Emerging Trends in Privacy and Data Security Litigation

Date: Sep 10, 2012

Plaintiffs' lawyers and privacy advocates are spurring rapid growth in the area of "privacy" litigation. Plaintiffs' lawyers apparently see privacy litigation as a new source of revenue, while privacy advocates see it as a way of answering the need for perceived privacy protections. Whether brought for financial gain or policy reasons, such litigation represents a drain on company resources and the possibility of significant financial loss. Therefore, companies need to be aware of the emerging trends in this area, especially since privacy concerns and security lapses are becoming one of the fastest-growing sources of litigation in the U.S.

Privacy litigation has arisen in two primary ways: (1) as the result of a data breach arising from the unauthorized disclosure of personal information found in an organization's records, or (2) from the alleged invasion of an individual's privacy as the result of the collection, use, and disclosure of personal information by companies with whom the affected individual has had contact. Data breaches can take many forms, including unintended disclosure, theft by employees or contractors, physical loss of the information, and theft by hacking. Alleged invasions of privacy can also arise in a variety of contexts, such as circumventing users' privacy settings, collecting users' personal information through mobile applications ("apps"), flash cookies, or social networking sites without permission, or using personal information or internet browsing history to provide online behavioral advertising ("OBA").

Issues common to all privacy litigation include whether plaintiffs can establish injury to themselves and, if so, whether they can also establish damages. These are factors in all civil litigation matters with which Keller and Heckman lawyers are very familiar. Plaintiffs have generally had problems establishing these issues. Yet, this has not stopped plaintiffs' attorneys and privacy advocates from continuing to file suit.

This paper provides an overview of the current legal landscape in privacy and data security litigation and discusses emerging trends in this area. Although these current trends are discussed herein, the law can, and may, change either through judicial intervention or legislative or regulatory action.

I. Overview of Emerging Trends in Data Security and Privacy Lawsuits

The world of information technology has vastly expanded in just the past few decades. Consumers can go online to shop, pay bills, check financial records, view medical records, or store information in the "cloud," all with just the "click" of a button. Consumers trust their personal information to many types of businesses and expect companies to safeguard their information during collection, retention, and disposal.

The number of data breaches, however, seems to be ever increasing. The Privacy Rights Clearinghouse estimates that for the first eight months of 2012 alone, there have been a total of 494 breaches publicly identified, involving more than 19 million records.[1] This is compared to a total of 592 breaches publicly identified in 2011, which involved more than 31 million records, reports that may not represent the full universe of breaches. Negligent employees and malicious attacks are most often the cause of a breach,[2] and hackers nowadays are becoming more sophisticated. Not only are hackers obtaining personal information, such as names, user logins, passwords, and Social Security, debit or credit card information, but some hackers are posting this information on Internet websites for others to see.

Major data breaches in 2012 involving companies like Global Payments, Inc., LinkedIn Corporation, Yahoo! Inc., and Zappos, have triggered multi-million dollar, class action lawsuits alleging a failure to safeguard personal information and/or a delay in the notification of a breach. The Global Payments data breach alone compromised an estimated 1.5 million credit card numbers, and resulted in a proposed class action lawsuit against the company, alleging that it did not adequately safeguard its computer systems, allowing hackers to steal cardholders' personal and financial information.[3] Global Payments has estimated that the breach alone will cost the company more than $120 million, not factoring in the cost of litigation.[4] The bulk of the costs involve fines from credit card companies.

Claims arising from data breaches have included common law actions of breach of contract, negligence, breach of fiduciary duty, breach of implied covenant of good faith and fair dealing, invasion of privacy, and fraud, as well as statutory claims under state consumer protection acts, state unfair trade practices acts, and state data breach notification laws. In many data breach lawsuits, plaintiffs are seeking relief for alleged harms, such as actual financial loss as a result of identity theft, emotional distress, costs of credit monitoring, or anticipated future losses.

The growth of the Internet and social media, and expansion onto mobile platforms, has also sparked increased concerns over consumer privacy as technology drives more information sharing between companies. Virtually all companies in diverse lines of business are now collecting information about consumers, including, at times, personal information, through a variety of avenues and for a number of different reasons. As a result, it is vitally important for all businesses to understand what privacy concerns are being raised by consumers through litigation.

