Breach of Data Retention Policy Doesn’t Create Actionable Injury – Burton v. Time Warner (Catch-up Post)
[Post by Venkat Balasubramani]
Burton v. Time Warner Cable Inc., 12-06764 JGB (AJWx) (C.D. Cal. March 20, 2013)
[Note: this is a catch up post that fell by the wayside, but I thought it was interesting in its recap of the privacy & standing case law.]
TWC maintain[s] personally identifiable information about subscribers for as long as it is necessary for business purposes. This period of time may last as long as you are a subscriber, and if necessary, for additional time so that we can comply with tax, accounting and other legal requirements. When information is no longer needed for these purposes, it is our policy to destroy or anonymize it.
The plaintiff claimed that TWC failed to deliver on this promise, and instead it keeps personal information well after an account is closed. Plaintiff also claimed that the failure to provide notification to customers whose accounts were closed (i.e., that their personal information was retained) violated their privacy rights. Plaintiff brought putative class claims alleging violations of the Cable Communications Policy Act, and under California statutes (the California Customer Records Act – its “shine the light” law). He also asserted an implied contract claim, but voluntarily dismissed it, signaling that he intended to plead a breach of express contract instead.
As to the remaining claims, which were all statutory, Time Warner argued among other things that plaintiff lacked Article III standing. The court agrees and dismisses the lawsuit. (Although the court grants leave to amend, plaintiff filed a notice of voluntary dismissal without prejudice. They may pursue the claims in other ways, but this particular lawsuit is done.)
Time Warner argued broadly that standing cannot be purely created by statute (citing to Edwards v. First American Corp.). It also argued that since the statutes in this case use the word “aggrieved” and “injured,” the statutes require a separate injury in addition to a mere statutory violation. The court disagrees, citing to the Ninth Circuit’s ruling in Jewel v. NSA (an unlawful spying case). The statutes in Jewel contained the same or similar language to the statutes in the case and the court had no trouble finding that “Article III requirement that the injury be ‘concrete’ can exist solely by virtue of statutes creating legal rights.”
Although Time Warner doesn’t win on the concrete harm issue, the court nevertheless finds that plaintiff lacks Article III standing because plaintiff’s injury is not particularized or imminent:
Burton did not suffer economic harm: Burton also argued that his PI is valuable, as is the right to control it. Additionally, he argued that he didn’t get the benefit of the bargain between Time Warner and him as a result of its failings. Citing to Low v. LinkedIn, La Court v. Specific Media, and other cases, the court says that he did not allege that his information was transmitted to others or how Time Warner’s retention of his information affected the value of that information as to him personally. Burton tried to distinguish Specific Media and LinkedIn on the basis that those cases did not involve paid services, but the court says that in this case, there is no allegation that the economic value of the “underlying cable service is” somehow disturbed.
Among others, two categories of privacy lawsuits are regularly tossed on standing grounds: (1) claims for improper retention of personal information (e.g., under the Video Privacy Protection Act: Sterk v. Best Buy), and (2) claims for failure to disclose privacy practices (e.g., under California’s “shine the light” privacy statute: Boorstein v. Men’s Journal). Both of these lawsuits test the limits of standing where there’s no allegation of any information misuse—the claim is solely that the statute requires certain action (purging or disclosure) and defendant did not take this action. Because the claims in this case are in the same genre, the dismissal is not surprising.
The court’s treatment of the Jewel case and whether statutes can create standing is interesting. On the one hand, the court says yes, a mere statutory violation is enough for harm. On other hand, the court still kicks the lawsuit on the basis that the harm is not particularized and actual (or imminent).
Although Time Warner has a good chance of beating lawsuits brought by private litigants (and this is surely helpful precedent for this purpose), any allegation that it used information in a way other than promised to consumers could still leave it open to action from the FTC. Although this was a tough case for the plaintiff, it could be a relatively straightforward deception case for the FTC.
IMDB’s Disclosure of Actress’s Age Will Go To Trial – Hoang v. Amazon
Did California Unintentionally (?) Impose New Statutory Duties on Every Blogger? A Post on the Newly Enacted California Reader Privacy Act
Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records — Sterk v. Redbox
Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information–Sterk v. Redbox
Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu
No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices — Mollett v. Netflix
Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation
Class Action Against Path Over Cellphone Address Book Access Keeps Going
Judge Koh Whittles Down iPhone App Privacy Lawsuit
Data Breach Claim Survives Based on Allegation of Misuse of Personal Information — Burrows v. Purchasing Power
Sony Network Data Breach Class Action Suffers Setback — In re Sony Gaming Network
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds–Whitaker v. Health Net
Reidentification Theory Doesn’t Save Privacy Lawsuit–Steinberg v. CVS Caremark
Men’s Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute — Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails — Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]
[image credit: Shutterstock/Saut Gursozlu “big brother is watching you”]