Chapter 1: Privacy in Tort Law
- Intrusion Upon Seclusion
- In re Google Cookie Placement, 806 F.3d 125 (3rd Cir. 2015) (finding that third party cookie tracking could be challenged via privacy tort)
- See also In re: Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3rd Cir. 2016); In re Facebook Internet Tracking Litigation, 283 F. Supp. 3d 836 (N.D. Cal. 2017); Smith v. Facebook, Inc., 262 F. Supp. 3d 943 (N.D. Cal. 2017)
- Opperman v. Path, Inc., 205 F. Supp. 3d 1064 (N.D. Cal. 2016) (applying the intrusion upon seclusion tort to scraping of contacts by a smartphone app)
- In re: Vizio, Inc., Consumer Privacy Litig., 238 F. Supp. 3d 1204 (C.D. Cal. 2017) (denying motion to dismiss invasion of privacy claim based on alleged monitoring of TV content viewing history)
- Woodbury v. Victory Van Lines, 286 F. Supp. 3d 685 (D. Md. 2017) (no privacy tort claims based on taking and distributing photo of unconscious employee)
- Smith v. Datla, 451 N.J. Super. 82 (N.J. Super. Ct. App. 2017) (recognizing tort for improper disclosure of medical information)
- Howard v. Aspen Way Enterprises, Inc., 406 P.3d 1271 (Wy. 2017) (applying intrusion upon seclusion tort to installation of spyware on leased computers)
- Safari Club International v. Rudolph, 862 F.3d 1113 (9th Cir. 2017) (finding reasonable probability of prevailing on invasion of privacy claim based on surreptitious recording in public place)
- Friedman v. Martinez, 184 A.3d 489 (N.J. Super. Ct. App. Div. 2018) (invasion of privacy claim based on camera installed in bathroom did not require proof of recording)
- Publication of Private Facts
- Judge v. Saltz Plastic Surgery, P.C., 367 P.3d 1006 (Utah 2016) (adopting “legitimate concern to the public” element for publication of private facts tort)
- Rosa and Raymond Parks Institute for Self Development v. Target Corp., 812 F.3d 824 (11th Cir. 2016) (finding that qualified privilege to report on matters of public interest applies to retailer’s sale of books and other items concerning Civil Rights figure)
- False Light
- Franchise Tax Board of State of Cal. v. Hyatt, 407 P.3d 717 (Nev. 2017) (recognizing false light tort but denying privacy and breach of confidentiality claims arising from out-of-state tax audit)
- Breach of Confidentiality
- Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 175 A.3d 1 (Conn. 2018) (recognizing on first impression a tort cause of action for a health care provider’s violation of the duty of confidentiality)
- See also Barber v. Camden Clark Memorial Hospital Corp., 815 S.E.2d 474 (W.Va. 2018) (recognizing that similar tort for wrongful disclosure of health care information is not preempted by HIPAA)
- Data Breach
- Remijas v. Neiman Marcus, 794 F.3d 688 (7th Cir. 2015) (finding that plaintiffs whose credit card data was breached had standing to pursue tort and other state-law claims against the company that collected the data)
Chapter 2: Constitutional Privacy
- First Amendment
- In re Grand Jury Subpoena, No. 16-03-217 (Glassdoor, Inc.), 875 F.3d 1179 (9th Cir. 2017) (finding website operator has third party standing to assert users’ First Amendment rights and applying Branzburg good-faith test to require disclosure of anonymous users’ identities)
- Wollschlaeger v. Governor, Florida, 848 F.3d 1293 (11th Cir. 2017) (en banc) (finding that certain provisions of Florida’s Firearms Owners’ Privacy Act are unconstitutional content-based restrictions on the speech of doctors and medical professionals)
- Packingham v. North Carolina, 137 S. Ct. 1730 (2017) (holding that a statute prohibiting sex offenders from accessing social networking websites violated the First Amendment)
- Signature Management Team, LLC v. Doe, 876 F.3d 831 (6th Cir. 2017) (finding a rebuttable presumption of open judicial records in favor of unmasking anonymous defendants when judgment has been entered for a plaintiff)
- Citizens United v. Schneiderman, 882 F.3d 374 (2nd Cir. 2018) (upholding donor disclosure rules for non-profits under First Amendment “exacting scrutiny” standard)
- See also Van Hollen, Jr. v. FEC, 811 F.3d 486 (D.C. Cir. 2016)
