Two cases, one from the U.S. Supreme Court and one from the Illinois Supreme Court, have set the venue for the enforcement and interpretation of an Illinois privacy law squarely in the Illinois state courts, to the exclusion of the federal courts. This situation is likely to spread as other states move to pass their own privacy and cybersecurity laws. As such, state courts are likely to be on the forefront of enforcing state privacy and cybersecurity laws, especially those that provide procedural protections to guard against harms that are difficult to quantify.

The story starts with the Supreme Court’s decision in Spokeo v. Robins, 136 S.Ct. 1540 (2016), a case involving allegations of violations of the Fair Credit Reporting Act. In Spokeo, the Supreme Court reiterated that to have standing to bring a claim in federal court under Article III of the U.S. Constitution, the plaintiff, among other things, must have suffered an injury in fact. That is, he or she must have suffered an invasion of a legally protected interest that is concrete and particularized and actual and imminent, not conjectural or hypothetical. The court stated that to be concrete, an injury must be real and not abstract, although it does not necessarily have to be tangible. While the court noted that Congress can elevate intangible harms to meet the injury in fact requirement, plaintiffs do not “automatically satisfy the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” Thus, plaintiffs cannot meet the Article III standing requirement by alleging “a bare procedural violation, divorced from any concrete harm.”