Privacy – Attorney Evan Brown

March 28, 2024 Privacy, Section 230

CCPA claim against Apple thrown out on Section 230 grounds

Plaintiffs sued Apple after downloading a malicious app from the App Store. The claims included violation of the Computer Fraud and Abuse Act (“CFAA”), the Electronic Communications Privacy Act (“ECPA”), and the California Consumer Privacy Act (“CCPA). (Alphabet soup, anyone?)

The lower court granted Apple’s motion to dismiss these claims. Plaintiffs sought review with the Ninth Circuit Court of Appeals. On appeal, the court held that the lower court properly applied Section 230 immunity to dismiss these claims.

What Section 230 does

Section 230 (47 U.S.C. § 230) instructs that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” A defendant is not liable if it can show that (1) it is a provider of “interactive computer services” as defined by the statute, (2) the claim relates to “information provided by another content provider,” and (3) the claim seeks to hold defendant liable as the “publisher or speaker” of that information.

Why the CFAA and ECPA claims were dismissed

In this case, concerning the CFAA and ECPA claims, the court looked to Barnes v. Yahoo!, Inc., 570 F.3d 1096 (9th Cir. 2009) and concluded that the lower court properly found Section 230 immunity to apply. The duty that plaintiffs alleged Apple violated derived from Apple’s status or conduct as a “publisher or speaker.” It found that the claims referred, as the basis for culpability, to Apple’s authorization, monitoring, or failure to remove the offending app from the App Store. “Because these are quintessential “publication decisions” under Barnes, 570 F.3d at 1105, liability is barred by section 230(c)(1).”

Section 230 knocked out CCPA claim too

The data privacy count included allegations that Apple violated duties to “implement reasonable security procedures and practices” to protect the personal information of App Store users, in violation of Cal. Civ. Code § 1798.100(e). The court said that it need not decide whether violations of such duties can be boiled down to publication activities in every instance or whether implementation of reasonable security policies and practices would always necessarily require an internet company to monitor third-party content. Citing to Lemmon v. Snap, Inc., 995 F.3d 1085 (9th Cir. 2021) the court found that in this case, at least, plaintiffs failed to plead adequately a theory of injury under CCPA that was “fully independent of [Apple’s] role in monitoring or publishing third-party content.”

Diep v. Apple, Inc., 2024 WL 1299995 (9th Cir. March 27, 2024)

March 5, 2024 Privacy

Website operator not liable under Wiretap Act for allowing Meta to intercept visitor communications

Plaintiffs asserted that defendant healthcare organization inadequately protected the personal and health information of visitors to defendant’s website. In particular, plaintiffs alleged that unauthorized third parties – including Meta – could intercept user interactions through the use of tracking technologies such as the Meta Pixel and Conversions API. According to plaintiffs, these tools collected sensitive health information and sent it to Meta. Despite defendant’s privacy policy claiming to protect user privacy and information, plaintiffs alleged that using defendant’s website caused plaintiffs to receive unsolicited advertisements on their Facebook accounts.

Plaintiffs sued, asserting a number of claims, including under the federal Electronic Communications Privacy Act (“ECPA”) and the California Invasion of Privacy Act (“CIPA”). Defendant moved to dismiss these claims. The court granted the motion.

To establish an ECPA claim, a plaintiff must demonstrate that defendant intentionally intercepted or attempted to intercept electronic communications using a device. CIPA similarly prohibits using electronic means to understand the contents of a communication without consent. Both laws have a “party exception” allowing a person who is a party to the communication to intercept it, provided the interception is not for a criminal or tortious purpose. In other words, there is an exception to the exception.

In this case, defendant argued it was a legitimate party to plaintiffs’ communications on a website, thus invoking the party exception. Plaintiffs countered that the exception should not apply due to defendant’s alleged tortious intent (making the information available to Facebook without disclosure to plaintiffs). But the court found that plaintiffs did not provide sufficient evidence that defendant’s actions were for an illegal or actionable purpose beyond the act of interception itself. Under the guidance of Pena v. GameStop, Inc., 2023 WL 3170047 (S.D. Cal. April 27, 2023), (a plaintiff must plead sufficient facts to support an inference that the offender intercepted the communication for the purpose of a tortious or criminal act that is independent of the intentional act of recording or interception itself), the court concluded there was no separate tortious conduct involved in the interception and dismissed the claims.