- Perez v. City of Roseville, 882 F.3d 843 (9th Cir. 2018) (finding termination of employment for officer based on off-duty affair violated First Amendment right to privacy and intimate association)
- Second Amendment
- Wollschlaeger v. Governor, Florida, 848 F.3d 1293 (11th Cir. 2017) (en banc) (striking down as unconstitutional under the First Amendment certain portions of Florida’s Firearms Owners’ Privacy Act)
- Fourth Amendment
- United States v. DE L’Isle, 825 F.3d 426 (8th Cir. 2016) (scanning magnetic strip on credit card not a trespassory search under Fourth Amendment)
- See also United States v. Bah, 794 F.3d 617 (6th Cir. 2015)
- Belleau v. Wall, 811 F.3d 929 (7th Cir. 2016)
- In re Grand Jury Subpoena, JK-15-029 (John Kitzhaber), 828 F.3d 1083 (9th Cir. 2016) (finding that a district court has the supervisory power and responsibility to quash a vastly overbroad grand jury subpoena for e-mail records)
- Birchfield v. North Dakota, 136 S. Ct. 2160 (2016) (holding that the Fourth Amendment does not permit warrantless blood tests incident to arrest for drunk driving and that motorists cannot be deemed to have consented to submit to a blood test on pain of committing a criminal offense)
- Utah v. Strieff, 135 S. Ct. 2056 (US 2016) (finding that an officer’s discovery of a valid, pre-existing warrant during an otherwise unlawful investigatory stop justified denial of a defendant’s motion to suppress)
- Byrd v. Maricopa Cnty. Bd. of Supervisors, 845 F.3d 919 (9th Cir. 2017) (holding that prison policy of allowing cross-gender guard observation of pretrial detainee’s showering and using the bathroom violated the Fourth Amendment)
- Sims v. Labowitz, 885 F.3d 254 (4th Cir. 2018) (finding it clearly established that a sexually invasive search of a minor was unconstitutional despite the existence of a warrant)
- United States v. Houston, 813 F.3d 282 (6th Cir. 2016) (holding that an officer’s warrantless use of a stationary camera on top of a public utility pole to record video and audio of an individual’s private property did not violate the Fourth Amendment)
- United States v. Pacheco, 884 F.3d 1031 (10th Cir. 2018) (finding search of cell phone during warrantless search of parolee’s home was reasonable under totality of the circumstances test)
- But see United States v. Lara, 815 F.3d 605 (9th Cir. 2016) (holding the opposite)
- United States v. Vergara, 884 F.3d 1309 (11th Cir. 2018) (holding that a warrantless forensic search of an individual’s cell phone at the border did not violate the Fourth Amendment)
- But see United States v. Molina-Isidoro, 884 F.3d 287 (5th Cir. 2018) (holding that “nonroutine” searches at the border require reasonable suspicion); United States v. Kolsuz, 890 F.3d 133 (4th Cir. 2018) (same)
- Byrd v. United States, 138 S. Ct. 1518 (U.S. 2018) (finding that a driver in lawful possession of a rental car has a reasonable expectation of privacy in the contents of the car even if he is not listed as an authorized driver on the rental agreement)
- Carpenter v. United States, 138 S. Ct. 2206 (US 2018) (ruling that historical cell phone location records are generally protected under the Fourth Amendment)
- But see United States v. Banks, 884 F.3d 998 (10th Cir. 2018) (finding that exigent circumstances justified pinging defendant’s cell phone to gather location data following credible threat to informant safety)
- Naperville Smart Meter Awareness v. City of Naperville, 900 F.3d 521 (7th Cir. 2018) (finding that collection of electricity data via “smart meter” devices in 15-minute intervals was a reasonable search under the Fourth Amendment)
- United States v. Reddick, 900 F.3d 636 (5th Cir. 2018) (holding that automated scanning of files uploaded to Microsoft SkyDrive for contraband images, and the reporting of “matched” images to law enforcement, was a private search and thus did not implicate the Fourth Amendment)
- Walker v. Coffey, 905 F.3d 138 (3d Cir. 2018) (holding that university employer could consent to search of employee’s workplace e-mails)
