Spirit Airlines defeats wiretapping and invasion of privacy class action for failure to plead concrete harm sufficient to satisfy Article III standing.

The Western District of Pennsylvania recently granted Spirit Airlines, Inc. (“Spirit Airlines”)’s Rule 12(b)(1) motion to dismiss a class action brought by a putative class of plaintiffs who visited Spirit Airlines’ website for lack of Article III standing. Smidga, et al., v. Spirit Airlines, Inc., No. 2:22-cv-01578, 2024 WL 1485853 (W.D. Penn. Apr. 5, 2024). The plaintiffs have now appealed that order to the Third Circuit. Smidga, et al., v. Spirit Airlines, Inc., No. 2:22-cv-01578 (W.D. Penn. filed Apr. 23, 2024).

The plaintiffs alleged that Spirit Airlines deployed sessions replay software on its website to track, record, and store the website activity of its visitors, including their mouse movements, clicks, keystrokes, URL website visits, and other electronic communications. 2024 WL 1485853, at *1.  They brought claims against Spirit Airlines under the Maryland Wiretapping and Electronic Surveillance Act (“MESA”), Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”), California Invasion of Privacy Act (“CIPA”), and other corresponding invasion of privacy and state common law claims. Id.

Spirit Airlines filed a Rule 12(b)(1) facial and factual attack on the plaintiffs’ Article III standing, arguing that (1) they failed to allege any concrete harm from Spirit Airlines’ use of the software; and (2) no concrete harm actually occurred because the website did not collect personal identifying information from website visitors and any data collected was anonymized, per a sworn declaration from a Spirit Airlines executive. Id. at *2-3.

To establish standing, the plaintiffs were required to allege they “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016).  Even if a plaintiff alleges statutory violations, Article III standing still requires sufficient allegations of a “concrete” harm. TransUnion LLC v. Ramirez, 594 U.S. 413, 426 (2021).

The district court summarized cases finding that the collection of basic contact information, such as email addresses, phone numbers, and social media usernames, is not a sufficiently concrete harm. Smidga, 2024 WL 1485853, at *4. As a result, the district court found that two of the three plaintiffs, who had alleged only the collection of their basic contact information, suffered no concrete injury sufficient to support Article III standing. Id. at *5.

By comparison, the third plaintiff did allege that she input her credit card data into Spirit Airlines’ website. Id. at *5. While the district court found that these allegations survived a facial attack on jurisdictional standing, the court nonetheless held that the third plaintiff could not survive a factual attack on Article III standing because she did not dispute Spirit Airlines’ sworn assertions that it did not collect or record personalized data from website visitors. Id.

The district court therefore found that all three named plaintiffs failed to allege a concrete injury sufficient to support Article III standing, granted Spirit Airlines’ Rule 12(b)(1) motion, denied its corresponding Rule 12(b)(6) motion as moot, and granted the plaintiffs limited leave to amend their complaint. Id. at *6-7.  After the plaintiffs declined to file an amended complaint, the district court dismissed the action for lack of subject matter jurisdiction.  Smidga, et al., v. Spirit Airlines, Inc., No. 2:22-cv-01578 (W.D. Penn. Apr. 22, 2024). The following day, the plaintiffs noticed their appeal to the Third Circuit.

Takeaways: We will continue to monitor the appeal in Smidga and other class actions where a party mounts an attack to Article III standing.  The decision in Smidga demonstrates that a wiretapping and invasion of privacy class must take seriously the requirement that they allege a sufficiently concrete harm to avoid a facial or factual attack to Article III standing.

Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their