Consumer "privacy" class action lawsuits have typically arisen in the context of targeted advertising or OBA, social networking, mobile apps, mobile tracking or use of geolocation, flash cookies or other "tracking" cookies, history sniffing, children's privacy, circumventing users' privacy settings, collecting personal information without the users' knowledge or consent, and disclosing personal information to third parties. These lawsuits involve similar state law claims as those being brought in data breach cases. In addition, plaintiffs have alleged unjust enrichment, trespass to personal property/chattel, and violations of federal statutes, such as the Computer Fraud and Abuse Act ("CFAA"),[5] the Wiretap Act,[6] and the Stored Communications Act ("SCA").[7] Of course, plaintiffs need only hit on one such cause of action to move forward. In many privacy related lawsuits, plaintiffs are seeking relief for alleged harms, such as tracking their online activities or collecting personal information without express consent, the lack of reasonable notice and choice to consumers of tracking or collection of personal information, restitution of monies allegedly unjustly obtained by the defendants through the sale of personal information, compensation for emotional distress, costs of cleaning hard drives to remove cookies, and statutory damages.

II. Establishing Standing in Data Breach and "Privacy" Cases

Every plaintiff has to demonstrate his/her standing to bring a suit. Generally speaking, standing requires that the plaintiff have a personal stake in the litigation. One aspect of standing is that the plaintiff has "suffered an ‘injury in fact' – an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not ‘conjectural' or ‘hypothetical.'"[8] Allegations of identity theft or an actual loss of economic value of the plaintiff's personal information have been found to demonstrate sufficient personal "injury in fact" to establish standing. Absent such allegations, the courts have been generally unreceptive to plaintiffs' claims that they suffered an injury in fact in a privacy-based suit.

A. Standing in Data Breach Lawsuits

In data breach lawsuits, plaintiffs must generally show that there is something more than the mere exposure of personal information in order for there to be sufficient harm to establish standing. The plaintiff must either allege facts demonstrating an actual injury or "a threatened injury must be ‘certainly impending.'" An indefinite risk of future harm is not sufficient. For example, claims that a class of former employees of customers of payroll processing company Ceridian Corporation were harmed when a hacker infiltrated Ceridian's payroll processing system and potentially gained access to their personal information were rejected. The suit, Reilly v. Ceridian Corporation, involved the alleged compromise of such personal data as first and last names, social security numbers, birth dates, and bank account numbers of approximately 27,000 employees at 1,900 companies.[9] It was not known, however, whether the hacker read, copied, or understood the data accessed.

Ceridian notified the people it thought were affected by the data breach and provided them with one year of free credit monitoring and identity theft protection prior to the suit. The complaint filed against Ceridian, however, alleged that the plaintiffs had suffered: (1) an increased risk of identity theft; (2) costs to monitor their credit; and (3) emotional harm. The trial court dismissed the case and the United States Court of Appeals for the Third Circuit affirmed. The case was dismissed because the plaintiffs had only alleged hypothetical, future injury. According to the Court of Appeals, plaintiffs were conjecturing that the hacker had read, copied, and understood their personal information, intended to commit future criminal acts using the information, and would be able to use the information to the detriment of the plaintiffs. The Court held that until those conjectures came true, there had been no misuse of the information and, thus, no harm and dismissal of the suit was appropriate.

Other plaintiffs have run into problems similar to those that defeated the Reilly class. Generally, mere allegations of an increased risk of future identity theft has not been found to be a harm that the law is prepared to remedy.[10] However, a few cases have found that based on the specific facts of the case there was sufficient likelihood of identity theft to establish standing.[11] The difference appears to rest on the type and clarity of the personal information involved and the circumstances under which the data breach arose. Indeed, the Reilly court provided some usable guidance on this question. The court cited cases where the data breach was the result of sophisticated, intentional, and malicious hacking and where someone attempted to open a bank account with a plaintiff's information following the physical theft of a laptop as examples of situations where sufficient harm was alleged.

B. Standing in Privacy Lawsuits

Plaintiffs in privacy lawsuits have claimed that they suffered the invasion of a protected right or the loss of an economic benefit as a result of the defendant's conduct. Generally, plaintiffs have not succeeded in making sufficient allegations to demonstrate standing.