- United States v. Correa, __ F.3d ___ (7th Cir. 2018) (finding that repeatedly pressing the button on the electronic garage door opener from defendant’s car to identify his condominium building, using his key fob to enter the building, and testing his mailbox key against mail boxes to identify his unit were all reasonable searches)
- United States v. Brixen, ___ F.3d ___ (7th Cir. 2018) (holding that the act of sending a message to defendant’s social media account and viewing the notification on his phone was not a search under the Fourth Amendment)
- Fifth Amendment
- United States v. Apple MacPro Computer, 851 F.3d 238 (3rd Cir. 2017) (finding no plain error in trial court determination that decryption order did not violate suspect’s Fifth Amendment protection against self-incrimination)
- See also United States v. Robinson, ___ M.J. ___, 2018 WL 1512067 (C.A.A.F. 2018) (finding that initial consent to search cell phone justified subsequent inquiry, after right to counsel was invoked, for the cell phone passcode); State v. Diamond, 905 N.W. 2d 870 (Minn. 2018) (holding that an order requiring defendant to unlock his cellphone using his fingerprint did not violate his privilege against self-incrimination)
- But see In re Application for a Search Warrant, 236 F. Supp. 3d 1066 (N.D. Ill. 2017) (denying warrant application seeking to force an individual at the subject premises to provide a fingerprint or thumbprint in an attempt to unlock any Apple device that may be found)
- Fourteenth Amendment
- In re: OPM Data Security Breach Litigation, 266 F. Supp. 3d 1 (D.D.C. 2017) (holding that individuals affected by the OPM data breach could not assert a claim for a violation of their constitutional right to informational privacy)
- Weaver v. Myers, 229 So.3d 1118 (Fla. 2017) (holding that the right to privacy under the Florida Constitution protects a patient’s medical records, that the right survives after death and can be asserted by family members, and that a state statute requiring ex parte interviews of doctors in malpractice litigation violated the right)
- Erotic Service Provider Legal Education and Rsch. Project v. Gascon, 880 F.3d 450 (9th Cir. 2018) (state law criminalizing prostitution did not violate the First or Fourteenth Amendments)
- Hancock v. County of Rensselaer, 882 F.3d 58 (2d Cir. 2018) (finding that unauthorized access to prison employee medical records by county officials may have violated individuals’ Fourteenth Amendment privacy rights)
- Arroyo Gonzalez v. Rossello Nevares, 305 F. Supp. 3d 327 (D.P.R. 2018) (holding that the Commonwealth’s Birth Certificate Policy violates the decisional and informational privacy rights of transgender persons who wish to correct their birth certificates to reflect their true sex)
Chapter 3: Federal Privacy Statutes
- Article III Standing
- Spokeo v. Robins (US 2016) (FCRA) (holding that courts must address whether plaintiffs have alleged a “concrete” injury in order to satisfy the Article III “case or controversy” requirement for federal court jurisdiction)
- Subscriber Privacy
- Deacon v. Pandora Media, Inc., 885 N.W.2d 628 (Mich. 2016) (state VPPA equivalent) (finding that a user of a streaming service was not a customer who rented or borrowed sound recordings within the meaning of the Preservation of Personal Privacy Act)
- Yershov v. Gannett Satellite Info. Network, Inc., 820 F.3d 482 (1st Cir. 2016) (VPPA) (finding that user data disclosed by the USA Today Mobile App was “personally identifiable information” under the VPPA and that the user who downloaded and installed the app was a “consumer” under the statute)
- But see Eichenberger v. ESPN, Inc., 876 F.3d 979 (9th Cir. 2018) (finding that similar data collected by the “WatchESPN” app was not PII and adopting the “ordinary person” test from the Third Circuit); In re Nickelodeon (3rd Cir. 2016) (holding that the IP address information collected by the Nickelodeon website was not PII “because the term includes only information that ‘readily permit[s] an ordinary person to identify a [particular individual as having watched certain videos]’”)
- Privacy Act
- Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) (holding that plaintiffs who brought suit under the Privacy Act and APA following breaches of their personal information at the Department of Veteran Affairs could not establish Article III standing)
- But see Welborn v. IRS, 218 F. Supp. 3d 64 (D.D.C. 2016) (finding that plaintiffs who alleged that they suffered fraud as a result of the improper disclosure of their tax information had standing to sue for monetary damages, but could not pursue a negligent disclosure claim under the Privacy Act)
- Ames v. DHS, 861 F.3d 238 (D.C. Cir. 2017) (holding that disclosure of an investigative report from the DHS OIG to the NGA OIG was a permissible ‘routine use’ under the Privacy Act)
- In re: OPM Data Security Breach Litigation, 266 F. Supp. 3d 1 (D.D.C. 2017) (finding that individuals affected by the OPM data breach could not establish Article III standing and had not stated a claim of actual economic harm under the Privacy Act)
- Freedom of Information Act
- Detroit Free Press Inc. v. DOJ, 829 F.3d 478 (6th Cir. 2016) (en banc) (holding that individuals have a privacy interest in their booking photos for the purposes of FOIA exemption 7(C))
- Drivers’ Privacy Protection Act
- McDonough v. Anoka Cnty, 799 F.3d 931 (8th Cir. 2015) (finding that the statute of limitations period for DPPA claims runs from the date that the alleged violation occurs and that plaintiffs must allege “high volumes and suspicious timing of access” in order to plausibly state a claim of impermissible access based on audit reports)
- See also Foudy v. Miami-Dade Cnty, Fla., 823 F.3d 590 (11th Cir. 2016) (same holding with respect to the statute of limitations)
- Arkansas State Police v. Wren, 491 S.W.3d 124 (Ark. 2016) (finding that vehicle accident reports are not motor vehicle records and the personal information in those reports are thus not protected under the DPPA)
- United States v. Hastie, 854 F.3d 1298 (11th Cir. 2017) (holding that e-mail addresses are included in the DPPA definition of “personal information”)
- Family Educational Rights and Privacy Act
- Appeal of Farmington School District, 138 A.3d 496 (N.H. 2016) (applying the FERPA guidelines as incorporated by school board policy)
- Kendrick v. Advertiser Company, 213 So.3d 573 (Ala. 2016) (holding that disclosure of information regarding loss or reduction of athletic financial aid for students participating in football program was prohibited by FERPA)
- Krakauer v. Montana, 381 P.3d 524 (Mont. 2016) (finding that student disciplinary records were protected under FERPA)
- Health Information Portability and Accountability Act
- Oregon Health & Sci. Univ. v. Oregonian Publishing Co., LLC, 403 P.3d 732 (Or. 2017) (holding that personal information related to alleged patient tort claims against state university constituted “protected health information” under HIPAA)
- Federal Trade Commission Act
- FTC v. AT&T Mobility LLC, 883 F.3d 848 (9th Cir. 2018) (en banc) (holding that the FTC exemption for common carriers does not bar the agency from regulating non-common-carriage activities by companies that also engage in common-carriage activities)
- LabMD, Inc. v. FTC, 894 F.3d 1221 (11th Cir. 2018) (finding in data security case that the prohibitions contained in the FTC’s cease and desist orders must be specific in order to be enforceable)
- Right to Financial Privacy Act
- Hohman v. Eadie, 894 F.3d 776 (6th Cir. 2018) (holding limited liability corporation taxpayers do not fall within the plain meaning of “customers” under the RFPA and thus could not assert a cause of action against the IRS)
- Fair Credit Reporting Act
- Robins v. Spokeo, Inc., 867 F.3d 1108 (9th Cir. 2017) (finding that an individual had Article III standing to challenge the dissemination of false information about him in violation of the FCRA)
