A federal court in Michigan recently ruled that out-of-state residents have standing to sue under the Michigan Personal Privacy Protection Act (PPPA). In Lin v. Crain Communications, Inc., Case No. 2:19-cv-11889 (E.D. Mich., June 25, 2019), Gary Lin, a Virginia resident, filed a putative class-action lawsuit against Crain Communications, Inc. (Crain), a Michigan-based publishing business. Lin alleged that Crain violated the PPPA by selling his and other subscribers’ personal reading information to third parties without obtaining consent. The U.S. District Court for the Eastern District of Michigan denied Crain’s motion to dismiss, holding that because the PPPA does not impose a residency requirement, the fact that Mr. Lin was not from Michigan did not bar standing. The court explained that the PPPA “provides a cause of action for customers whose information is disclosed in violation” of the statute, and a “customer” is broadly defined as “a person who purchases, rents, or borrows a book or other written material.”[1] Thus, the court concluded that the PPPA “does not impose a residency requirement for customers to have protections under the statute.” The court noted that Michigan’s legislature could have included language limiting PPPA claims to Michigan residents, but notably chose not to. The court’s opinion can be found here.
The question of jurisdictional limits is often asked in the context of state-mandated privacy laws. While the court’s decision opens the door to a possible increase in PPPA litigation filed by non-Michigan plaintiffs, the broad standing rule the court embraced should not apply to similar privacy statutes in other states, such as the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act of 2020 (CPRA), and the recently signed Virginia Consumer Data Protection Act (VCDPA). The privacy rights created by these statutes extend only to residents of California and Virginia, respectively. Also, unlike the PPPA, none of these statutes provide a private right of action for privacy-related violations. Instead, enforcement authority for such violations belongs to each state’s attorney general.[2] For more information regarding these laws, see Troutman Pepper’s article series on CCPA enforcement available here, an article series on VCDPA enforcement available here, and an article regarding the CPRA available here.
Lawmakers in other states are working on their own privacy legislation, which includes those from Colorado, Massachusetts, Maryland, and Texas; other attempts have failed, such as Congress with the now-stalled federal privacy bill and Washington state with its privacy law failing for the third time. States with pending legislation include CCPA/VCDPA-like consumer rights, such as the right to know personal information collected, the right to opt out of the sale of personal information, and the right to request the deletion of personal information. Some states aim to broaden enforcement powers, such as in Illinois. The Illinois H.B. 3910 would grant the state attorney general enforcement powers, while H.B. 2404 would provide individuals with a private right of action. Massachusetts’ S.B. 1726 would establish a state information privacy commission to handle enforcement. Minnesota’s H.F. 1492 would empower the attorney general the power to take enforcement action against violators. Businesses should stay informed on whether these legislatures follow the Lin case and attempt to create a law with a more national reach by not limiting privacy rights to its borders.
[1] Interestingly, the defendant in this case was based out of Michigan. If a non-Michigan entity is doing business in Michigan, does the conduct of the defendant still need to be connected to the state when there is a non-resident of Michigan asserting a claim? The court did not address this question, but it will be interesting to see whether the issue comes up in the future and likely constitutional challenges.
[2] It’s important to note that while the CCPA, CPRA, or VCDPA do not provide for a private right of action regarding data usage rights, the Virginia statute differs in that California allows consumers to recover damages if a business’ violation of the duty to implement and maintain reasonable security procedures results in a data breach; there is no private right of action under the VCDPA, not even for data breaches. To learn more, check out Troutman Pepper’s VCDPA series by clicking here. For those interested in learning more about the CCPA’s private right of action relating to data breaches, check out Troutman Pepper’s Bloomberg Law article by clicking here.