U.S. Supreme Court Clarifies Circuit Split – Privacy Suits Require Concrete Harm for Article III Standing

July 2021

Privacy In Focus®

On June 25, the U.S. Supreme Court decided TransUnion LLC v. Ramirez, holding that only plaintiffs concretely harmed by a defendant’s statutory violation have Article III standing to seek damages against the private defendant, even in data security and privacy cases. TransUnion sheds additional light on a persistent circuit split over standing based on a risk of future harm claim and builds on Spokeo’s “concrete” and “particularized” injury requirement. This decision will impact privacy litigation as well as ongoing debates over federal legislation.

TransUnion provided third parties with credit reports containing alerts from the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) for 1,853 of the class members. The Court found that this subset of class members suffered concrete reputational harm and thus have Article III standing under the Fair Credit Reporting Act (FCRA or Act). 

The remaining 6,332 class members’ credit files contained misleading OFAC alerts, but the parties stipulated that TransUnion, LLC (TransUnion) did not provide those plaintiffs’ credit information to any potential creditors. The Court rejected the plaintiffs’ claims, finding that these class members lack Article III standing because the existence of inaccurate information in the internal credit files alone does not constitute a concrete harm.

The case also involved two other claims, where all 8,185 class members alleged defects in TransUnion’s mailings. The Court determined that class members other than the named plaintiff, Sergio Ramirez, did not demonstrate that the alleged errors caused them concrete harm. Therefore, Ramirez is the only class member who has standing as to those two claims.

Background

As we previewed, in this case, a class of 8,185 individuals sued TransUnion, a credit reporting agency (CRA), in federal court under the Fair Credit Reporting Act (FCRA or Act).[1] The Act imposes several requirements on CRAs. First, the Act requires CRAs to “follow reasonable procedures to assure maximum possible accuracy” in consumer reports.[2] Second, CRAs must disclose all information in the consumer’s file to the consumer upon his or her request.[3] Third, CRAs must provide a “summary of rights” from the Consumer Financial Protection Bureau (CFPB) to the consumer with each written disclosure sent to the consumer.[4] The Act also provides a cause of action for consumers to sue and recover damages.[5]

As a CRA, TransUnion prepares consumer reports with personal and financial information about individual consumers and sells those reports to banks, landlords, car dealerships, and other entities that request information about an individual’s credit. In 2002, TransUnion added a product, OFAC Name Screen Alert, to compare a consumer’s name against an OFAC list of terrorists, drug traffickers, and other serious criminals. If the consumer’s first and last name matched the first and last name of a person on OFAC’s list, TransUnion would add an alert on the credit report stating that the consumer’s name was a “potential match” to a name on the OFAC list.

On February 27, 2011, Sergio Ramirez attempted to buy a car. When the dealership ran a credit check, Ramirez’s credit report from TransUnion contained the OFAC alert stating that the input name matched a name on the OFAC database. The salesman would not sell Ramirez the car. When Ramirez asked TransUnion for a copy of his credit file, TransUnion sent Ramirez his credit file and the statutorily required summary of rights from the CFPB but did not mention the OFAC alert. TransUnion sent Ramirez a letter the next day noting that his name was considered a potential match to names on the OFAC list and did not include a copy of the summary of rights.

Ramirez brought the case on behalf of himself and others similarly situated in federal court against TransUnion, alleging willful violations of the FCRA and seeking statutory damages and injunctive relief. He alleged that, under the FCRA, TransUnion (1) failed to follow reasonable procedures to ensure the accuracy of information in his credit file; (2) did not provide him with all of the information in his credit file upon request; and (3) did not include his summary of rights with each written disclosure.

The district court certified the 8,185-member class who had each received a letter from TransUnion indicating that their name was a “potential match” to one on the OFAC list. The parties stipulated that only 1,853 members of the class, including Ramirez, had their credit reports sent to potential creditors from January 1, 2011 to July 26, 2011. The district court found that all 8,185 class members had Article III standing. The jury awarded each class member almost $1,000 in statutory damages and over $6,000 in punitive damages, for a total verdict of over $60 million. 

The U.S. Court of Appeals for the Ninth Circuit affirmed in relevant part.[6] The court found that all members of the class had Article III standing to recover damages for all three claims. The court also determined that Ramirez’s claims were typical of a class’s claims for purposes of Rule 23 of the Federal Rules of Civil Procedure. But, the Ninth Circuit reduced the punitive damages award to about $4,000 per class member, reducing the total verdict to $40 million. 

The Supreme Court granted TransUnion’s petition for certiorari (141 S. Ct. 972 (2020). Justice Kavanaugh wrote the majority opinion for the 5-4 decision; Justice Thomas and Justice Kagan each wrote dissenting opinions.

