient harm for standing
On June 4, the U.S. Court of Appeals for the 7th Circuit held that the receipt of an incomplete debt collection letter is not a sufficient harm to satisfy Article III standing requirements to bring a FDCPA claim against a debt collector. According to the opinion, a consumer received a collection letter which described the process for verifying a debt but did not specify that she had to communicate with the collector in writing to trigger the protections under the FDCPA. The consumer filed a class action against the debt collector alleging the omission “‘constitute[d] a material/concrete breach of her rights’” under the FDCPA. In the complaint, the consumer did “not allege that she tried—or even planned to try—to dispute the debt or verify that [the stated creditor] was actually her creditor.” The district court dismissed the action, concluding that the consumer had not alleged that the FDCPA violation “caused her harm or put her at an appreciable risk of harm” and therefore, the consumer lacked standing to sue.
On appeal, the 7th Circuit affirmed the district court’s decision, concluding that because the consumer did not allege that she tried to dispute or verify the debt orally, leaving her statutory protections at risk, she suffered no harm to her statutory rights under the FDCPA. The appellate court emphasized that “procedural injuries under consumer‐protection statutes are insufficiently concrete to confer standing.” The court acknowledged that its opinion creates a conflict with a July 2018 decision by the U.S. Court of Appeals for the 6th Circuit, which held that consumers had standing to sue a debt collector whose letters allegedly failed to instruct them that the FDCPA makes certain debt verification information available only if the debt is disputed “in writing.” (Covered by InfoBytes here.) The appellate court also agreed with the district court’s decision to deny the consumer’s request for leave to file an amended complaint, noting that she did not indicate what facts she would allege to cure the jurisdictional defect.
On April 30, the U.S. Court of Appeals for the 2nd Circuit held that the receipt of unsolicited text messages, absent any additional injury, is sufficient to demonstrate injury-in-fact in a TCPA class action. According to the opinion, consumers filed a class action lawsuit against a retail store for sending unsolicited text messages in violation of the TCPA. The district court approved a settlement between the parties and certified the class despite various objections, including one from a third-party defendant who argued the consumers lacked standing under the 2016 Supreme Court opinion Spokeo, Inc. v. Robins, because “they alleged only a bare statutory violation and statutory damages cannot substitute for concrete harm.”
On appeal, the appellate court first rejected the third-party defendant’s standing to appeal the district court’s decision because it had not been “‘formally strip[ped]’ of any claim or defense, it lacks standing to pursue its appeal” in the underlying class action. Notwithstanding the lack of standing by the third-party defendant, the appellate court then went on to address the jurisdictional standing issues raised against the consumers. The court reasoned that, even though the third party that raised the jurisdictional question had been dismissed, the court had an “independent obligation to satisfy [itself] of the jurisdiction” of the appellate and district court. The appellate court concluded that the consumers sufficiently alleged “nuisance and privacy invasion” by the unsolicited text messages, which “are the very harms with which Congress was concerned when enacting the TCPA.” Because the harms identified are “of the same character as harms remediable by traditional causes of action,” the appellate court held the consumers sufficiently demonstrated injury-in-fact as required by Article III.
On April 22, the U.S. Court of Appeals for the 11th Circuit affirmed a district court’s ruling that including too many digits of a consumer’s credit card account number on a receipt was sufficient to constitute a concrete injury even if the consumer’s identity was not stolen. Under the Fair and Accurate Credit Transactions Act (FACTA), merchants are prohibited from including more than the final five digits of a consumer’s credit card number on a receipt. According to the opinion, the consumer filed a class action suit against a chocolate company, alleging that one of its stores printed the first six and last four digits of his account number on a receipt, which exposed the class members “to an elevated risk of identity theft.” When the parties sought approval of a proposed settlement, two unnamed class members contested the settlement on the grounds that, among other things, the consumer/class representative lacked standing to sue because he had not suffered a concrete injury as defined in the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins. The district court, however, approved the settlement.
On appeal, the 11th Circuit held that an increased risk of identity theft is sufficient to bring claims under FACTA, and that the class representative’s “alleged injury is ‘particularized’ because the heightened risk of identity theft affected him ‘in a personal and individual way’—it was his credit card number that appeared on the receipt.” Moreover, the appellate court noted, “In our view, if Congress adopts procedures designed to minimize the risk of harm to a concrete interest, then a violation of that procedure that causes even a marginal increase in the risk of harm to the interest is sufficient to constitute a concrete injury.”
