This post was written by Paul Bond and Lisa B. Kim.
A Michigan federal judge has held that plaintiffs could proceed in federal court on their claims under the Video Rental Privacy Act (VRPA), a state law akin to the federal Video Privacy Protection Act (VPPA). The ruling came in three similar putative class actions that alleged Bauer Publishing Co., Hearst Communications, Inc, and Time, Inc., respectively, sold their customers’ personal information without permission. (The three cases were assigned to the same judge for their similar allegations.)
To have jurisdiction over a case, a federal court must find that the plaintiffs satisfy Article III of the United States Constitution, including by alleging that they have suffered an injury-in-fact. Many privacy class actions falter because plaintiffs allege only a technical violation, but cannot point to any actual or imminent impact that this supposed violation had, or will have, on their lives. The plaintiffs’ bar has therefore tried to find federal and state privacy laws, with associated statutory or liquidated damage hooks, in an attempt to avoid dismissal for lack of harm.
In these cases, plaintiffs brought suit under the VRPA. Michigan’s VRPA provides that a person “engaged in the business of selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings shall not disclose to any person, other than the customer, a record or information concerning the purchase, lease, rental, or borrowing of those materials by a customer that indicates the identity of the customer,” with certain exceptions. The statute also provides that “a person who violates this act shall be liable in a civil action for damages to the customer identified” for “[a]ctual damages, including damages for emotional distress, or $5,000.00, whichever is greater” (emphasis added) and costs and reasonable attorneys’ fees. Because of the provision for $5,000 per person in statutory damages, the VRPA threatens businesses with the prospect of catastrophic class damages.
Defendants moved to dismiss these cases. In part, the defendants argued that the plaintiffs had alleged no injury-in-fact, and thus, the court had no jurisdiction. The court rejected that argument. Analyzing the language of the VRPA, Judge George Steeh reasoned that the VRPA did not contain any language that would require the claimant to have suffered any actual injury apart from the violation of the statute. To the contrary, the statute expressly provided for statutory damages and actual damages as alternative remedies. Contrasting Michigan’s law with its federal counterpart, the court noted that “Unlike the VPPA, a close reading of the VRPA reveals that it contains absolutely no language to require that a claimant suffer any actual injury apart from a violation of the statute[.]” In doing so, Judge Steeh followed the reasoning of the Northern District of California, who addressed this same issue of Article III standing in connection with Michigan’s VRPA in Deacon v. Pandora Media, Inc. (901 F.Supp.2d 1166 (N.D. Cal. 2012).
While the VRPA is similar to the VPPA, and was in fact enacted right after the VPPA, this holding is not likely to extend to the VPPA. In his ruling, Judge Steeh specifically noted differences between the language of the VRPA and the VPPA as to this issue of standing, and also referenced how the Northern District of Illinois found that the VPPA required that a plaintiff actually be “aggrieved,” i.e., suffered an Article III injury-in-fact (See Sterk v. Best Buy Stores, L.P., 2012 WL 5197901 (N.D. Ill.)). That being said, holdings like this are surely being watched by legislatures who are introducing new privacy bills that explicitly include language that violations of the law would constitute an injury. See e.g.
You can read Judge Steeh’s 17 page ruling here.