For example, in a flash cookies/OBA case, LaCourt v. Specific Media, plaintiffs claimed that Specific Media, a leading online third party ad network, used Adobe Flash Local Shared Objects ("LSOs" or "flash cookies") either to circumvent the privacy and security controls of users who had set their browsers to block third party http cookies, or to re-spawn deleted http browser cookies in connection with OBA. Flash cookies are used to assist in storing user preferences, game play, and other activities. They are said to be "super cookies" that never expire and are protected against deletion by the user, and allegedly were used to track users across websites to provide targeted advertising. A federal district court in California found that plaintiffs had failed to allege harm or economic injury sufficient to demonstrate standing.

In particular, plaintiffs did not actually allege that Specific Media tracked the online activity of any named plaintiff, that plaintiffs ever deleted any Specific Media browser cookies, or that plaintiffs' browser cookies were ever "re-spawned" by Specific Media. Rather, the complaint simply alleged that Specific Media installed flash cookies on plaintiffs' computers and plaintiffs believed that the LSOs would be used as substitutes for http cookies and would re-spawn previously deleted cookies. The court found that such subjective allegations did not allege the fact of injury. Additionally, the court rejected plaintiffs' claims that they had suffered economic loss. The court noted that plaintiffs did not identify a single individual who was foreclosed from entering into a "value-for-value exchange" as a result of the defendant's conduct, nor did they explain how they were "deprived" of the economic value of their personal information.[12] In essence, nothing indicated that the plaintiffs ascribed an economic value to their personal information and the plaintiffs failed to explain how they were deprived of any economic value of their personal information.

Similarly, in the social networking context, a putative class action against Facebook, Inc. arising from the site's use of their names and likenesses in its "Friend Finder" service was dismissed for failure to allege harm. Rather than claiming any emotional distress or other damages, plaintiffs argued that Facebook was using their names and likenesses without permission to turn a profit by selling advertisements. In dismissing the case in its entirety, the court found that the use of the names and likenesses of non-celebrity private individuals without compensation or consent did not cause injury sufficient to establish standing. The names and likenesses were merely displayed on the pages of other users who were already the plaintiffs' Facebook friends and who would regularly see, or at least have access to, those names and likenesses in the ordinary course of using their own Facebook account.[13] The situation might have been different if the complaint alleged violation of a specific statute regulating the use of a personal likeness in advertising, as exists in several states.

Plaintiffs have had similar problems in the context of alleged disclosure of personal information to third party advertisers. The disclosure of a users' personal information to third party advertisers can be done for a number of reasons, including providing targeted advertisements to the user. A class action lawsuit was filed against LinkedIn involving its alleged data sharing with third party advertising and marketing companies through the use of "cookies" or "beacons." The plaintiff alleged that he was harmed after suffering embarrassment and humiliation caused by the disclosure of his personally identifiable browsing history, and that his browsing history is valuable personal property with a market value, which was taken without compensation. The court, however, found that plaintiff failed to: (a) allege that LinkedIn linked plaintiff's identity to his browsing history; (b) establish how the third parties would be able to infer plaintiff's identity; and (c) allege facts to demonstrate economic harm by LinkedIn's practices or loss of the value of personal data.[14]

In contrast, plaintiffs have been able to make specific allegations of harm and economic damages sufficient to establish standing in the mobile tracking context. Mobile tracking and use of geolocation technology essentially uses data acquired from an individual's computer or mobile device to identify or describe the user's actual physical location. Geolocation technology has become a foundation for location positioning services, social networking services, and location-aware apps running on smartphones. In a multi-district litigation filed against Apple, Inc., Google, Inc., and other "mobile industry defendants," plaintiffs claimed that the defendants violated their privacy rights by unlawfully allowing third party apps that run on Apple's' iPhone, iPad, and iPod Touch to collect and make use of, for commercial purposes, personal information stored on the device without the user's consent or knowledge. Plaintiffs alleged that at least three types of "injury-in-fact" occurred: (1) misappropriation or misuse of personal information; (2) diminution in value of the personal information, which is an "asset of economic value" due to its scarcity; and (3) "lost opportunity costs" in having installed the apps, and diminution in value of the iDevices because they are "less secure" and "less valuable" in light of the privacy concerns.[15]