B.K. v. Eisenhower Medical Center, 2024 WL 878100 (February 29, 2024)

See also:

January 24, 2024 Privacy

Website cookie banner was not enough for cruise line to sink federal wiretap lawsuit

cookie banner

Plaintiffs sued Carnival Cruise Line because they were upset about how much information carnival.com collected when they visited the site. “On carnival.com, no action goes unnoticed. Every click is counted, every keystroke is collected, and every cursor movement is catalogued.”

The claims centered around Carnival’s use of Clarity – a Microsoft session replay software that was deployed onto the user’s browser to collect a wide variety of information about the user’s system and browsing behavior. That collection was not limited to information from carnival.com. Clarity allegedly assigned each user a specific id that it used to associate and aggregate browsing behavior across all Clarity-enabled websites.

Plaintiffs asserted several claims, including one under the federal Electronic Communications Privacy Act (18 U.S.C. 2510 et seq.) (“ECPA”). They complained that Carnival intercepted Plaintiffs’ personal information, including their passport number, driver’s license number, date of birth, home address, phone number, email address and payment information, and used that information to trace users’ browsing history on other sites.

Carnival moved to dismiss for failure to state a claim under the ECPA. The court denied the motion.

No “party to the communication” exception

Carnival argued that the “party to the communication” exception of the ECPA absolved it of liability. 18 U.S.C. 2511(2)(d) provides that “[i]t shall not be unlawful … for a person … to intercept a[n] electronic communication where such person is a party to the communication.” But plaintiffs asserted that Microsoft, as the provider of the session replay code software, was a third party to the communication of the browsing information. Courts sometimes find third parties to be merely “extensions” of a website when such third parties’ services “merely function as a tape recorder.” But in this case, citing to Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891 (N.D. Cal. 2023), the court declined to find that Clarity had such limited functionality. The main problem for Carnival was that Clarity did more than just serve as a “tape recorder” – it used data to generate analytics such as heatmaps of user engagement and profiles of browsing history on other sites.

No consent for third party interception

Carnival also argued that the ECPA claim should be dismissed because plaintiffs had consented to the interception of their information. The court rejected this argument.

Carnival’s first argued that by merely sending a communication over the internet, plaintiffs expressed their consent. It cited to a 2001 Pennsylvania decision called Commonwealth v. Proetto, a criminal case in which that court found that a defendant accused of improperly soliciting a 15-year-old girl online could not claim that the girl’s decision to print out the defendant’s chat communication violated defendant’s right of privacy. In other words, the Pretto case stands for the notion that when one sends something over the internet, he or she loses control, from a privacy standpoint, over what the recipient will do with that information. The court distinguished the Proetto case, however, noting that it did not cover third-party interception, focusing instead on direct communication between two parties, and emphasizing that consent is given specifically to the receiver, not any incidental third party. This distinction was crucial in the present case, as Carnival needed to demonstrate that plaintiffs consented not just to Carnival, but also to third-party session replay providers – such as Microsoft in providing Clarity – involved in data collection.

So Carnival cited to Farst v. AutoZone, Inc., 2023 WL 7179807 (M.D. Pa. 2023) wherein the court dismissed similar claims in the context of online shopping, deeming it a public activity with no expectation of privacy in browsing habits. The court distinguished the Farst case, however, by noting that it did not focus not on the collection of sensitive information like this case did. In the current case, plaintiffs had made concrete allegations regarding the interception of sensitive information (e.g., driver’s license number, date of birth, home address).

Carnival’s second argument for plaintiffs’ consent to its recording policy hinged on a “Cookie Policy” banner on its website, suggesting that continued use of the site provided consent to the policy. Plaintiffs countered this by asserting that the website did not adequately notify users of this recording, and interaction with the site was possible without reviewing or agreeing to any privacy policy. The court observed that in assessing the validity of such “browsewrap” agreements, it should consider whether a website provides sufficient notice to a reasonably prudent user about the terms of the contract. In this case, the Cookie Policy banner was less noticeable due to its smaller text, inconspicuous color scheme, and placement away from key user interaction points, like large “SHOP NOW” or “SEARCH CRUISES” buttons. There was also no evidence that the banner appeared immediately or remained visible throughout a user’s visit. Consequently, the court found that – based on the facts alleged – a reasonably prudent user would not be adequately informed of the terms, siding with plaintiffs’ claim that they did not consent to the interception of their communications.

