Stephanie Daniel, on behalf of herself and all others similarly situated, Plaintiff-Appellant,
National Park Service; Does, 1-10, Defendants-Appellees.
and Submitted December 5, 2017 Seattle, Washington
from the United States District Court for the District of
Montana Susan P. Watters, District Judge, Presiding DC. No.
Timothy M. Bechtold (argued), Bechtold Law Firm PLLC,
Missoula, Montana, for Plaintiff-Appellant.
B. Stern (argued) and Henry C. Whitaker, Appellate
Michael W. Cotter, United States Attorney; Chad A. Readier,
Acting Assistant Attorney General; Civil Division, United
States Department of Justice, Washington, D.C.; for
Before: Michael Daly Hawkins, M. Margaret McKeown, and Morgan
Christen, Circuit Judges.
Credit Reporting Act
panel affirmed the district court's dismissal of a suit
brought pursuant to the Fair Credit Reporting Act, 15 U.S.C.
§ l68lc(g), against the National Park Service alleging
that the Service violated the Act by failing to redact
plaintiff's debit card expiration date from her purchase
alleged that when she purchased an entrance pass to
Yellowstone National Park, the Park Service printed a receipt
bearing her full debit card expiration date. According to
plaintiff, the Park Service violated the Act's
prohibition that "no person that accepts credit
cards or debit cards for the transaction of business shall
print more than the last 5 digits of the card number or
the expiration date upon any receipt provided to the
cardholder at the point of the sale or transaction." 15
U.S.C. § l68lc(g) (emphases added). Plaintiff alleged
that after the Yellowstone transaction, her debit card was
used fraudulently and she suffered damages from her stolen
identity. She also alleged that the fraudulent use of her
debit card was caused in part by the inclusion of the
card's expiration date on her Yellowstone receipt.
panel held as an initial matter, that plaintiff lacked
standing because her complaint made only conclusory
allegations that her stolen identity was traceable to the
Park Service's alleged violation of the Act. The panel
further held that giving plaintiff leave to amend the
complaint would be futile because the Act does not waive the
federal government's sovereign immunity from plaintiffs
McKEOWN, Circuit Judge:
appeal is one of many in which plaintiffs seek redress for
violation of a federal law that requires redaction of certain
credit and debit card information on printed receipts.
Stephanie Daniel alleges that identity thieves made
fraudulent charges on her debit card at some unspecified time
after she visited Yellowstone National Park. Daniel sued the
National Park Service for issuing a receipt showing her debit
card's expiration date, a violation of the Fair Credit
Reporting Act ("FCRA"). 15 U.S.C. § 1681 c(g).
affirm the district court's dismissal of Daniel's
suit. As an initial matter, Daniel lacks standing because her
complaint makes only conclusory allegations that her stolen
identity was traceable to the Park Service's alleged FCRA
violation. Nonetheless, giving Daniel leave to amend the
complaint would be futile because the FCRA does not waive the
federal government's sovereign immunity from Daniel's
Daniel purchased an entrance pass to Yellowstone National
Park, the National Park Service (the "Park
Service") printed a receipt bearing her full debit card
expiration date. According to Daniel, the Park Service
violated the FCRA's prohibition that "no
person that accepts credit cards or debit cards for
the transaction of business shall print more than the last 5
digits of the card number or the expiration date
upon any receipt provided to the cardholder at the point of
the sale or transaction." 15 U.S.C. § l68lc(g)
(emphases added). The receipt otherwise complied with the
FCRA's card-number redaction requirements-it did not
print more than the last five digits of the debit card
sued the Park Service, on behalf of herself and a putative
class, under one of the FCRA's enforcement provisions:
"Any person who willfully fails to comply with [the
FCRA] with respect to any consumer is liable to that
consumer" for statutory damages of between $100 and $1,
000 per violation or "any actual damages sustained by
the consumer, " costs and attorneys' fees, and
potential punitive damages. Id. § 168In. Daniel
claimed that after the Yellowstone transaction, her debit
card was used fraudulently and she suffered damages from her
stolen identity. She also alleged that the fraudulent use of
her debit card was caused in part by the inclusion of the
card's expiration date on her Yellowstone receipt.
district court granted the Park Service's motion to
dismiss on the grounds that the FCRA does not waive the U.S.
government's sovereign immunity. The court concluded that
"including the United States as a 'person' every
time the term is used in the FCRA would lead to inconsistent
usage and potentially absurd results." Accordingly,
Congress did not "speak unequivocally" as is
required to waive sovereign immunity.