In their Amended Consolidated Complaint, plaintiffs identified the devices plaintiffs used, which defendants accessed or tracked their personal information, which apps plaintiffs downloaded that accessed or tracked their personal information, what harm resulted from the access or tracking of their personal information, and the specific type of personal information collected, which the court found were sufficiently concrete to support standing. Moreover, the court found that plaintiffs alleged additional theories of harm, including "diminished and consumed iDevice resources, such as storage, battery life, and bandwidth," "increased, unexpected, and unreasonable risk to the security of sensitive personal information," and "detrimental reliance on Apple's representations regarding the privacy protection afforded to users of iDevice apps."[16]

C. Attempts to Avoid Standing Problems by Alleging Statutory Violations

In part because of the standing issues they have confronted, plaintiffs have been including claims based on alleged statutory violations in an attempt to establish standing.[17] To determine standing in such cases, courts generally look to whether the statute can be "understood as granting persons in the plaintiff's position a right to judicial relief."[18] This standing question is independent of the merits of the case.[19]

In the mobile tracking case, In re iPhone/iPad Application Consumer Privacy Litigation, plaintiffs alleged a violation of their statutory rights under the Wiretap Act and SCA in the First Amended Consolidated Complaint. Specifically, the plaintiffs claimed violations of the Wiretap Act because Apple allegedly intercepted wire electronic communications, including geolocation data, from the plaintiffs' iPhones and used such data to develop a database about the locations of cellular towers and wireless networks; and violations of the SCA because defendants allegedly intentionally accessed and collected temporarily stored location data from iPhones. Recognizing that violation of the Wiretap Act or the SCA have been found by other courts to serve as a concrete injury for purposes of standing, the court found standing under these statutory claims, noting that the injury necessary to support standing may exist by virtue of "statutes creating legal rights, the invasion of which creates standing."[20]

Nevertheless, claims in cases involving allegations of statutory violations must allege violations of each of the statutory elements, or such a claim will be dismissed under Federal Rule of Civil Procedure 12(b)(6) for failure to allege a claim upon which relief can be granted.[21] See infra, Section II(D).

D. When Alleging Statutory Violations, Statutory Damage Requirements Must be Met

In attempting to avoid standing problems by alleging statutory violations, plaintiffs in invasion of privacy cases have relied on the CFAA, among others. The CFAA is known as the "anti-hacking statute" and is primarily a criminal statute. It prohibits accessing and obtaining information from a computer without authorization, and it permits anyone who has suffered at least $5,000 in damages in any 1-year period, or under certain circumstances, a group of people who collectively have suffered such damages, to sue for compensatory damages and injunctive or other equitable relief.[22] Plaintiffs, however, have had difficulty meeting the CFAA's statutory damage requirement.

For example, in Del Vecchio v. Amazon.com, Inc., a flash cookies case, the judge dismissed claims that the alleged use of flash cookies to gather information about users' Internet habits to share with third parties violated CFAA. The plaintiffs claimed that Amazon derived substantial financial gain through the use of cookies to gather the plaintiffs' personal information, thereby depriving plaintiffs of the opportunity to monetize their own valuable information. The court found that plaintiffs did not allege any facts that would allow it to reasonably infer that statutory losses had occurred. In addition, the court noted its concerns with the plaintiffs' assertion that Amazon acted without authorization or exceeded its authorization in accessing their computers, since Amazon's Privacy Notice stated that the company uses flash cookies and that a failure to accept them will effectively preclude use of the website.[23]

Similar rulings have arisen in the context of "history sniffing." Like flash cookies that are used for OBA, history sniffing involves companies "peeking" into a user's Internet visitation history to create a profile of the user, which is then used to advertise or market across websites. In Bose v. Interclick, Inc., the plaintiff alleged that the placement of "flash cookies" and use of "history sniffing" code on websites to target advertising violated the CFAA. The court dismissed advertisers McDonald's, CBS, Mazda, and Microsoft from the case based on the plaintiff's failure to quantify any damage, including any costs associated with either repairing or investigating the alleged damage caused to the computer.[24] The court found that Bose's claimed damages due to the impairment of her computer, the collection of her personal information, and interruption of Internet service were insufficient.

