Supreme Court To Consider Data Aggregation Suit Against Spokeo

BUL2294 writes: Consumerist and Associated Press are reporting that the Supreme Court has taken up the case of Spokeo, Inc. v. Robins — a case where Spokeo, as a data aggregator, faces legal liability and Fair Credit Reporting Act violations for providing information on Thomas Robins, an individual who has not suffered "a specific harm" directly attributable to the inaccurate data Spokeo collected on him.

From SCOTUSblog: "Robins, who filed a class-action lawsuit, claimed that Spokeo had provided flawed information about him, including that he had more education than he actually did, that he is married although he remains single, and that he was financially better off than he actually was. He said he was unemployed and looking for work, and contended that the inaccurate information would make it more difficult for him to get a job and to get credit and insurance." So, while not suffering a specific harm, the potential for harm based on inaccurate data exists. Companies such as Facebook and Google are closely watching this case, given the potential of billions of dollars of liability for selling inaccurate information on their customers and other people.

Re:How about this..

[Aristos+Mazer]

All the EULAs will just get updated to include a clause saying, "And you give us the right to share." The problem seems to be that if you *can* give permission then you will be coerced into giving permission. That implies that, just like a contract of enforced slavery is illegal in USA even if signed willingly, any agreement that gives permission for sharing is illegal. That would solve the problem of coercion but would wipe out a whole bunch of services that people actually like and want.

I don't have an answer, but I am pretty sure that just barring the data sharing would not actually change anything except the EULAs.

This case is not about Spokeo or data

[MobyDisk]

Before everyone gets upset about data collection: This Supreme Court case is not about Spokeo's data collection. It is about who has the right to sue and under what circumstances. Even if the Supreme Court rules in favor of this individual, all it means is that the individual can continue their suit. It is not a ruling for or against Spokeo's data.

Interesting

[sgrover]

... "attributable to the inaccurate data Spokeo collected on him." If a company is in the clear for publishing inaccurate data about an individual, are they also in the clear for just fabricating data? What's to say that any of the names in their lists represent real and physical people with the same name? In theory the users entered the data at one point or another and that should be enough to tie the data to a real human. BUT any coder knows it's not rocket science to write a script to fill in a form and submit it. Consider tools like Faker https://github.com/fzaninotto/....

Re:How about this..

To qualify as libel or slander a statement must be not only false, but knowingly false, and used with malicious intent. I doubt if you can convince anyone that Google is libeling you.

The Malicious Intent test you're citing is from New York Times v. Sullivan and it only applies to public figures. SCOTUS made it clear in Gertz v. Robbin Welch that negligence is sufficient to support Libel/Slander/Defamation/etc. in the case of a private person.

Re:This seems backwards.

[Frobnicator]

Or as is very likely the case, a company passes up on hiring him for something.

That's nifty and all, but that's not the actual lawsuit.

The key feature of the lawsuit is that the individual cannot show any specific harm was done, only that their legal rights were infringed. Most aspects of civil law require that the person show some sort of injury. In this case the specific law does not require damage. Damage to consumers is assumed as automatic if the company does not comply with the law. The wording of the law is only about compliance, not about harm.

The big data companies absolutely want to forbid standing in the case. If he could show specific harm he'd have a strong case but it would be a different case. This is about data aggregators being compelled to follow the law.

The first court dismissed it, claiming since he had no specific "actual or imminent harm" he couldn't sue.

The appeals court observed that the law required specific actions by the company, and the law tied failure to comply with the rules to a $100-$1000 fine for noncompliance. That's even the name of the section: "Civil liability for willful noncompliance". Again, the law specifies damages for failing to comply, not damages for actual harm. The appeals court ruled that since the law as written does not require any actual damages -- the law is about compliance by the company, with damages assigned to "any consumer" affected by non-compliance -- he can sue. He qualifies under the definition of "any customer", and the law is only about compliance, not about actual harm.

