News, Developments, and Insights

high-tech technology background with eyes on computer display


When is a person harmed by a privacy violation?

The U.S. Supreme Court just handed down a decision in an important case, Spokeo Inc. v. Robins.  

Spokeo Logo

Plaintiff Thomas Robins sued Spokeo under the Fair Credit Reporting Act (FCRA) because Spokeo had inaccurate information about him in its profile.  Spokeo’s profiles are used by potential employers and others to search for data about people.  FCRA requires that information in profiles for these purposes be accurate, and it allows people to sue if information is not.


What is Spokeo

Spokeo argued that notwithstanding the fact that Congress permitted people to sue under FCRA for violations of the statute, Robins lacked standing to sue.  To have standing in federal court, there must be an “injury in fact,” which is “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992).  The U.S. Court of Appeals for the 9th Circuit held for Robins.  Because Congress allowed people to sue for violations of FCRA, this was sufficient to create standing.

The Supreme Court Steps in and Creates Confusion

Supreme Court

The U.S. Supreme Court sided with Spokeo . . . sort of.  In a rather murky and inconsistent decision, Justice Alito, writing for the Court, delivered what reads like a lecture to the 9th Circuit, attempting to school them on how standing works.  The only problem is that the decision begs nearly all the important questions, states inconsistent rules, and fails to provide any test or clear guidance.  (Other than these flaws, I think it’s a good opinion. 🙂

So let’s see what the Court teaches us in its mega lecture on standing.  The text in quotes is from the Spokeo opinion:

  1. An injury must be “concrete.”  A “concrete” injury “must actually exist” and must be “real and not abstract.”
  2. “[W]e have confirmed in many of our previous cases that intangible injuries can nevertheless be concrete.”
  3. “In determining whether an intangible harm constitutes injury in fact, both history and the judgment of Congress play important roles.”
  4. “[W]e said in Lujan that Congress may “elevat[e] to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law.”

All of the above is really about who gets to define what a “concrete injury” is. The Court’s answer is that both the Judicial and Legislative Branches can define what gets recognized as a concrete injury.  And both have recognized not just tangible harms as concrete but also intangible harms.

The U.S. Supreme Court recognizes that Congress can define what a “concrete injury” is and that Congress is not limited to the types of injuries the courts define as concrete.  Thus, Congress can deem even injuries “previously inadequate in law” to be concrete injuries sufficient to confer standing.  Congress can thus independently define “concrete injury” in a way that enlarges the concept and brings cases to the courts that courts ordinarily wouldn’t hear because of more narrow judicial definitions of “concrete injury.”

Supreme Court 2

So far, it sounds like this will be a win for Robins . . .

But no.  Not so fast.  The Court states that “Congress’ role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right. Article III standing requires a concrete injury even in the context of a statutory violation. For that reason, Robins could not, for example, allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.”

So Congress has the power to deem intangible harms to be “concrete injuries” except when it can’t.  A “bare procedural violation” of a statute doesn’t seem to be enough.  There must also be concrete injury.

But in FCRA, Congress plainly created a provision to allow people to sue for violations of the FCRA.  So by the plain language of the statute — something many of the Supreme Court justices strongly defer to — Congress seemingly declared that there was a concrete injury whenever any requirement of the statute was violated.  That’s why Congress wrote in the statute plaintiffs could sue when there is a failure to comply with “any requirement” of FCRA. See FCRA, 15 U.S.C. § 1681n (willful violations), and 15 U.S.C. § 1681o (negligent violations).  If Congress had thought that the violation of only some FCRA requirements were concrete injuries, then it would probably have written the law to say that.

But the Court held either that Congress didn’t mean what it said or that Congress’s power to define concrete injuries is limited in some way.

Of course, the Court doesn’t have the temerity to say this.  The Court doesn’t want to seem like it is either rewriting Congress’s laws or curtailing Congress’s power.  So the Court does a very awkward dance around these logical implications of its holding.

Real Risk of Harm and Violations of Procedural Rights

The Court goes on to say some more things about standing:

  1. A “real risk of harm” can “satisfy the requirement of concreteness.” “[T]he law has long permitted recovery by certain tort victims even if their harms may be difficult to prove or measure.”
  2. “[T]he violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact. In other words, a plaintiff in such a case need not allege any additional harm beyond the one Congress has identified.”

Okay, I’m getting a bit confused here.  So a mere violation of a procedural right can be sufficient for concrete injury “without any additional harm.”  But the Court said just a few paragraphs earlier that a “bare procedural violation, divorced from any concrete harm” cannot constitute concrete harm.  Thus we need to distinguish between when a violation of a procedural right is a concrete injury and when it isn’t.

One way to distinguish it is to defer to what Congress has written in its statute. The Court stated earlier that Congress has the power to elevate harms that are ordinarily insufficient to be concrete injuries and deem them as such.

But no . . .  In FCRA, Congress created a cause of action whenever any requirement of FCRA was violated.  So Congress has expressly allowed people to sue for violations of FCRA requirements, but when they get to court, they might be turned away because only some violations of FCRA requirements are viable despite what Congress said.  Essentially, Congress gave people a right to sue but sometimes there might be no place to hear the suit.  A tip of the hat Franz Kafka . . .

Franz Kafka

It thus appears that the Court is now setting some limits on how far Congress can go in defining concrete harm.  Congress can’t just elevate any violation of any statutory requirement and make it a concrete harm.   Sometimes a mere procedural violation of a statute can be a concrete injury, and sometimes not.  How do we distinguish between the two?