- But see Owner-Operator Independent Drivers Association, Inc. v. DOT, 879 F.3d 339 (D.C. Cir. 2018) (holding that drivers did not have standing to challenge the maintenance of inaccurate information in a government database, but did have standing to challenge dissemination of that information to a potential employer in violation of FCRA); Dreher v. Experian Information Solutions, Inc., 856 F.3d 337 (4th Cir. 2017) (holding that consumers did not have standing to challenge the failure to disclose the true source of information on their credit reports); Groshek v. Time Warner Cable, Inc., 865 F.3d 884 (7th Cir. 2017) (holding that an individual does not have standing to challenge the sufficiency of FCRA-required disclosures by a prospective employer who intends to obtain a credit report); Long v. SEPTA, 903 F.3d 312 (3d Cir. 2018) (same); Syed v. M-I, LLC, 853 F.3d 492 (9th Cir. 2017) (same)
- In re Horizon Healthcare Serv. Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017) (finding that plaintiffs had de facto standing to sue for violation of FCRA in data breach case)
- Bassett v. ABM Parking Serv., Inc., 883 F.3d 776 (9th Cir. 2018) (finding that consumers do not have standing to challenge alleged violations of the FCRA’s credit card expiration date redaction requirement); Crupar-Weinmann v. Paris Baguette Am., Inc., 861 F.3d 76 (2d Cir. 2017); Meyers v. Nicolet Restaurant of De Pere, LLC, 843 F.3d 724 (7th Cir. 2016) (same)
- Telephone Consumer Protection Act
- Baisden v. Credit Adjustments, Inc., 813 F.3d 338 (6th Cir. 2016) (finding that prior express consent given to a healthcare provider can be valid consent under the TCPA to future calls from a company seeking to collect the debt incurred to that provider)
- Patriotic Veterans, Inc. v. Zoeller, 845 F.3d 303 (7th Cir. 2017) (holding that a state-law prohibition on automated telephone calls was a constitutionally valid time, place, and manner speech restriction)
- Van Patten v. Vertical Fitness Group, LLC, 847 F.3d 1037 (9th Cir. 2017) (finding that the TCPA permits consumers to revoke their prior express consent to be contacted)
- Bais Yaakov of Spring Valley v. FCC, 852 F.3d 1078 (D.C. Cir. 2017) (holding that the FCC regulation requiring businesses to include opt-out notices on solicited fax messages was unlawful under the TCPA)
- ACA Int’l v. FCC, 885 F.3d 687 (D.C. Cir. 2018) (granting in part and denying in part petitions challenging an FCC declaratory order under the TCPA; finding that the FCC interpretation of “called party” to include the actual recipient was permissible but rejecting the “one-call safe harbor”; rejecting the FCC’s definition of an automatic telephone dialing system because it could conceivably include conventional smartphones; and upholding the agency’s broad interpretation of consent revocation mechanisms)
Chapter 4: Federal Surveillance Law
- Smith v. Obama (9th Cir. 2016)
Chapter 5: International Privacy Law
- EU General Data Protection Regulation (GDPR) (EU 2018) (The European Union’s comprehensive data protection reform came into effect May 25, 2018.)
- Microsoft v. United States, 138 S.Ct. 1186 (2018) (finding moot the question of extraterritorial application of Stored Communications Act warrants, in light of the new Clarifying Lawful Overseas Use of Data Act (CLOUD Act))
- Big Brother Watch v. UK (ECHR, 2018) (finding that the UK bulk surveillance system violated the rights to privacy and free expression under the European Convention on Human Rights due to inadequate legal safeguards)
- Modernized Convention on Privacy – “Convention 108+” (COE, 2018) (Council of Europe updated international Privacy Convention to require prompt data breach notification, establish national supervisory authorities, permit transfers abroad only when personal data is sufficiently protected, and provide new user rights)
- Justice K.S. Puttaswamy (Retd.) v. Union of India (“Aadhaar Judgment”) (India, 2018) (striking down provisions of the Indian biometric identification system permitting private entities to demand Aadhaar for identification, requiring Aadhaar to register for education, and more)
- Convention on Cybercrime Reform (COE, 2017) (drafting of a new protocol to address cross border law enforcement access to data began)
- Opinion 1/15 (CJEU, 2017) (finding that the EU-Canada Passenger Name Record Agreement permitting retention and transfer of passengers’ personal data violates multiple protections under EU law, including the EU Charter right to privacy)