Rejection of Carnival’s other ECPA arguments

In denying the motion to dismiss the ECPA claims, the court rejected Carnival’s remaining arguments as well.

The court found that based on the facts alleged in the complaint, it was plausible to believe that the transmission of the information was contemporaneous, thereby qualifying as an “interception” under the statute.

It found that the information transmitted was not merely “record information” but that information such as an intent to travel, dates and locations were actual “contents” of the alleged communications.

And it rejected Carnival’s argument that the offending session replay code comprising Clarity was not a “device” prohibited by the statute. Carnival contended that it did not meet the definition of a “device” in the context of wiretapping laws, arguing that a “device” should be a physical object. The court held that that the combination of software and hardware involved in this case fell under the ambit of “device” as contemplated by the statute.

Price v. Carnival Corporation, 2024 WL 221437 (S.D. Cal., January 19, 2024)

See also:

January 15, 2024 Privacy

Beauty and the Biometrics: Federal court in Illinois tosses biometric data case brought against cosmetics giant

biometric privacy

A federal judge recently dismissed a class action lawsuit against The Estée Lauder Companies and one of its affiliates. This case involved allegations that these entities violated the Illinois Biometric Information Privacy Act (BIPA).

Background of the Case

Plaintiffs represented a proposed class and accused defendants of three distinct violations of BIPA. The dispute centered on the use of a virtual try-on tool that one of defendants had licensed to Estée Lauder which enabled customers to virtually test cosmetic products on brand websites. Plaintiffs claimed that they were not adequately informed about the capture and use of their biometric data, including facial mapping and facial geometry. They argued that there was a failure to provide clear consent and privacy policies regarding biometric data.

What BIPA Says

The law governs private entities’ collection, use, and storage of biometric identifiers and information. Plaintiffs contended that defendants did not comply with these requirements, specifically in failing to obtain written consent and establishing proper retention and destruction policies for biometric data.

What the Court Said

The court’s decision to dismiss the case hinged on plaintiffs’ inability to demonstrate that defendants used the biometric data in a manner that could identify individuals. The court referenced similar cases where allegations were dismissed due to the lack of plausible claims connecting biometric data collection with the capability to identify individuals.

The court found that plaintiffs did not provide sufficient factual allegations to establish that defendants could identify individuals using the facial scans. It compared other cases where claims were either dismissed or upheld based on the presence or absence of plausible allegations of identification capability. The case was dismissed without prejudice, meaning plaintiffs were given the opportunity to file an amended complaint by a specified date.

What It Means

This decision highlights the importance of clear legal standards for biometric data usage and the challenges plaintiffs face in proving violations under BIPA. It also underscores the need for companies to be transparent and compliant with privacy laws when implementing innovative technologies.

Castelaz v. The Estee Lauder Companies, Inc. et al., 2024 WL 136872 (N.D. Illinois, January 10, 2024)

Microsoft Edge privacy case dismissed for lack of standing

standing

A legal dispute involving Microsoft recently concluded with the dismissal of a class-action lawsuit. Plaintiffs had accused Microsoft of unauthorized data collection through its Edge browser, alleging violation of privacy laws. The court, however, ruled in favor of Microsoft, citing the plaintiffs’ lack of standing under Article III of the Constitution.

The Allegations Against Microsoft

The lawsuit centered on the claim that Microsoft Edge intercepted and sent private user data, including activities in “private” browsing mode, to Microsoft-controlled servers. This data, linked to unique user identifiers, allegedly allowed Microsoft to track users’ internet habits. Plaintiffs argued this was done without consent, breaching the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and various state laws, and claimed economic injury due to these practices.

Microsoft’s Challenge and the Court’s Decision

Microsoft moved to dismiss the lawsuit, arguing plaintiffs lacked the necessary standing under Article III of the U.S. Constitution. The court agreed, determining the plaintiffs did not meet the required standing criteria.

The core issue was whether the plaintiffs had standing, a fundamental requirement for a case to be heard in a federal court. The constitution requires an actual “case or controversy” for federal courts’ involvement. The court examined whether plaintiffs demonstrated (1) an injury in fact, (2) a direct causation, and (3) a potential remedy through court action.

The 2021 Supreme Court ruling in TransUnion LLC v. Ramirez was key to the outcome in this case. This ruling stressed that not every violation of a statutory right leads to a concrete harm that warrants a federal lawsuit. This court, agreeing with Microsoft, found that the data identified in the complaint was not traditionally considered private. It determined that the collection of browsing data did not closely relate to a harm traditionally actionable in court. The court pointed out that data like browsing history and keystrokes do not carry a reasonable expectation of privacy.

