Supreme Court Issues Data Privacy Standing Decision in TransUnion v. Ramirez

In TransUnion LLC v. Ramirez, the Supreme Court held that a statute providing a private cause of action and a statutory penalty for violation does not confer Article III standing unless the plaintiff can demonstrate concrete, imminent harm besides the statutory damages. TransUnion thus clarifies and expands upon the Court’s 2016 privacy standing jurisprudence articulated in Spokeo v. Robins.

The road to privacy law ran through the Office of Foreign Assets Control (“OFAC”). OFAC maintains a list of “specially designated nationals” who threaten national security — such as terrorists, drug traffickers, or other serious criminals. Based on this list, the credit-scoring company TransUnion offered a product called Name Screen, whereby it would compare consumers’ first and last names (and nothing more) with names on OFAC’s list. If a consumer applying for credit shared a first and last name with a suspected terrorist, drug trafficker, or other serious criminal, TransUnion would identify the person as a “potential match.”

“Unsurprisingly,” the Court wrote, “TransUnion’s Name Screen product generated many false positives.” In particular, the plaintiff, Sergio Ramirez, discovered some of the flaws in TransUnion’s protocols when he tried to buy a car, and the car dealer informed him that he was on a “terrorist list.” He ended up having to purchase the car in his wife’s name, and he also cancelled a trip to Mexico out of an abundance of caution.

Litigation ensued. Ramirez’s attorney brought a class action lawsuit pursuant to the Fair Credit Reporting Act on behalf of a class consisting of 1,853 people about whom TransUnion had disseminated misleading credit reports based on its Name Screen product. The class also included 6,332 individuals to whom TransUnion had sent a mailing about the error during a seven-month period that did not comport with the Fair Credit Reporting Act requirements. TransUnion moved to dismiss for lack of standing but lost before the district court and the Ninth Circuit Court of Appeals.

In a 5-4 decision, the Supreme Court held that the 1,853 class members for whom TransUnion provided misleading credit reports to third-party businesses had demonstrated Article III standing. The Court ruled that the injury of having misleading credit reports sent to a third party bore a “close relationship” to the reputational harm associated with the tort of defamation that American courts typically recognized. The Court thus had “no trouble concluding” that the dissemination of a misleading credit report inflicted a harm similar to defamation, and therefore the 1,853 plaintiffs had shown Article III standing.

However, the Court held that the 6,332 class members for whom TransUnion had not disseminated misleading credit reports, but who had received notifications that did not comply with the FCRA, had not demonstrated a concrete injury, because the misleading information had not been published anywhere. Without publication, the Court held, there was no reputational harm, and thus, no standing. The Court further ruled that the risk of future harm from the credit report could not support standing without a separate concrete harm. (Notably, the plaintiffs had sought only damages, a form of retroactive relief, rather than the forward-looking relief of an injunction, which may have supported standing.) The 6,332 plaintiffs also alleged that they had received the flawed FCRA notification, but the Court held that they had not shown how this statutory violation harmed them enough to establish standing.

TransUnion should resolve a circuit split as to the injury necessary to support standing in data privacy litigation. Previously, the District of Columbia, Sixth, Seventh, and Ninth Circuits held that a defendant’s failure to properly secure the plaintiffs’ data subjected the plaintiffs to a risk of identity theft sufficient to support standing. By contrast, the Second, Third, Fourth, and Eighth Circuits required a data privacy plaintiff to allege additional facts that would “push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent.” The Supreme Court seems to have firmly taken the latter, more restrictive view of standing. Indeed, a recent Second Circuit ruling emphasizing concrete injury other than the breach itself seems to point to a post-TransUnion path forward for data breach litigation.

TransUnion also leaves open a question of particular interest to data breach litigants: whether the type of data compromised, i.e., Social Security numbers, can pose a sufficiently imminent threat of injury to satisfy Article III. Recently, a New York federal court answered this question affirmatively, but it remains to be seen whether a risk, without actual injury, permits standing in a case seeking only money damages.

Future data privacy plaintiffs will probably try to squeeze through a TransUnion loophole by seeking injunctive relief, for which the risk of injury by definition is not concrete. By seeking both monetary damages and injunctive relief, data privacy plaintiffs might plead themselves into federal court. Even so, some defendants may be able to defeat injunctive relief, and by extension federal jurisdiction, by voluntarily ceasing the problematic action, as TransUnion did.
