The United States District Court for the Eastern District of Michigan has allowed a putative class action under Michigan law to proceed against several magazine publishers that allegedly sold lists of their customers’ names, addresses, and subscription choices to third parties. Earlier this week, in a case styled Halaburda v. Bauer Publishing Co., Judge Steeh of the Eastern District denied a motion to dismiss by defendants Bauer, Hearst Communications and Time, Inc., which had argued that the plaintiffs’ lacked standing to sue in federal court and that the complaint did not state a claim upon which relief could be granted.
The plaintiffs sued under the Michigan Video Rental Privacy Act (“VRPA”), a statute that, despite its name, generally prohibits companies “engaged in the business of selling at retail, renting or lending books or other written materials, sound records, or video recordings” from disclosing “a record or other information concerning the purchase, lease, rental, or borrowing of those materials by a customer that indicates the identity of the customer.” The plaintiffs alleged that the publisher defendants “sell[] at retail . . . written materials” and that the defendants have disclosed information about subscription choices in violation of the statute’s disclosure prohibition.
In their motion to dismiss, the defendants argued that the plaintiffs had not sufficiently alleged standing to bring their suit because the complaint did not plead a cognizable “injury” to plaintiffs. The court rejected this argument, holding that because the VRPA allows a plaintiff to recover statutory damages, no allegation of actual injury is necessary for standing under the U.S. Constitution or under the statute itself. In reaching this conclusion, the court distinguished Sterk v. Best Buy Stores (N.D. Ill Oct. 17, 2012), which held that plaintiffs suing under the federal Video Privacy Protection Act (“VPPA”) had failed to establish an injury sufficient for standing. The court noted that while the VPPA contains language requiring an actual injury (plaintiffs must be “aggrieved” to recover), the VPRA does not.
The court also rejected defendants’ arguments that the plaintiffs had failed to allege the elements of a claim under the VRPA. Most notably, the court held that the defendants’ argument that online materials (presumably privacy policies) sufficiently informed subscribers about the defendants’ use of the information they collect (such that plaintiffs impliedly consented to disclosure of that information) was “premature” and more appropriate for a summary judgment motion.
The case is noteworthy not only because it involves a little-known (yet facially broad) statute, but also because it implicates the world of “offline” data collection and sharing that is increasingly of interest to legislators, regulators, and the plaintiffs’ bar. From Congress’s and the FTC’s scrutiny of so-called “data brokers” to the wave of litigation over the collection of ZIP codes and other personal information at the point of sale in brick-and-mortar stores, the focus on offline data practices is growing. The court’s decision in Halaburda surely will encourage an even tighter focus on these practices.