In Privacy Litigation Over Magazine Subscription, Residency Is a Nonissue
A recent court decision signifies that compliance with state privacy laws cannot always be achieved by looking to the residency of data subjects.
On January 16, 2020, a federal judge held that Michigan's Personal Privacy Protection Act applies to nonresidents who are located outside the state. The decision, Lin v. Crain Communications, No. 19-11889 (E.D. Mich. January 16, 2020), has important implications for the extraterritorial application of state privacy laws and more generally signifies that compliance with these laws cannot always be achieved by simply looking to the residency of data subjects.
Gary Lin, a resident of Virginia, sued Crain Communications under the Michigan Personal Privacy Protection Act, M.C.L. § 445.1712 ("PPPA") for allegedly disclosing information about Lin's magazine subscriptions to various data mining companies. Crain moved to dismiss the lawsuit, arguing that Lin, as a resident of Virginia, lacked standing under the PPPA. The court disagreed, noting that, because the PPPA's definition of a "customer" was not limited solely to Michigan residents, "the PPPA does not impose a residency requirement for customers to have protections under the statute." The court further pointed to the fact that Lin's allegations related to conduct that had supposedly occurred within Michigan, and therefore Lin could properly invoke the PPPA's protections.
The decision in Lin is the most recent example of a court finding that a state's data privacy law protects nonstate residents. Previously, in Monroy v. Shutterfly, No. 16 C 10984 (N.D. Ill. September 15, 2017), a federal court similarly found that a resident of Florida could bring an action under the Illinois Biometric Information Protection Act against an out-of-state defendant based on conduct that had occurred in Illinois.
The Lin decision further evidences a willingness of courts to broadly interpret state privacy protections in some contexts, which adds further complexity to the challenge of complying with state privacy laws. Jones Day will continue to closely monitor the impact of this development on future litigation as courts continue to address these types of issues.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.