Prior Law

Article III of the Constitution constrains federal judicial power to the resolution of “cases” and “controversies.” In Lujan v. Defenders of Wildlife, the Court held that establishing standing requires the plaintiff to show (1) a concrete, particularized, and actual or imminent injury; (2) that the injury was likely caused by the defendant; (3) and the injury would likely be redressed by judicial relief. Federal courts must resolve only real controversies impacting real people.

The TransUnion case focused on the Article III requirement that the plaintiff’s injury be “concrete.” A prior Supreme Court case, Spokeo v. Robins, held that courts should assess whether the alleged injury to the plaintiff has a “close relationship” to a harm “traditionally” recognized as providing a cause of action for a lawsuit in American courts. Spokeo lays out a balanced approach – the holding does not require an exact match to a lawsuit in American history, but also does not permit federal courts to relax Article III standing requirements based on “contemporary, evolving beliefs about what kinds of suits should be heard in federal courts.”

Intangible harms may be concrete – especially for injuries which have a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts. This includes reputational harms and disclosure of private information.

Courts must also give proper deference to Congress’ decisions to grant plaintiffs a cause of action through statutes. However, although Congress can “elevate” harms to legally recognizable injuries, Congress may not use its lawmaking power to transform something “not remotely harmful into something that is.” Courts must still evaluate whether a plaintiff has suffered concrete harm under Article III when Congress has created a statutory prohibition or obligation that leads to a cause of action. Otherwise, Congress could authorize any citizen to bring a statutory damages lawsuit against any defendant, violating separation of powers principles.

Previously, the Sixth, Seventh, Ninth, and D.C. Circuits have held that the increased risk of future harm may constitute injury-in-fact under Article III. The Second, Fourth, Eighth, and Eleventh Circuits have taken the opposite approach. 

Analysis and Holding

The Court reversed the judgment of the U.S. Court of Appeals for the Ninth Circuit and held that the 1,853 class members whose credit reports were provided to third-party businesses suffered a concrete harm and therefore have Article III standing for the reasonable procedures claim. None of the 8,185 class members – other than the named plaintiff Ramirez – suffered a concrete harm for the claims pertaining to the format of TransUnion’s mailings. The case is remanded to the Ninth Circuit to determine whether class certification is appropriate based on the Court’s holding.

a.) First Claim – The plaintiffs alleged that TransUnion failed to follow reasonable procedures to assure maximum possible accuracy of the plaintiffs’ credit files.

First, the Court found that the 1,853 class members whose inaccurate reports were disseminated to third-party businesses had standing because the injury bears a close relationship to reputational harm traditionally recognized by U.S. courts in defamation cases. Under such cases, an individual is injured when a defamatory statement subjects him or her to “hatred, contempt, or ridicule.”

TransUnion argued the OFAC alerts on the credit reports merely identified a consumer as a “potential match” but the Court determined that the harm of labeling a consumer a “potential terrorist” closely relates to the harm of labelling a consumer a “terrorist.” Therefore, the 1,853 class members suffered a concrete injury in fact under Article III.

For the remaining 6,332 class members, the parties stipulated that TransUnion did not provide their credit information to any potential creditors from January 1, 2011 to July 26, 2011. Absent dissemination of this information, the class members could not have suffered the harm traditionally recognized in defamation cases as publication is “essential to liability” in a defamation suit.

Because the 6,332 class members cannot demonstrate the misleading information in the internal credit files amounts to concrete harm recognized in defamation cases, the plaintiffs also argued they experienced a risk of future harm. The plaintiffs relied on language from Spokeo, but the majority opinion points out that Spokeo discusses the risk of future harm in the context of suits for injunctive relief. A plaintiff’s standing to seek injunctive relief does not necessarily mean that the plaintiff has standing to seek retrospective damages. 

The risk of future harm never materialized – the inaccurate OFAC alerts in the 6,332 plaintiffs’ credit files were never provided to third parties and did not cause a denial of credit. As a result, the Court determined that the risk of dissemination to third parties was too speculative to support Article III standing. No evidence in the record suggested that TransUnion was likely to intentionally or accidentally release the information to third parties. 

The plaintiffs also did not suffer some other injury, such as an emotional injury, from the risk that their credit reports would be provided to a third-party business. In fact, the plaintiffs did not present evidence that the 6,332 class members knew about the OFAC alerts in their internal TransUnion credit systems.

b.) Second and Third Claims – The plaintiffs alleged that TransUnion breached its obligation under the FCRA to provide them with complete credit files upon request and to provide a summary of rights in all mailings.

