Legal Update
Nov 21, 2019
Ninth Circuit Rules That Users, Not Consumers, Must Prove an Authorized Purpose for Obtaining a Consumer Report
Synopsis: Last month, the Ninth Circuit issued an opinion, affirming broad Article III standing and holding that, for permissible-purpose claims, a consumer-plaintiff need allege only that his/her credit report was obtained for a purpose not authorized by the statute to survive a motion to dismiss, regardless of whether the report is published or otherwise used by the third party.
Case Background
In June 2016, Plaintiff Freshta Nayab discovered that a banking institution (“the Bank”) had made several inquiries on her Experian credit report. She sued the Bank alleging that the unauthorized inquiries violated the Fair Credit Reporting Act (“FCRA”) because she never conducted any business with nor incurred any financial obligations to the Bank.
The Bank moved to dismiss the complaint for failure to state a claim. Instead of opposing the motion, Nayab filed an amended complaint where she cited various permissible purposes for obtaining a credit report under the FCRA, and alleged that the Bank did not have any of those permissible purposes to make inquiries on her credit report.
The district court dismissed the case, finding that Nayab did not have standing to pursue her FCRA claim because, even if the Bank’s credit inquiries were impermissible under the FCRA, “absent disclosure to a third party or an identifiable harm from the statutory violation, there is no privacy violation.” Nayab, slip op. at 5. The district court also dismissed Nayab’s complaint for failure to state a claim, finding that “bare allegations that the defendant did not have a permissible purpose for obtaining a credit report, without more, are insufficient.” Id. at 5.
Nayab appealed.
The Ninth Circuit’s Opinion
In an opinion by Judge Rice, the Ninth Circuit considered two issues: (1) whether a consumer suffers a concrete Article III injury in fact when a third-party obtains her credit report for a purpose not authorized by the FCRA, and (2) whether the consumer-plaintiff must plead the third-party’s actual unauthorized purpose in obtaining the report to survive a motion to dismiss. Id. at 4.
The Ninth Circuit rejected the district court’s holding that Nayab lacked standing because she did not suffer concrete harm where the unauthorized inquiries were not disclosed or used by the Bank. Relying on Robins v. Spokeo, Inc. (Spokeo III), the Ninth Circuit reiterated that some statutory violations alone confer Article III standing. 867 F.3d 1108, 1113 (9th Cir. 2017), cert. denied, 138 S. Ct. 931 (2018). In Spokeo III, the Ninth Circuit held that a statutory violation can by itself manifest concrete injury where “the procedural right [was created] to protect a plaintiff’s concrete interests and where the procedural violation presents ‘a risk of real harm’ to that concrete interest.” Spokeo III, 867 F.3d at 1113.
Based on this reasoning, the Ninth Circuit held that Nayab had standing to pursue her FCRA claims because “obtaining a credit report for a purpose not authorized under the FCRA violates a substantive provision of the FCRA,” and thus “Plaintiff need not allege any further harm to have standing.” Nayab, slip op. at 11. The court disagreed with the district court’s finding that a user must disclose or otherwise use the credit report for the consumer to suffer an injury. Id. at 15.
Next, the Ninth Circuit found that the district court erred in holding that Nayab, as the plaintiff, had the burden of pleading the actual purpose behind the Bank’s procurement of her credit report. Id. at 16. The court instead found that the authorized purposes listed under the FCRA were exceptions that the defendant must plead as affirmative defenses. Id. at 20. The Ninth Circuit also determined that placing the burden on Nayab would be unfair because that would require her to plead a negative fact peculiarly within the knowledge of the defendant. Id.
Against this backdrop, the Ninth Circuit found that Nayab pleaded facts sufficient to give rise to a reasonable inference that the Bank obtained her credit report for an unauthorized purpose. Id. The Bank argued that Nayab’s allegations failed because there were numerous possible reasons that the Bank may have accessed her credit report that would be fully lawful under the FCRA. But the Ninth Circuit rejected this argument, noting that Nayab’s factual assertions negating each permissible purpose for which the Bank could have obtained her credit report, together with Nayab’s allegation that the Bank, in fact, obtained her report, stated a plausible claim for relief. Id.
A split Ninth Circuit reversed the district court’s dismissal of Nayab’s FCRA claim and remanded the case to the district court.
Judge Rawlinson partially dissented. Although agreeing that Nayab had standing to pursue her action under the FCRA, Judge Rawlinson took issue with the pleading standard set forth by the majority. Id. at 29. She strongly disagreed that Nayab had laid out a sufficiently plausible case. Id. at 35. Further, Judge Rawlinson found that the majority’s conclusion that Nayab had no obligation to plead the unauthorized purpose for which the credit report was obtained was inconsistent with Twombly and Iqbal.
Implications for Businesses
Businesses obtaining consumer reports, including credit reports or criminal background checks, should review their compliance practices to ensure that the business has procedures in place to ensure that reports are obtained only for permissible purposes only. Businesses may also want to consider having a process for documenting the permissible purpose for each report and for conducting periodic audits to ensure compliance with company policy. Having sound policies and procedures will ensure regular compliance and will limit liability for willful violations, which expose businesses to punitive damages.
Consumer reporting agencies (“CRAs”) furnishing consumer reports, particularly credit reports, should also review their procedures for confirming permissible purpose. All businesses obtaining reports (“users”) should be credentialed and should provide a permissible purpose before receiving any reports. Having procedures in place for periodic review of users will also reduce a CRA’s potential liability risk.