U.S. Supreme Court Once Again Limits Standing in Privacy-Related Suit
On June 25, the Supreme Court, in a narrow, 5-4 decision, substantially limited a class action against TransUnion, one of the three major credit-reporting agencies in the United States. The Court held that while a limited number of class members whose credit information was given to a third party have a legal right to sue under the theory that TransUnion failed to follow proper procedures, the vast majority of class members whose information was not disclosed do not. The ruling will significantly reduce a $40 million verdict against TransUnion. However, the opinion should be used by businesses in other types of privacy-related cases as it likely will further limit class-action lawsuits filed in federal court. The main thrust of the Court’s opinion centered around Article III standing, which requires a plaintiff to show concrete harm (rather than simply a violation of a statute) to be able to sue in federal court. The Court made clear that even when Congress has provided a cause of action through federal law, the mere fact that the law has been violated will not, without a demonstrable injury to the plaintiff, provide standing to sue in federal court.
The case, TransUnion v. Ramirez, 20-297, arose out of a dispute where the named plaintiff attempted to buy a car from a dealership. After running a credit check, the dealership found that the TransUnion credit report suggested that Ramirez was on a list of suspected terrorists and other serious criminals with whom U.S. companies are barred from doing business. The credit report proved false. Ramirez then sued in federal court on behalf of approximately 8,100 other consumers who had been identified as potential matches to individuals on the list over a seven-month period in 2011. Plaintiffs argued that TransUnion had not done enough to guarantee that “alerts labeling them as potential terrorists were not included in their credit files,” and violated the Fair Credit Reporting Act (“FCRA”) as a result.
A jury rendered a verdict in excess of $60 million in favor of the consumers, though the Ninth Circuit later reduced the verdict to $40 million. TransUnion appealed the verdict and argued that the case should not have been allowed to go forward as a class action because there was no guarantee that each class member had suffered the kind of concrete injury required by the Constitution to be able to sue.
The majority held that plaintiffs must show an injury “that the defendant caused and the court can remedy.” Physical financial injuries are the most common and obvious ones, but intangible injuries, such as an injury to a plaintiff’s reputation or the disclosure of private information, can also qualify. Justice Kavanaugh wrote that although Congress has passed statutes that give a plaintiff a “cause of action” when a federal law has been violated, the cause of action is not enough by itself to give a plaintiff the right to sue in federal court. “Only those plaintiffs who have been concretely harmed by a defendant’s statutory violation may sue that private defendant over that violation in federal court.”
The Court then turned to the actual claims pled. Taking the evidence that TransUnion had not done enough as true, the majority wrote that the 1,853 members of the class whose credit reports were actually sent to businesses had suffered the kind of concrete harm that would give them standing to sue. However, the other 6,332 class members had not suffered such a harm because TransUnion had not sent their credit information to anyone during the time period at issue in the lawsuit. The inaccurate information in the class members’ credit files is not, without more, the kind of concrete harm that will give them a right to sue in federal court. The Court also rejected the plaintiffs’ argument that the risk of future dissemination of the inaccurate information was enough to satisfy standing either. However, the Court reiterated its prior holdings that a plaintiff may obtain injunctive relief but not damages when there is an immediate risk of future harm. The Court also rejected separate claims by the plaintiff class that certain incorrectly formatted mailings sent to them violated could create standing because the incorrect format constituted “bare procedural violations, divorced from any concrete harm.” The Court remanded the case back to the Ninth Circuit for new proceedings in light of its ruling. The majority suggested that the Ninth Circuit may consider whether it is proper for the case to go forward as a class action “in light of our conclusion about standing.”
As previously reported here, courts are taking a closer look at Article III standing that will likely limit the types of privacy-related class actions that can proceed in federal court. From class actions arising out of ransomware and other data breaches to FCRA and TCPA claims, plaintiffs will need to think twice before filing such suits in federal court (as Illinois and other state courts do not have the same Article III standing requirements as federal court). In light of this recent trend limiting standing, Defendants will also need to be cautious removing such suits from state court (as the court may not have Article III standing to hear the case) even though in many jurisdictions defendants would prefer to litigate in federal court.