Final Outcome

So the court found that the plaintiffs failed to allege a concrete privacy injury that would fulfill the requirements for Article III standing. The dismissal of this lawsuit highlights the complex challenges in digital privacy litigation and the difficulty plaintiffs face in proving standing in privacy-related legal actions.

Saeedy v. Microsoft Corporation, 2023 WL 8828852 (W.D. Washington, December 21, 2023)

August 8, 2022 Employment, Privacy

Can a company snoop on its employee’s personal email account?

Plaintiff was an administrative assistant at defendant company. When her supervisor got word that plaintiff had been asked to join a competing company started by some other former company employees, the supervisor allegedly logged onto plaintiff’s work computer and without authorization accessed plaintiff’s Gmail account to get more information confirming plaintiff’s plans. Plaintiff was later terminated.

So she sued under the federal Stored Communications Act (“SCA”) and the Federal Wiretap Act (under a part of that act often called the Electronic Communications Privacy Act (“ECPA”)). Defendant moved to dismiss both the claims. The court denied the motion to dismiss the SCA claim but dismissed the ECPA claim.

The SCA prohibits, among other things, the intentional unauthorized access of a “facility through which an electronic communication service is provided”—thereby obtaining access to an electronic communication while in electronic storage. 18 U.S.C. § 2701(a). A court may award actual damages, statutory damages, and punitive damages for violation of the SCA. If a plaintiff seeks statutory damages under the SCA, it must prove actual damages. But one need not prove actual damages to recover punitive damages. The ECPA prohibits, among other things, the “interception” of electronic communication. 18 U.S.C. § 2511(a). Courts have generally held that such “interception” must be contemporaneous with transmission.

The court held plaintiff could move forward with her SCA claim even though she had not pled actual damages. She had sufficiently pled that she should be awarded punitive damages. And the court tossed the ECPA claim because the facts as alleged showed that the email messages the employer allegedly accessed had already been delivered and therefore were not intercepted as the statute requires for liability.

Benz v. PHB Realty Co., 2022 WL 3098579 (D. Kansas, August 4, 2022)

See also:

March 15, 2022 Privacy

Is storing protected information on an unencrypted server a disclosure of that information?

unencrypted server disclosure

Back in the 1990s, Congress recognized that stalkers were aided in their crimes by using victims’ driver’s license information, and states were selling driver’s license information to marketers. So Congress passed the Driver’s Privacy Protection Act, 18 U.S.C. § 2721, et seq. (the “DPPA”). This statute makes it unlawful for any person to knowingly disclose personal information from a motor vehicle record for any use other than certain uses that the statute permits.

Defendant had more than 27 million Texas driver’s license records that it stored on an external unencrypted server. In 2020, it announced that a third party had accessed the records without authorization. As expected, the class action lawyers jumped on board and sued under the DPPA.

The lower court dismissed the DPPA claim in response to defendant’s motion to dismiss for failure to state a claim. Plaintiffs sought review with the Fifth Circuit Court of Appeals. On appeal, the court affirmed the dismissal.

It held that plaintiffs failed to plausibly allege that storing the data on an unencrypted server amounted to a “disclosure”. More specifically, although plaintiffs argued that defendants had placed the information on a server that was readily accessible to the public, that assertion was nowhere in the complaint, nor was it supported by the facts alleged in the complaint.

In finding there to be no disclosure, the court observed that the storage of the data, as alleged, did not make it visible to a digital “passer-by”. This made the case different from Senne v. Village of Palatine, Ill.,695 F.3d 597 (7th Cir. 2012), in which a police officer disclosed information by putting a traffic ticket on a windshield, which any passer-by could see. The court also looked to Enslin v. Coca-Cola Co., 136 F. Supp. 3d 654 (E.D. Pa. 2015), in which that court held there to be no disclosure under the DPPA when someone stole an unencrypted laptop containing information protected under the statute.

