Ninth Circuit takes cautious approach to privacy and data security standing


Contributors:
Jim Dempsey
Lecturer, UC Berkeley Law; Managing Director, Cybersecurity Law Center
IAPP
Two recent decisions suggest that the federal Court of Appeals for the Ninth Circuit is taking a slightly more restrictive approach than some other circuits to standing in privacy and data breach cases.
In what will likely be a widely quoted line, the court stated in one of the cases, "there existed no free-roaming privacy right at common law." And the common law is what unlocks the door to the federal courthouse in privacy and data breach cases brought by consumers.
'Discrete torts' define privacy-related harms
The first of the two cases — and the one with that striking line — is Popa v. Microsoft, handed down 26 Aug. It involved an e-commerce website's use of the "session-replay technology" known as "Clarity," which is owned and operated by Microsoft. The plaintiff alleged she encountered the technology when she visited petsuppliesplus.com, where it collected information about her browser, operating system and activities on the site.
She sued under Pennsylvania's Wiretapping and Electronic Surveillance Control Act and also asserted a common law claim for "invasion of privacy — intrusion upon seclusion."
Recall that, to have a case heard in federal court, consumers must have "standing," meaning they must have suffered an "injury in fact," and that injury must be "concrete." To determine what is concrete, the Supreme Court has said, courts must look to history. Specifically, courts must assess whether the alleged injury has a "close relationship" to a harm "traditionally" recognized as providing a basis for a lawsuit in American courts. An exact match to the 18th century is not required. The question, rather, is whether plaintiffs have identified a close historical or common-law analogue for their asserted injury.