Article III standing and sovereign immunity are threshold
jurisdictional issues that we review de novo. See Raines
v. Byrd, 521 U.S. 811, 818 (1997); FDIC v.
Meyer, 510 U.S. 471, 475 (1994). In this instance, we
analyze both issues because dismissal of the case on standing
grounds leaves open whether Daniel could amend her complaint
to satisfy standing requirements. That route is foreclosed,
however, because a suit dismissed on sovereign immunity
grounds cannot be salvaged. See United States v.
Mitchell, 463 U.S. 206, 212 (1983) ("It is
axiomatic that the United States may not be sued without its
consent and that the existence of consent is a prerequisite
for jurisdiction."). Daniel's complaint fails on
the constitutional threshold of Article in standing, Daniel
must allege that she "(1) suffered an injury in fact,
(2) that is fairly traceable to the challenged conduct of
[the Park Service], and (3) that is likely to be redressed by
a favorable judicial decision." Spokeo, Inc. v.
Robins, 136 S.Ct. 1540, 1547 (2016). Although Daniel
alleged a sufficient injury of identity theft, she failed to
allege that her injury was "fairly traceable" to
the Park Service's issuance of the receipt. Without this
link, Daniel's suit must be dismissed.
Daniel Alleged a Concrete Injury of Identity Theft
recently considered whether "receiving an overly
revealing credit card receipt-unseen by others and unused by
identity thieves-[is] a sufficient injury to confer Article
in standing." See Bassett v. ABM Parking Servs.,
Inc., 883 F.3d 776, 777 (9th Cir. 2018). Bassett's
theory of injury-an "exposure" to identity theft
"caused by [the issuer's] printing of his credit
card expiration date on a receipt that he alone
viewed"-did not "have 'a close relationship to
a harm that has traditionally been regarded as providing a
basis for a lawsuit in English or American courts.'"
Id. (quoting Spokeo, 136 S.Ct. at 1549).
Nor did Congress "elevat[e] to the status of legally
cognizable injuries concrete, de facto injuries that
were previously inadequate in law." Id. at
781-82 (quoting Lujan v. Defenders of Wildlife, 504
U.S. 555, 578 (1992)). It was no stretch to conclude that a
receipt showing the credit card expiration date, by itself,
was not a concrete injury. Id. at 780.
contrast to Bassett, Daniel alleged a concrete,
particularized injury by claiming that after the Yellowstone
transaction, her debit card was used fraudulently and she
suffered damages from her stolen identity. Identity theft and
fraudulent charges are concrete harms particularized to
Daniel and establish a sufficient injury at the pleading
stage. See generally Spokeo, 136 S.Ct. at 1548-50;
In re Zappos.com, Inc., 888 F.3d 1020, 1028 (9th
Cir. 2018) (holding that specific allegations of hackers
accessing a plaintiffs personal information that "could
be used to help commit identity fraud or identity theft"
are a sufficient injury).
DANIEL'S IDENTITY THEFT IS NOT FAIRLY TRACEABLE TO THE
PARK SERVICE'S RECEIPT
trickier question is whether the fraudulent charges on
Daniel's debit card and her stolen identity are
"fairly traceable" to the Park Service's
printing of a receipt showing the expiration date of that
debit card. At the pleading stage, Daniel does not need to
prove proximate causation. See Lexmark Int'l, Inc. v.
Static Control Components, Inc., 134 S.Ct. 1377, 1391
n.6 (2014). But she still bears the burden of
"demonstrating that her injury-in-fact is . . . fairly
traceable to the challenged action"-here, the Park
Service's issuance of the receipt. Davidson v.
Kimberly-Clark Corp., - F.3d -, 2018 WL 2169784, at *7
(9th Cir. May 9, 2018) (citing Monsanto Co. v. Geertson
Seed Farms, 561 U.S. 139, 149 (2010)). Daniel's
threadbare allegations fall short of demonstrating that link.
complaint contains only two generic statements that attempt
to draw a connection between the receipt and her later
identity theft. She alleged: "After this debit card
transaction, Plaintiff Daniel's personal debit card was
used fraudulently and she suffered damages from the stolen
identity." She went on to claim: "Based on
information and belief, the fraudulent use of Plaintiff
Daniel's debit card was caused in part by the inclusion