Consumer products companies increasingly do business online, which means they frequently collect, and sometimes share, customers’ personal information. That practice makes companies potential class action targets under various privacy laws. Recently, the Ninth Circuit rejected three similar putative class actions under California’s “Shine the Light” law (STL), Cal. Civ. Code §§ 1798.83-1798.84, and Unfair Competition Law (UCL), Cal. Bus. & Prof. Code §§ 17200, et seq. In three unpublished opinions, Baxter v. Rodale, No. 12-56925, 2014 WL 667474 (9th Cir. Feb. 21, 2014), King v. Conde Naste Publications, No. 12-57209, 2014 WL 607385 (9th Cir. Feb. 18, 2014) and a companion case, the same three-judge panel affirmed dismissal of class actions under these statutes because the plaintiffs lacked standing to sue, since they failed to plead that they asked the defendants whether their information had been shared with third parties. Therefore, the plaintiffs did not sufficiently plead injury.
The STL “requires businesses, which disclose customers’ personal information to third parties for direct marketing purposes, to respond to a customer’s request to learn the identity of the third parties and the types of personal information revealed to them.” Baxter, 2014 WL 667474 at *1. To enable these customer requests, businesses must inform the customers how they can make the requests, either via customer service employees, the company’s web site, or posted physical notice at the place of business. “Alternatively, a business is excused from [the STL's] requirement to respond to customer requests, if it adopts a privacy policy informing customers of their right to prevent disclosure of their personal information and provides a cost-free means to do so or evinces a policy of not disclosing customers’ personal information to third parties for direct marketing purposes.” Id.
The STL allows for three statutory remedies: (1) a civil action for damages for a customer injured by a violation, (2) a civil penatly for an intentional or reckless violation and (3) injunctive relief. Cal. Civ. Code § 1798.84. “The California Court of Appeal recently interpreted these provisions and concluded that ‘a plaintiff must have suffered a statutory injury to have standing to pursue a cause of action under the STL, regardless of the remedies he or she seeks.’” 2014 WL 667474 at *1, quoting Boorstein v. CBS Interactive, Inc., 165 Cal. Rptr. 3d 669, 675 (Cal. Ct. App. 2013). To plead a sufficient statutory injury, “a plaintiff must have made, or attempted to make, a disclosure request in order to have standing under the STL.” Id. at 673.
Thus, “[b]ecause Baxter has failed to allege that she submitted a request to Rodale under the STL law, or that she would have, had accurate contact information been provided, the district court erred when it found she had statutory standing.” 2014 WL 667474 at *1. Moreover, the UCL requires the plaintiff to have “suffered injury in fact and ha[ve] lost money or property as a result of the unfair competition.” Cal. Bus. & Prof. Code § 17204. “Baxter has failed to allege an injury in fact, because (1) California does not recognize informational injury, … and (2) Rodale’s compliance with the STL law was not a ‘benefit of the bargain’ when she subscribed to Runner’s World magazine.” 2014 WL 667474 at *1.
The King and companion decisions were essentially identical.
What this means for consumer products companies is that it will be harder, but not impossible, for customers to state viable claims under the STL. A customer can’t just allege a technical violation without sufficiently alleging injury. However, California businesses and businesses that collect and share California customers’ information should be aware of this law and implement compliance policies so that even better-pled lawsuits against them won’t survive.