III. Settlement Issues

Litigating any case is expensive and involves risk. Since almost every privacy case today is being brought as a class action lawsuit, the risk is even greater. Given the size of the data breaches and the breadth of data collection, the class sizes can be very large. For instance, Fraley v. Facebook, Inc., a case involving claims over Facebook's use of users' names and likenesses in its "Sponsored Stories" service, allegedly involved approximately 71.1 million users who fit the plaintiff class definition.[25] Even a small recovery to each of the class members represents a significant amount of money. In these circumstances, a defensive settlement may make sense. However, not just any settlement will do.

Settling a class action requires court approval. Settlements can be challenged by any member of the class and, in certain circumstances, by non-class members as well. In Fraley v. Facebook, Inc., the court recently rejected a proposed $20 million class settlement into which the parties had entered, that provided for the payment of $10 million to certain organizations involved in internet privacy issues, and allowed plaintiffs to apply for an attorney fee award of up to $10 million. The court's rejection was based on the fact that: (1) the settlement provided no monetary relief directly to class members, even though the statute under which plaintiffs' claims were brought provided for statutory damages of $750 for each violation; (2) even if settlement involving a payment to charity (cy pres) is appropriate in lieu of payments to class members, the court questioned whether $10 million in cy pres recovery was fair, adequate, and reasonable based on the nature of the complaint; (3) the proposed settlement did not specifically require Facebook to allow users to opt-out of the Sponsored Stories; and (4) the ratio of the $10 million in attorneys' fees, compared with the $10 million in cy pres payment, raised serious concern.[26] In fact, the total settlement in Fraley was valued at $123,537,500, which included an estimated value of $103.2 million for future "Sponsored Stories."

IV. Public Policy Developments

Privacy and data security lawsuits are on the rise, but despite the increase, the track record suggests that it can be extraordinarily difficult for plaintiffs to prevail, often because they simply cannot establish damages. That may be one reason privacy advocates are increasing efforts to promote federal privacy legislation and advocating for laws that recognize private rights of action and allow for allegations of emotional distress and other harms to support a cause of action.

The Electronic Privacy Information Center, for example, is urging Congress to "update" the ECPA to permit individuals to be compensated for provable, non-pecuniary harms. Other consumer groups have embraced the recent White House privacy report calling for a "Consumer Privacy Bill of Rights," and continue to call for federal baseline privacy legislation that nevertheless allows states to adopt still more stringent laws. Even at the National Telecommunication and Information Administration's (NTIA) first "multistakeholder" meeting on the topic of developing privacy codes of conduct, numerous consumer groups called for the process to result in an agreement on legislative standards.

The prospects for privacy legislation seem somewhat dim in this election season, and there is another side to the debate about privacy: free content needs to be subsidized in whole, or in part. Newspapers, magazines, radio, television, and now the Internet and mobile offerings have been fueled by the engine of advertising. In a digital world where targeted advertising is king, data collection and use will remain a fact of life. There is no question, however, that those who are careless with data or fail to disclose privacy practices, especially the collection and use of data that may not be consistent with a reasonable consumer's understanding, are at risk not only in terms of litigation, but new legislation that may be more favorable to plaintiffs should the political winds shift. Strong self-regulatory standards remain an important bulwark against ill-conceived legislation that might hamper what has become an area of growth in an otherwise bleak economy.

V. Conclusion

In light of these trends, companies should be proactive in embracing best practices to not only ensure compliance with privacy laws and regulations, but to consider whether privacy practices are transparent and clear, and consistent with consumer expectations. Doing so may offer the best chance of avoiding potential litigation.

Implementing best practices in privacy and data security should begin with three fundamental principles: Know; Say; and Do. Know what data you are collecting and how it is protected. Say what you do – be transparent about practices in your privacy notices. Do what you say – periodically confirm compliance, update policies, and representations as appropriate, and stay abreast of evolving technology and evolving expectations of consumers and regulators. Privacy and data security is a value that we all share. Mistakes and lapses may always occur, but those who make privacy a priority, communicate the value of data collection to consumers, and take action to adhere to the standards they adopt, may find that they can win commercially and avoid litigation.

[2] Ponemon Institute, Inc., "2011 Cost of a Data Breach Study: United States" (March 2012).

[3] Willingham v. Global Payments, Inc., No. 12-cv-01157 (N.D. Ga. Apr. 4, 2012).

