As we have recently reported, the Massachusetts legislature is currently considering a comprehensive data privacy law that would create a private right of action for consumers who allege a violation of any provision of the proposed law. Last week, a Massachusetts federal court dismissed a data privacy class action, concluding that the plaintiffs failed to state an actionable claim under existing law. The decision draws into sharp relief the potential impact of the proposed legislation. The case demonstrates how the data privacy bill, if enacted, could open a new avenue for individuals to sustain private actions based on alleged data privacy violations that courts have previously found do not entitle plaintiffs to relief.
The Mount Ida College Plaintiffs Alleged Data Privacy Violations but Could Not Sustain their Class Claims
In this recent and closely watched case, Squeri v. Mount Ida College, brought on behalf of a putative class of former and prospective Mount Ida students, the plaintiffs alleged that Mount Ida College and its trustees and officers violated students’ privacy rights “by disclosing their sensitive and private student academic data to UMass Dartmouth without their consent.” Civil Action No. 18-12438-RGS, 2019 WL 2249722, *2 (D. Mass. 2019). The students’ data privacy claims were brought under the Commonwealth’s right of privacy law, Mass. Gen. Laws. ch. 214, § 1B, which provides: “A person shall have a right against unreasonable, substantial or serious interference with his privacy. The superior court shall have jurisdiction in equity to enforce such right and in connection therewith to award damages.” In addition, the students alleged violations of the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, but, fatal to that claim, that statute does not confer a private right of action. The students also argued that the unauthorized disclosure of their academic and financial information violated Massachusetts’s consumer protection law, Mass. Gen. Laws. ch. 93A, § 9, which prohibits “unfair or deceptive acts or practices in the conduct of any trade or commerce.” However, because the court deemed the college’s transfer of personal information was “in furtherance of Mount Ida’s core educational mission,” and the college was not “engaged in trade or commerce,” it held the statute did not apply. Squeri, 2019 WL 2249722, *5-6.
On May 24, 2019, the District of Massachusetts granted the defendants’ motion to dismiss all claims, including the claim for invasion of privacy under state law. Under Massachusetts’s right of privacy, a claim for invasion of privacy must be based on an invasion that is “both unreasonable and substantial or serious.” Id. at *2, citing Nelson v. Salem State Coll., 446 Mass. 525, 536 (2006). In this case, the court determined that there were “legitimate countervailing business interests,” even for the alleged disclosure of “sensitive” personal data without consent. Id., citing Bratt v. Int’l Bus. Machines Corp., 392 Mass. 508, 520 (1984). The court accepted that the transfer of records served a legitimate purpose and was reasonably intended “to facilitate plaintiffs’ enrollment at the successor institution” and “conducted in accordance with [guidance from] the Massachusetts Attorney General[]” that the student records should be conveyed “using an anonymized set of unique student identifiers.” Based on these factors, the court concluded that any invasion of privacy was “justified” and the claim failed as a matter of law. Id. at *2.
Mount Ida College Illustrates Current Bars to Claims based on Justified Disclosures without Actual Injury that the Consumer Data Privacy Bill Might Remove
This ruling brings the potential impact of Massachusetts’s consumer data privacy bill into focus, because it could possibly command a different result under similar facts. This is because the legislation would create new data privacy rights (including the right to notification of and informed consent to third-party disclosures) with new statutory remedies to seek recovery, even if the disclosures at issue are made for the benefit of affected individuals and no actual injury is alleged. This is not to say that the Massachusetts’s proposed data privacy law would have provided a remedy in this specific case; it is possible that Mount Ida College would not qualify as a “business” under the statute, that the disclosed data would be specifically exempted “education information covered by [FERPA]” or adequately “deidentified,” that the defendants could show the disclosure was necessary to cooperate with government authorities, or that the plaintiffs would not be able to establish Article III standing. See S.120 at Sections 1(c), 1(m)(3), 8(a) and 8(b)(8). Nonetheless, Squeri v. Mount Ida College illustrates many of the current protections that exist in the law to prevent burdensome litigation for technical disclosure violations that create no cognizable harm, serve a legitimate purpose, and occur outside of the context of business transactions. If the proposed legislation is enacted as currently drafted, the law could potentially diminish or remove these protections, which would likely result in an explosion of expanded consumer privacy class action litigation in Massachusetts.