Next, the Court held that none of the plaintiffs, except for the named plaintiff Ramirez, suffered a concrete harm for the claims of missteps related to the format of TransUnion’s mailings.

The plaintiffs did not demonstrate that the format of TransUnion’s mailings caused them a harm with a close relationship to a harm traditionally recognized by U.S. courts as the basis for a lawsuit. Except for Ramirez, the plaintiffs also did not prove that a harm occurred at all – they did not show evidence that they opened the dual mailings or that they were “confused” or “distressed” based on the information.  

The Court also rejected plaintiffs’ argument that the formatting violations created a risk of future harm. The plaintiffs did not demonstrate that the formatting error prevented them from contacting TransUnion to correct any errors before misleading credit reports were disseminated to third-party businesses. The asserted “informational” injury did not cause adverse effects to satisfy Article III.

Dissenting Opinions Preview Future Disputes and Open Issues

Justice Thomas noted that despite previous cases against TransUnion involving incorrect OFAC alerts, TransUnion did not make changes to its process for matching – it did not start to compare birth dates, middle initials, or citizenship status to ensure more accurate matches. He disagreed with the majority’s sole focus on whether a “concrete” injury occurred and distinguishes between public and private rights. Justice Thomas found that a statute that creates a private right along with a cause of action is enough to create a case or controversy. Justice Thomas argued that each class member established a violation of his or her private rights because TransUnion violated three separate duties created by statute. He noted that the language of the statute itself also shows that CRAs owe duties to specific individuals, not to the larger public. He also criticized the majority identifying TransUnion’s OFAC disclosures as mere “formatting” errors, emphasizing that the jury found TransUnion willfully failed to accurately disclose the OFAC information and the necessary summary of rights under a federal statute. Furthermore, Justice Thomas reasoned that TransUnion charged its clients more to receive credit reports with the OFAC designation and the Court should have identified some financial injury for standing purposes.

Justice Kagan disagreed with Justice Thomas slightly on his view that violations of individual rights created by Congress give rise to standing. She focused on Congress’ role in deciding when an action causes a harm or risk of harm in the real world. Unless Congress could not have reasonably thought that a suit would contribute to preventing the harm at issue, she argues that courts should defer to congressional judgments on what constitutes harm or a risk of harm. Justice Kagan also disagreed with the majority’s view that it was “too speculative” that TransUnion would sell a credit report to a third party. Under the FCRA, Justice Kagan would have found standing and a risk of real harm because TransUnion’s business centers on selling credit reports to third parties.

Conclusion and Impact on Data Privacy Litigation

This decision comes amidst a major debate about enforcement mechanisms and private rights of action for privacy and security incidents. As we have written, some members of Congress advocate for creating private rights of action through legislation to allow plaintiffs to sue. Others argue that private rights of action have limited usefulness for consumers and can undermine consistency in application of the law. The debate is playing out at the state level – Virginia declined to adopt a private right of action in its comprehensive privacy legislation, while the Illinois Biometric Information Privacy Act authorized private rights of action with liquidated damages, even absent economic harm to an individual. Congress may need to address whether consumers should have a private right of action and if so, what “harm” standard they should have to meet.

Members of Congress in both chambers are also considering incident reporting legislation, which would mandate the reporting of cyber incidents to the U.S. Department of Homeland Security for certain government contractors, cybersecurity response companies, and critical infrastructure operators. The Administration recently released an Executive Order on Cybersecurity, and the White House advises all companies to take steps to secure their networks and information against threats posed by ransomware attacks. Lawsuits over technical violations or omissions, without demonstrable harm, could prove vexatious to private companies.

The Court’s decision will shape data security and privacy class action litigation by providing defendants with a powerful defense in cases where alleged privacy and security violations do not result in a disclosure of information. The TransUnion ruling suggests that merely alleging a violation of the FCRA or other data protection law is likely not enough for consumers to sue for monetary damages. Instead, plaintiffs must allege a concrete injury, such as actual disclosure of information. The decision also weakens plaintiffs’ “risk of future harm” claims by reminding litigants that they cannot invoke speculative risks. 

Clarification of these issues was much needed post-Spokeo, though the Court’s standing jurisprudence, and debates among the Justices over deference to congressional judgments about harm, confirm that litigation over privacy and security is here to stay.

---

[1] 15 U.S.C. 1681 et seq.

[2] 15 U.S.C. 1681e(b).

[3] 15 U.S.C. 1681g(a)(1).

[4] 15 U.S.C. 1681g(c)(2)(A).

[5] 15 U.S.C. 1681n, 1681o.

[6] Ramirez v. TransUnion LLC, 951 F.3d 1008, 1017 (9th Cir. 2020).