[4] See Global Payments, Inc. "Form 10-K Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934, For the fiscal year ended May 31, 2012" (filed July 27, 2012).

[5] The CFAA is generally intended to reduce the hacking of computer systems, and provides criminal offenses for "knowingly" or "intentionally" accessing a computer without the user's authorization. 18 U.S.C. §§ 1030, et seq.

[6] Title I of Electronic Communications Privacy Act ("ECPA"), also known as the Wiretap Act, protects wire, oral, and electronic communications while in transit, and provides civil recovery if an electronic communication is "intercepted, disclosed, or intentionally used" in violation of the Act. 18 U.S.C. §§ 2510, et seq.

[7] Title II of the ECPA, also known as the SCA, generally protects wire or electronic communications that are held in electronic storage, which includes messages stored on a computer, and prohibits: (1) intentionally accessing without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeding authorization to access that facility; and obtaining, altering, or preventing authorized access to a wire or electronic communication while it is in electronic storage. 18 U.S.C. §§ 2701, et seq.

[8] Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (citations omitted).

[9] Reilly v. Ceridian Corporation, 664 F.3d 38 (3d Cir. 2011), cert. denied, 132 S. Ct. 2395 (2012).

[10] See, e.g., Whitaker v. Health Net of Cal., Inc., No. 11-cv-0910, 2012 WL 174961 (E.D. Cal. Jan. 20, 2012) (plaintiffs alleged the defendants lost certain server drives consisting of more than 800,000 California residents' personal and medical information. The court dismissed the case for lack of standing, finding that a mere loss of information, without more, is too conjectural and hypothetical); Low v. LinkedIn Corp., No. 11-cv-01468, 2011 WL 5509848 (N.D. Cal. Nov. 11, 2011) (plaintiffs alleged that LinkedIn disclosed its members' private information to third parties for advertising purposes; however, the plaintiff did not allege: (1) what information was actually disclosed to third parties that caused the plaintiff's alleged harm; (2) that his private information was actually transmitted to any third parties; (3) how third parties would be able to infer his personal identity from the information allegedly transmitted; (4) how the information was transmitted to third parties; or (5) how the defendant actually caused him harm. The court found that the plaintiff lacked standing because he failed to allege any present harm and his allegations of possible future harm were "too theoretical to support injury-in-fact for the purposes of Article III standing."); Amburgy v. Express Scripts, Inc., 671 F.Supp.2d 1046 (E.D. Mo. 2009) (plaintiffs alleged that the defendant's inadequate security measures in relation to its computerized database system allowed unauthorized persons to gain access to confidential personal information, placing the plaintiff at an increased risk of becoming a victim of identity theft crimes, fraud, abuse, and extortion. The court found that the increased risk of harm from possibly having plaintiffs' personal information compromised was insufficient to state an injury in fact); Key v. DSW Inc., 454 F.Supp.2d 684 (S.D. Ohio 2006) (plaintiff alleged that the improper retention and failure to secure personal financial information allowed unauthorized persons to access and acquire the information of approximately 96,000 customers, and subjected them to a substantial increased risk of identity theft or other related financial crimes. The court found that plaintiff did not sufficiently allege that she personally experienced any injury and dismissed for lack of standing).

[11] See, e.g., Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007) (the court reasoned that "the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions." Ultimately, however, the court rejected plaintiffs' request for compensation of past and future credit monitoring services, finding that the type of damages the plaintiffs seek are not compensable as a matter of Indiana law); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (court found that the plaintiffs alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data); Ruiz v. Gap, Inc., No. 09-15971, 380 F. Appx. 689 (9th Cir. May 28, 2010) (the court found that the plaintiff had standing where he alleged that he was at a great risk of identity theft based on the theft of a laptop computer containing his Social Security Number).

[12] LaCourt v. Specific Media Inc. (aka In Re Specific Media Flash Cookie Litig.), No. 10-cv-01256, 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011) (Tentative Ruling on Motion to Dismiss) (amended complaint filed May 17, 2011; but case dismissed without prejudice on August 29, 2011).

[13] Robyn Cohen v. Facebook, Inc., No. 10-cv-05282, 2011 WL 5117164 (N.D. Cal. Oct. 27, 2011) (Order Granting 12(b)(6) Motion to Dismiss First Amended Complaint Without Leave to Amend).

