A federal court in Michigan recently ruled that out-of-state residents have standing to sue under the Michigan Personal Privacy Protection Act (PPPA). In Lin v. Crain Communications, Inc., Case No. 2:19-cv-11889 (E.D. Mich., June 25, 2019), Gary Lin, a Virginia resident, filed a putative class-action lawsuit against Crain Communications, Inc. (Crain), a Michigan-based publishing business. Lin alleged that Crain violated the PPPA by selling his and other subscribers’ personal reading information to third parties without obtaining consent. The U.S. District Court for the Eastern District of Michigan denied Crain’s motion to dismiss, holding that because the PPPA does not impose a residency requirement, the fact that Mr. Lin was not from Michigan did not bar standing. The court explained that the PPPA “provides a cause of action for customers whose information is disclosed in violation” of the statute, and a “customer” is broadly defined as “a person who purchases, rents, or borrows a book or other written material.”[1] Thus, the court concluded that the PPPA “does not impose a residency requirement for customers to have protections under the statute.” The court noted that Michigan’s legislature could have included language limiting PPPA claims to Michigan residents, but notably chose not to. The court’s opinion can be found here.

The question of jurisdictional limits is often asked in the context of state-mandated privacy laws. While the court’s decision opens the door to a possible increase in PPPA litigation filed by non-Michigan plaintiffs, the broad standing rule the court embraced should not apply to similar privacy statutes in other states, such as the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act of 2020 (CPRA), and the recently signed Virginia Consumer Data Protection Act (VCDPA). The privacy rights created by these statutes extend only to residents of California and Virginia, respectively. Also, unlike the PPPA, none of these statutes provide a private right of action for privacy-related violations. Instead, enforcement authority for such violations belongs to each state’s attorney general.[2] For more information regarding these laws, see Troutman Pepper’s article series on CCPA enforcement available here, an article series on VCDPA enforcement available here, and an article regarding the CPRA available here.

Lawmakers in other states are working on their own privacy legislation, which includes those from Colorado, Massachusetts, Maryland, and Texas; other attempts have failed, such as Congress with the now-stalled federal privacy bill and Washington state with its privacy law failing for the third time. States with pending legislation include CCPA/VCDPA-like consumer rights, such as the right to know personal information collected, the right to opt out of the sale of personal information, and the right to request the deletion of personal information. Some states aim to broaden enforcement powers, such as in Illinois. The Illinois H.B. 3910 would grant the state attorney general enforcement powers, while H.B. 2404 would provide individuals with a private right of action. Massachusetts’ S.B. 1726 would establish a state information privacy commission to handle enforcement. Minnesota’s H.F. 1492 would empower the attorney general the power to take enforcement action against violators. Businesses should stay informed on whether these legislatures follow the Lin case and attempt to create a law with a more national reach by not limiting privacy rights to its borders.

 


[1] Interestingly, the defendant in this case was based out of Michigan. If a non-Michigan entity is doing business in Michigan, does the conduct of the defendant still need to be connected to the state when there is a non-resident of Michigan asserting a claim? The court did not address this question, but it will be interesting to see whether the issue comes up in the future and likely constitutional challenges.

[2] It’s important to note that while the CCPA, CPRA, or VCDPA do not provide for a private right of action regarding data usage rights, the Virginia statute differs in that California allows consumers to recover damages if a business’ violation of the duty to implement and maintain reasonable security procedures results in a data breach; there is no private right of action under the VCDPA, not even for data breaches. To learn more, check out Troutman Pepper’s VCDPA series by clicking here. For those interested in learning more about the CCPA’s private right of action relating to data breaches, check out Troutman Pepper’s Bloomberg Law article by clicking here.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David N. Anthony David N. Anthony

David Anthony handles litigation against consumer financial services businesses and other highly regulated companies across the United States. He is a strategic thinker who balances his extensive litigation experience with practical business advice to solve companies’ hardest problems.

Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Photo of Edgar Vargas Edgar Vargas

Edgar is a Certified Information Privacy Professional (CIPP/US). He assists clients on compliance and litigation issues, including issues regarding privacy and cybersecurity laws. He is fluent in Spanish, allowing him to effectively communicate with and serve Spanish speaking clients.

Photo of Joshua Davey Joshua Davey

Josh has nearly two decades of experience representing companies in high-stakes class action litigation, government investigations, and business disputes. A partner in Troutman Pepper’s Privacy + Cyber team and a Certified Information Privacy Professional, he has extensive experience in data breach litigation, having…

Josh has nearly two decades of experience representing companies in high-stakes class action litigation, government investigations, and business disputes. A partner in Troutman Pepper’s Privacy + Cyber team and a Certified Information Privacy Professional, he has extensive experience in data breach litigation, having served as one of the court-appointed lead defense counsel for a cloud software company in one of the largest data breach multidistrict litigation proceedings in the U.S. Josh regularly litigates claims under numerous privacy laws, including the FCRA, the DPPA, and the California Consumer Privacy Act.