A Test for What Harms Congress May Deem to be “Concrete Injuries”?

Surely, there will be a test that follows to guide us.  But no . . . This opinion is like an M.C. Escher painting.  It keeps on begging questions and sending the reader around and around in impossible loops.


The Court then says: “On the one hand, Congress plainly sought to curb the dissemination of false information by adopting procedures designed to decrease that risk. On the other hand, Robins cannot satisfy the demands of Article III by alleging a bare procedural violation.”

What is a “bare procedural violation” that is not harmful versus the “violation of a procedural right” that doesn’t need additional harm?

The Court goes on to say: “A violation of one of the FCRA’s procedural requirements may result in no harm. For example, even if a consumer reporting agency fails to provide the required notice to a user of the agency’s consumer information, that information regardless may be entirely accurate.”

The Court appears to be viewing the only harm FCRA is seeking to prevent as “inaccuracy” but that’s clearly not the only purpose of FCRA.  FCRA provides for all sorts of requirements beyond accuracy.  And if inaccuracy were the only thing Congress deemed harmful, wouldn’t it have limited the liability provisions to only FCRA violations that involved inaccuracy?  Maybe Congress was just dumb and didn’t understand its own law.  Or maybe Congress meant what it said by creating liability for violating any requirement because it deemed all requirements of the law as ones designed to protect consumers from harm.

In FCRA’s preamble, 15 U.S.C. § 1681, Congress issued its findings under a heading called “accuracy and fairness of credit reporting” (emphasis added).   What happened to “fairness”?  Congress also declared that the purpose of FCRA is “to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this subchapter.”  What happened to “fair and equitable”?  To “confidentiality”?  To “relevancy”?

Spokeo’s complaints were actually about accuracy, ironically. But the Court then supplies an example where inaccuracies might not cause harm: “In addition, not all inaccuracies cause harm or present any material risk of harm. An example that comes readily to mind is an incorrect zip code. It is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm.”

So do we get a test for when Congress is allowed to deem a violation of a statute a concrete injury and when Congress has gone too far?  No.  We just get these two examples.

The Boundaries of the Court’s Imagination

Maybe we can infer a test from these examples. The only discernible test appears to be the boundaries of the Court’s imagination.


Congress might have imagined that an incorrect zip code in a credit report is a concrete injury.  Perhaps because a lot can be inferred about a person based on where they live.  I bet you can probably make some guesses about a person’s wealth if her zip code is 90210.  Other zip codes might lead to demographic generalizations about race, religion, or ethnicity.  Marketing companies have found it useful to segment by zip code based on generalizations about people who live in certain areas.  Maybe you’re trying to get a job where you need to be on call and living nearby, but the wrong zip code puts you very far away.  Or maybe you said you lived at a particular address but your zip code doesn’t match the one in your profile due to an error, and you might be viewed as lying.

I don’t know what Congress imagined specifically about the zip code, but it is clear from the statute that Congress thought that all FCRA’s requirements were important and not trivial and were designed to protect people from harm.  Congress doesn’t just create liability willy-nilly.

So being “difficult to imagine” apparently is the test. And that’s the end of the opinion.  The Court remands to the 9th Circuit to “examine whether the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement. We take no position as to whether the Ninth Circuit’s ultimate conclusion—that Robins adequately alleged an injury in fact—was correct.”

This opinion is akin to a professor pontificating a rather ambiguous and inscrutable theory that could mean virtually anything, then telling the students to go off and apply it.

What is the 9th Circuit to do?  It must figure out whether Robins suffered concrete injury.  Congress said he did based upon the plain language in the statute.  And Congress can define what concrete injuries mean.  But should the 9th Circuit look to Congress?  Yes, the Court says.  But no, the Court says.  Accept Congress’s definition except when you really don’t want to, when you just can’t imagine what Congress has imagined.  Basically, with the guidance of the Supreme Court, the 9th Circuit can do anything it wants, because the arrows are pointing in all sorts of directions.

This should have been a simple case.  Congress can define what a concrete injury is.  In FCRA, Congress deemed the violation of any provision of FCRA to be a concrete injury.  The end!

When Congress deems something to be a concrete injury, courts should respect the will of Congress.  The entire reason for the concrete injury requirement is a separation-of-powers of protection of Congress against encroachment by the courts.  But the Spokeon decision usurps Congress’s power, curtailing its ability to define concrete injury.

So now, for concrete injuries, maybe we’ll know them when we see them.  Or, to be more precise, we’ll know them when the courts can imagine them.

I need to stop thinking about Spokeo.  It’s straining my imagination, and now I have a concrete injury — a headache.

* * *

If you’re interested in more about the nature of privacy harms and information security harms, I wrote a series of posts about the issue:

  1. Privacy and Data Security Violations: What’s the Harm?
  2. Why the Law Often Doesn’t Recognize Privacy and Data Security Harms
  3. Do Privacy Violations and Data Breaches Cause Harm?
  4. How Should the Law Handle Privacy and Data Security Harms?

I also have a forthcoming article about privacy harms that I’m co-authoring with Professor Danielle Citron.

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics.  This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 950,000 followers.

Privacy+Security ForumProfessor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security. 

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
 LinkedIn Influencer blog

TeachPrivacy privacy security training 08