Because of the exact wording of the law, my money is on Robins on this one. The actual law does not rely on harm to the individual. The wording of the law is based entirely on compliance, with noncompliance resulting in liability. Additional harm is not mandated.

But let's turn it around. Frequently the courts will examine the consequences if the court rejects the arguments. If they turn it down, if they say consumers cannot have standing unless there is real harm, then they would effectively void sections 1681n and 1681o. There would only be civil liability for actual harm, there would not be any civil liability for noncompliance. Generally the SCOTUS relies on a Constitutional reason to void large chunks of law like that, but in this case there are several solid reasons for Congress to pass the law. If he doesn't have standing then SCOTUS is voiding the law since no other method is available for liability. The Justices tend to be careful about voiding the law, generally only voiding laws when it falls outside what the Constitution allows. I'm absolutely certain that will come up in the oral arguments: if they deny standing how else can the noncompliance law be applied? If they deny standing they seem to be voiding the law without a constitutional reason.

Re:I was looking up my name to see what would come

and i remember going through this Spokeo site and a bunch of others. It had my name, correct address and some other information, all of which, i never gave them permission to use on their site. Right off the bat, it seems to me that is breaking the law.

What many don't realize is the amount of publicly shared information data aggregators have available - phone books, home loans recorded with your county, court cases, graduation information from universities, membership listings for organizations, what you list on Facebook or LinkedIn, public DMV records, public notices in newspapers, marriage recordings, birth recordings, professional licensing. There's an assumption many people have similar to, "How would anyone access my information unless they knew where to specifically look for it?" Spokeo seems to collect *all* information from *everywhere* and then will work their way backwards to build a profile on *you*. It's super creepy, but the practice is not illegal.

If you care about privacy (in the US at least), you actually have to make an effort to keep your information out of the public eye and out of the hands of data aggregators. If you see this: "You may opt out of sharing your personal information with third-party providers if you [jump through this extra annoying hoop]," ask yourself what will eventually happen if you don't opt out right away.

To an extreme: Spokeo probably has my sentence structure identified so that there's a 99.5% chance they can link this Anonymous Coward SlashDot post to my Spokeo profile. I won't need a eulogy at my burial to tell anyone who I was. I can just have someone tweet a link to a Spokeo profile for me. :O

Re:This *seems* backwards.

Think about it this way:

Mr. Robins applies for a job, filling out his resume with his accurate information. The company then goes to these 'information businesses' for a routine check and finds apparent discrepancies between his resume and the other company's records.

It is not a stretch to infer that your ability to find a job would be damaged by companies sharing false information about a person, whether the information would be considered better or worse.

What is truly disheartening is that both the sellers and buyers of this information currently have no liability for spreading false information (and hence no reason to worry about it).

In the end, it is left to the individual to monitor the spread of information about themselves, a virtually impossible task considering the sheer number of companies that buy/sell your information.

These companies should be responsible for the accuracy of the information as they are the ones profiting from the sale/purchase of said information.

Re:This seems backwards.

Unless, of course, his resume goes into the round file because it doesn't agree with "known" information about him.

I once failed a background check because a former employer gave me a more _senior_ title than the one I actually held. I had to get them to correct it before I could be hired (into my present position).

The hiring company HR department behaves as if their job is to help the line manager get and keep the right people, so they were willing to sort out the mess. In other places, I would never have known what happend.

So this is a real problem.

So, data CAN be owned? (Re:How about this...)

[mi]

I find it rather ironic, that the same site, which shouts down any attempts to reason that an idea can be owned — and that using it without the owner's permission is illegal and immoral — would be so respectful towards other kinds of information.

If, as the opinion prevailing here holds, "information can not be stolen" because you still have your original copy, what grounds are there to prohibit somebody else to share, what they know about you, with others? On that matter, will you also outlaw gossip?

The problem seems to be that if you *can* give permission then you will be coerced into giving permission.

Except the term coercion implies use of force. As long as you aren't forced to use a web-site despite your disagreement with their EULA, you can not complain of being "coerced".