[14] Low v. LinkedIn Corporation, No. 11-cv-01468, 2011 WL 5509848 (N.D. Cal. Nov. 11, 2011) (Order Granting Defendant's Motion to Dismiss) (amended complaint filed on Dec. 2, 2011, but case dismissed with prejudice on July 12, 2012).

[15] In re: iPhone/iPad Application Consumer Privacy Litigation, No. 11-MD-02250, 2011 WL 4403963 (N.D. Cal. Sept. 20, 2011) (Order Granting Defendants' Motions to Dismiss for Lack of Article III Standing with Leave to Amend) (Amended Consolidated Complaint filed Nov. 22, 2011).

[16] See In re: iPhone/iPad Application Consumer Privacy Litigation, No. 11-MD-02250, 844 F.Supp.2d 1040 (N.D. Cal. June 12, 2012).

[17] See In re Facebook Privacy Litigation, 791 F.Supp.2d 705, 712-713 (N.D. Cal. 2011) (finding plaintiffs established standing when they alleged violation of the Wiretap Act, 18 U.S.C. §§ 2510, et seq.); In re Zynga Privacy Litigation, No. 10-cv-04680-JW, 2011 WL 7479170 (N.D. Cal. June 15, 2011); but see Tyler v. Michaels Stores, Inc., 840 F.Supp.2d 438, FN 8 (D. Mass. 2012) (holding that plaintiff did not have standing because of her failure to sufficiently plead injury and distinguishing In re Facebook Privacy Litigation, 791 F.Supp.2d at 712, because the "Wiretap Act creates a private right of action for any person whose electronic communication is ‘intercepted, disclosed, or intentionally used,' and does not require any further injury," while the statute at issue in Tyler explicitly required injury to the plaintiff).

[18] Edwards v. First Am. Corp., 610 F.3d 514, 517 (9th Cir. 2010) (quoting Warth v. Seldin, 422 U.S. 490, 500 (1975)).

[19] Maya v. Centex Corp., 658 F.3d 1060, 1068 (9th Cir. 2011) (quoting Equity Lifestyle Props., Inc. v. Cnty. Of San Luis Obispo, 548 F.3d 1184, 1189 n.10 (9th Cir. 2008)).

[20] See In re: iPhone/iPad Application Consumer Privacy Litigation, No. 11-MD-02250, 844 F.Supp.2d 1040 (N.D. Cal. June 12, 2012) (citing Edwards v. First Am. Corp., 610 F.3d 514, 517 (9th Cir. 2010)); see also Low v. LinkedIn Corporation, No. 11-cv-01468, at 8 (N.D. Cal. July 12, 2012) (Order Denying in Part and Granting in Part Defendant's Motion to Dismiss).

[21] See Bose v. Interclick, Inc., No. 10-cv-09183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011) (Order in part granting motion to dismiss CFAA claim for failure to allege cognizable injury or meet the $5,000 threshold to state a claim under the CFAA); Del Vecchio v. Amazon.com, Inc., No. 11-cv-00366, 2012 WL 1997697 (W.D. Wash. June 1, 2012) (finding plaintiffs failed to allege sufficient facts to meet the necessary threshold loss amount required by the CFAA).

[22] 18 U.S.C. § 1030(g).

[23] Del Vecchio v. Amazon.com, Inc., No. 11-cv-00366, 2012 WL 1997697 (W.D. Wash. June 1, 2012) (Order Granting in Part Defendant's Third Motion to Dismiss) (finding that "Plaintiffs alleged sufficient injury to have standing" but nevertheless dismissing CFAA claim for failure to allege sufficient facts to infer that plaintiffs suffered loss in the amount required by the CFAA).

[24] Bose v. Interclick, Inc., No. 10-cv-09183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011) (Memorandum and Order).

[25] See Fraley v. Facebook, Inc., No. 11-cv-01726, Docket No. 181, 2012 WL 2354653 (N.D. Cal. June 20, 2012) (Plaintiffs' Motion for Preliminary Approval of Class Action Settlement).

[26] See Fraley v. Facebook, Inc., No. 11-cv-01726, Docket No. 163 (N.D. Cal. Aug. 17, 2012) (Order Denying Motion for Preliminary Approval of Settlement Agreement, Without Prejudice).