Allen v. Vertafore, Inc., No. 21-20404 (5th Cir., March 11, 2022)

February 15, 2022 Privacy

Biometric privacy statute does not violate First Amendment

biometric privacy First Amendment — Biometric identifiers extracted from a photo are not public in the same way the photo itself is

Plaintiffs filed a class action lawsuit against a facial recognition technology company and related individual defendants, asserting violations of the Illinois Biometric Information Privacy Act (“BIPA”). Plaintiffs alleged that defendants covertly scraped over three billion photographs of faces from the internet and then used artificial intelligence algorithms to scan the face geometry of each individual depicted to harvest the individuals’ unique biometric identifiers and corresponding biometric information. One of the defendants then created a searchable database containing this biometric information and data that enabled users of its proprietary platform to identify unknown individuals by uploading a photograph to the database. Accordingly, plaintiffs alleged that defendants collected, captured, or otherwise obtained their biometric data without notice and consent, and thereafter, sold or otherwise profited from their biometric information, all in violation of BIPA.

Unconstitutional restriction on public information?

Defendants moved to dismiss the BIPA claim on a number of grounds, including an argument that BIPA violated defendants’ First Amendment rights. More specifically, defendants maintained that the capture and analysis of faceprints from public images was protected speech, and thus, BIPA was unconstitutional because it inhibited the ability to collect and analyze public information. Plaintiffs, however, asserted that the capturing of faceprints and the action of extracting private biometric identifiers from the faceprints was unprotected conduct. The court sided with plaintiffs and rejected defendants’ argument.

The court held that defendants’ argument oversimplified plaintiffs’ allegations. Although defendants captured public photographs from the internet, they then harvested an individual’s unique biometric identifiers and information – which are not public information – without the individual’s consent. Put differently, plaintiffs asserted that the defendants’ business model was not based on the collection of public photographs from the internet, some source code, and republishing information via a search engine, but the additional conduct of harvesting nonpublic, personal biometric data. And, as plaintiffs further alleged, unlike fingerprints, facial biometrics are readily observable and present a grave and immediate danger to privacy, individual autonomy, and liberty.

An intermediate approach to biometric privacy

Accordingly, the court looked at defendants’ conduct as involving both speech and nonspeech elements. Looking to the test set out in the Supreme Court case of United States v. O’Brien, 391 U.S. 367 (1968), the court evaluated how when “elements are combined in the same course of conduct, a sufficiently important governmental interest in regulating the nonspeech element can justify incidental limitations on First Amendment freedoms.” The court applied the intermediate scrutiny standard set out in O’Brien, namely, a regulation does not violate the First Amendment if (1) it is within the power of the government to enact, (2) furthers an important government interest, (3) the governmental interest is unrelated to the suppression of free expression, and (4) any incidental restriction on speech is no greater than is necessary to further the government interest.

The first element was easy to dispense with because the parties did not argue that the Illinois General Assembly lacked the power to enact BIPA. On the second element, the court found that the General Assembly enacted BIPA to protect Illinois residents’ highly sensitive biometric information from unauthorized collection and disclosure. Regarding the third element, the court noted that BIPA, including its exceptions, does not restrict a particular viewpoint, nor does it target public discussion of an entire topic. And on the fourth O’Brien element, the court found BIPA to be narrowly tailored by legitimately protecting Illinois residents’ highly sensitive biometric information and data, yet allowing residents to share their biometric information through its consent provision. And BIPA is not overly-broad, in the court’s view, because it does not prohibit a substantial amount of protected speech.

In re Clearview AI, Inc., Consumer Privacy Litigation, 2022 WL 444135 (N.D. Illinois, February 14, 2022)

January 20, 2022 Computer Crime, Privacy

Is Indiana’s revenge porn law constitutional?

revenge porn constitutional — Stained glass window at Pokagon State Park in Angola, Indiana, near where the underlying events in this case took place.

In 2019, Indiana joined a number of other states and enacted a statute that makes it a crime for a person to distribute an “intimate image” when he or she knows or reasonably should know that an individual depicted in the image does not consent to the distribution. In March 2020, defendant sent a video of himself receiving oral sex to his ex-girlfriend via Snapchat. After being charged under the statute, defendant moved to dismiss, arguing in part that the statute violates both the Indiana and U.S. constitutions. The trial court agreed and dismissed the case. But the state appealed to the Indiana Supreme Court.

What part of the Indiana constitution applied?

The court’s analysis under the Indiana constitution is particularly interesting. Indiana’s constitutional protection in this area reads quite a bit differently than the language of the First Amendment.

Article 1, Section 9 of the Indiana constitution reads as follows:

No law shall be passed, restraining the free interchange of thought and opinion, or restricting the right to speak, write, or print, freely, on any subject whatever: but for the abuse of that right, every person shall be responsible.

