If our legal rights to data privacy aren’t enforceable, they are just empty promises. One of the best ways to enforce them is to let people sue the companies that violate their data privacy. Unfortunately, the U.S. Supreme Court has been chipping away at private enforcement by rewriting a legal doctrine called “standing,” which determines who has been harmed enough to deserve their day in court.

California’s standing rules are different, and far more protective. But a recent state appeals court decision may change those rules, closing the courthouse doors to victims of corporate violations of data privacy laws. This week, EFF filed an amicus letter with the California Supreme Court, urging it to review that decision and keep those doors open. Our co-amicus is the Electronic Privacy Information Center (EPIC), and we had assistance from Hunter Pyle Law and Feinberg, Jackson, Worthman & Wasow.

The case, called Limon v. Circle K Stores, alleges the company violated the federal Fair Credit Reporting Act (FCRA) by presenting a prospective employee with a confusing request for “consent” to run a background check on them. The plaintiff initially sued the company in federal court, but the case was dismissed under federal standing doctrine. The plaintiff then sued the company in California state court, but the case was dismissed again. Worse, when a California appellate court affirmed this dismissal, it imported restrictive federal standing requirements into California’s law. The plaintiff is asking the California Supreme Court to take another look and fix this dangerous mistake.

EFF has filed many amicus briefs in federal court in favor of broad standing to bring data privacy lawsuits. So has EPIC. A recurring question in federal court is whether the plaintiff’s injury is sufficiently “concrete” to satisfy the U.S. Constitution’s limit of federal litigation to “cases and controversies.” It should be enough to suffer a deprivation of one’s legal right to data privacy, without having to prove more, such as an economic or physical injury. After all, American law has historically recognized causes of action for the loss of control over what other people know about us, including claims against intrusion upon seclusion and publication of private facts.

But in TransUnion v. Ramirez (2021), a five-Justice majority of the U.S. Supreme Court rejected standing for some 6,000 people to sue the credit reporting agency for its violation of FCRA. Specifically, the company supposedly did not cause a concrete injury when it negligently and falsely labelled these innocent people as potential terrorists, and made that dangerous information available to employers and other businesses. This opinion was wrongly decided and should be overruled.

In the meantime, state courts must step up as guardians of data privacy. As explained by the TransUnion dissent, state courts are now “the sole forum” for certain kinds of FCRA and other claims.

As the California Supreme Court recently held: “Unlike the federal Constitution, our state Constitution has no case or controversy requirement imposing independent jurisdictional limitation on our standing doctrine.” Thus, it is enough for a plaintiff to show they have “an actual and substantial interest” in the case’s outcome, to ensure the parties “press their case with vigor.” A person should be able to pass this test when a business violates their legal right to data privacy.

We hope the California Supreme Court will grant review of Limon, reverse the erroneous appellate court ruling, and ensure that Californians can still turn to state court to protect their data privacy.

You can read our amicus letter here.