On March 25, the U.S. District Court for the Southern District of Florida granted in part and denied in a part a motion to dismiss a putative class action alleging that an auto dealer violated the TCPA by using a “ringless” voicemail platform to leave pre-recorded telemarketing voicemails on consumers’ cell phones without obtaining prior express consent. The defendant moved to dismiss the putative class claims arguing that (i) the plaintiff lacked standing and failed to state a claim because he did not receive a “call” within the meaning of the TCPA; (ii) the plaintiff lacked standing to seek declaratory or injunctive relief; (iii) the TCPA was unconstitutional; and (iv) the complaint failed to adequately allege that the defendant “willfully or knowingly violated the TCPA.”
The court rejected the defendant’s argument that the plaintiff did not receive a “call” as defined by the TCPA, concluding that a ringless voicemail is a call subject to the TCPA restrictions. The court found that the plaintiff had Article III standing because he sufficiently alleged an injury-in-fact and actual harm, including, among other things, invasion of privacy, aggravation, annoyance, and intrusion. The court further found that the plaintiff’s complaint alleged sufficient facts to support the TCPA claim and the allegation that defendant acted willfully or knowingly. The court also rejected defendant’s challenge to the TCPA’s constitutionality. However, the court found the plaintiff could not seek declaratory or injunctive relief because the plaintiff failed to show real and immediate threat of future harm or proffer a basis that would allow the court to infer that the defendant would ever send ringless voicemails again.
On March 11, the U.S. District Court for the Central District of California approved a stipulation for prospective relief, settling a consumer FCRA action against a purported credit reporting agency (defendant) for alleged procedural violations. In 2016, the case went to the U.S. Supreme Court (covered by a Buckley Special Alert), which remanded the case so the 9th Circuit could fully consider whether the plaintiff had standing under Article III of the Constitution. The approved stipulation lasts three years and, among other things, requires the defendant to (i) post a “clear and appropriately-titled” link to its opt-out privacy form; (ii) create a step requiring that its customers affirmatively agree not to use its information to determine eligibility for a FCRA-related purpose; and (iii) state on all of its webpages that it is not a consumer reporting agency. The order also prohibits the defendant from publishing “any numerical estimates or predictions of consumer credit scores” unless its terms and conditions specify that the information may not be used for FCRA purposes.
On March 25, the U.S. Court of Appeals for the 9th Circuit affirmed dismissal of five plaintiffs’ allegations against two credit reporting agencies, concluding the plaintiffs failed to show they suffered or will suffer concrete injury from alleged information inaccuracies. According to the opinion, the court reviewed five related cases of individual plaintiffs who alleged that the credit reporting agencies violated the FCRA and the California Consumer Credit Report Agencies Act (CCRAA), by not properly reflecting their Chapter 13 bankruptcy plans across their affected accounts after they requested that the information be updated. The lower court dismissed the action, holding that the information in their credit reports was not inaccurate under the FCRA. On appeal, the 9th Circuit, citing to U.S. Supreme Court’s 2016 ruling in Spokeo v. Robins (covered by a Buckley Special Alert), concluded that the plaintiffs failed to show how the alleged misstatements in their credit reports would affect any current or future financial transaction, stating “it is not obvious that they would, given that Plaintiffs’ bankruptcies themselves cause them to have lower credit scores with or without the alleged misstatements.” Because the plaintiffs failed to allege a concrete injury, the court affirmed the dismissal for lack of standing, but vacated the lower court’s dismissal with prejudice, noting that the information may indeed have been inaccurate and leaving the door open for the plaintiffs to refile the action.
- Kathryn L. Ryan to discuss "Industry open forum session on NMLS usage" at the NMLS Annual Conference & Training
- Tim Lange to discuss "State legislative update - MSBs and consumer finance" at the NMLS Annual Conference & Training
- Kathryn L. Ryan to discuss "Regulating innovative consumer lending products" at the NMLS Annual Conference & Training
- Daniel P. Stipano to moderate "Washington update" at the Puerto Rican Symposium of Anti Money Laundering
- Melissa Klimkiewicz to discuss "Private flood insurance updates" at the Mortgage Bankers Association Servicing Solutions Conference & Expo
- Jonice Gray Tucker and H Joshua Kotin to discuss regulatory compliance issues in the fintech industry at Protiviti's Risk & Compliance Innovation Roundtable
- APPROVED Checkpoint Webcast: CFL overview
- Amanda R. Lawrence and Sherry-Maria Safchuk to discuss "California privacy rule" on an NAFCU webinar
- Sasha Leonhardt to discuss "MLA & SCRA" on a NAFCU webinar
- Daniel P. Stipano to discuss "Pathway of the SARs: Tracking trajectories of suspicious activity reports from alerts to prosecution" at the ACAMS International AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Which bud’s for you? A deep-dive into evolving marijuana laws" at the ACAMS International AML & Financial Crime Conference
- John P. Kromer to discuss "Navigating the multi-state fintech regulatory regime" at the American Conference Institute Legal, Regulatory and Compliance Forum on Fintech & Emerging Payment Systems