The court first had to evaluate whether videos – and in particular the video at issue – were covered by the applicable Indiana constitutional provision. “Our encounters with Article 1, Section 9 have always involved words, thus invoking the ‘right to speak’ clause.” The court held that the video content was protected under the “free interchange” clause of the state’s constitution. “We understand the free interchange clause to encompass the communication of any thought or opinion, on any topic, through ‘every conceivable mode of expression.’” And the court quickly ascertained that being prosecuted for the distribution of the video was a “direct and substantial burden” on defendant’s right to self-expression.

Abuse of rights?

But defendant’s expressive activity in this case – though within his right to free interchange as expressed in the constitution – was an abuse of that right. Looking through the lens of the natural rights philosophy that informed the drafting of the Indiana constitution, the court cited to previous authority (Whittington v. State, 669 N.E.2d 1363 (Ind. 1996)) that explained how “individuals possess ‘inalienable’ freedom to do as they will, but they have collectively delegated to government a quantum of that freedom in order to advance everyone’s ‘peace, safety, and well-being.'” Thus, the court observed that the purpose of state power is “to foster an atmosphere in which individuals can fully enjoy that measure of freedom they have not delegated to government.”

Citing to State v. Gerhardt, 145 Ind. 439 (Ind. 1896), the court evaluated how “[t]he State may exercise its police power to promote the health, safety, comfort, morals, and welfare of the public.” And citing to other authority, the court noted that “courts defer to legislative decisions about when to exercise the police power and typically require only that they be rational.” So the question became whether – approached from the standpoint of rationality – the statute’s restriction on the right to self-expression was appropriate to promote the health, safety, comfort, morals and welfare of the public.

Rationality favored public protection

“Under our rationality inquiry, we have no trouble concluding the impingement created by the statute is vastly outweighed by the public health, welfare, and safety served.” In reaching this conclusion, the court examined, among other things, the tremendous harms of revenge porn – including its connection to domestic violence and psychological injury. Accordingly, the court found the statute did not violate the Indiana constitution.

The court also found that the statute did not violate the First Amendment of the U.S. Constitution. It held that the statute is content-based and therefore subject to strict scrutiny. Even under this standard, the court found that it served a compelling government interest, and was narrowly tailored to achieve that compelling interest.

State v. Katz, 2022 WL 152487 (Ind., January 18, 2022)

Can a party recover statutory damages under the Stored Communications Act without proving actual damages?

The Stored Communications Act (18 USC 2701 et seq.) is among the most powerful tools relating to email privacy. It is a federal statute that prohibits, in certain circumstances, one from intentionally accessing without authorization, or exceeding authorized access to, a facility through which an electronic communication service is provided. The statute provides criminal penalties and an aggrieved party can bring a civil suit for damages in certain cases.

The statute contains a provision that addresses the amount of money damages a successful plaintiff can recover. Section 2707(c) provides the following:

Damages. The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000. If the violation is willful or intentional, the court may assess punitive damages. In the case of a successful action to enforce liability under this section, the court may assess the costs of the action, together with reasonable attorney fees determined by the court.

Note the phrase “but in no case shall a person entitled to recover receive less than the sum of $1,000.” Does that mean every plaintiff that successfully proves the defendant’s liability is entitled to at least $1,000, regardless of whether there was any actual damage that occurred? The Fifth Circuit Court of Appeals recently addressed that question in the case of Domain Protection, L.L.C. v. Sea Wasp, L.L.C. It held that one must show at least some actual damages before being entitled to the minimum of $1,000.

The court looked to the Supreme Court’s approach in addressing nearly identical language in another statute, wherein SCOTUS concluded that “person entitled to recover” refers back to the party that suffers “actual damages.” Doe v. Chao, 540 U.S. 614, 620, 124 S.Ct. 1204, 157 L.Ed.2d 1122 (2004). And it noted that two other circuits have held that this reasoning should apply to the same terms in the Stored Communications Act: Vista Mktg., LLC v. Burkett, 812 F.3d 954, 964–75 (11th Cir. 2016) and Van Alstyne v. Elec. Scriptorium, Ltd., 560 F.3d 199, 204–208 (4th Cir. 2009). The court “endorse[d] the reasoning of those opinions and [saw] no need to repeat it.”

Domain Protection, L.L.C. v. Sea Wasp, L.L.C., — F.4th —, 2022 WL 123408 (5th Cir. January 13, 2022)