Breach of Data Retention Policy Doesn’t Create Actionable Injury – Burton v. Time Warner (Catch-up Post)
[Post by Venkat Balasubramani]
Burton v. Time Warner Cable Inc., 12-06764 JGB (AJWx) (C.D. Cal. March 20, 2013)
[Note: this is a catch up post that fell by the wayside, but I thought it was interesting in its recap of the privacy & standing case law.]
Time Warner Cable’s privacy policy says:
TWC maintain[s] personally identifiable information about subscribers for as long as it is necessary for business purposes. This period of time may last as long as you are a subscriber, and if necessary, for additional time so that we can comply with tax, accounting and other legal requirements. When information is no longer needed for these purposes, it is our policy to destroy or anonymize it.
The plaintiff claimed that TWC failed to deliver on this promise and instead keeps personal information well after an account is closed. Plaintiff also claimed that the failure to notify customers whose accounts were closed (i.e., that their personal information was retained) violated their privacy rights. Plaintiff brought putative class claims alleging violations of the Cable Communications Policy Act and of California statutes (the California Customer Records Act – its “shine the light” law).
As to the remaining claims, which were all statutory, Time Warner argued among other things that plaintiff lacked Article III standing. The court agrees and dismisses the lawsuit. (Although the court grants leave to amend, plaintiff filed a notice of voluntary dismissal without prejudice. They may pursue the claims in other ways, but this particular lawsuit is done.)
Time Warner argued broadly that standing cannot be purely created by statute (citing to Edwards v. First American Corp.). It also argued that since the statutes in this case use the word “aggrieved” and “injured,” the statutes require a separate injury in addition to a mere statutory violation. The court disagrees, citing to the Ninth Circuit’s ruling in Jewel v. NSA (an unlawful spying case). The statutes in Jewel contained the same or similar language to the statutes in the case and the court had no trouble finding that “Article III requirement that the injury be ‘concrete’ can exist solely by virtue of statutes creating legal rights.”
Although Time Warner doesn’t win on the concrete harm issue, the court nevertheless finds that plaintiff lacks Article III standing because plaintiff’s injury is not particularized or imminent:
No injury from inability to control personal information: plaintiff argued that Time Warner’s actions deprived him of the ability to make an informed decision regarding his personal information. The court says this is highly attenuated. Citing to Boorstein v. Men’s Journal, the court says that his arguments over lack of notice don’t work because he never requested a privacy policy from Time Warner and its failure to provide information was just a “procedural injury,” rather than informational injury that is actionable.
Burton did not suffer economic harm: Burton also argued that his PI is valuable, as is the right to control it. Additionally, he argued that he didn’t get the benefit of the bargain between Time Warner and him as a result of its failings. Citing to Low v. LinkedIn, La Court v. Specific Media, and other cases, the court says that he did not allege that his information was transmitted to others or how Time Warner’s retention of his information affected the value of that information as to him personally. Burton tried to distinguish Specific Media and LinkedIn on the basis that those cases did not involve paid services, but the court says that in this case, there is no allegation that the economic value of the “underlying cable service is” somehow disturbed.
__
Among others, two categories of privacy lawsuits are regularly tossed on standing grounds: (1) claims for improper retention of personal information (e.g., under the Video Privacy Protection Act: Sterk v. Best Buy), and (2) claims for failure to disclose privacy practices (e.g., under California’s “shine the light” privacy statute: Boorstein v. Men’s Journal). Both of these lawsuits test the limits of standing where there’s no allegation of any information misuse—the claim is solely that the statute requires certain action (purging or disclosure) and defendant did not take this action. Because the claims in this case are in the same genre, the dismissal is not surprising.
The court’s treatment of the Jewel case and whether statutes can create standing is interesting. On the one hand, the court says yes, a mere statutory violation is enough for harm. On the other hand, the court still kicks the lawsuit on the basis that the harm is not particularized and actual (or imminent).
Although Time Warner has a good chance of beating lawsuits brought by private litigants (and this is surely helpful precedent for this purpose), any allegation that it used information in a way other than promised to consumers could still leave it open to action from the FTC. Although this was a tough case for the plaintiff, it could be a relatively straightforward deception case for the FTC.