The U.S. Supreme Court Raises the Bar on Standing in Privacy and Data Breach Class Actions
On Friday, a sharply divided U.S. Supreme Court issued a ruling that significantly impacts the plaintiffs’ ability to pursue privacy and data breach class actions in federal courts. In TransUnion LLC v. Ramirez, Case No. 20-297, the Court opined that most of the plaintiffs failed to show a “concrete” injury and thus had no standing to pursue their claims because they did not suffer real, personal harm. Reaching beyond the specific facts of the case, this opinion bolstered the companies’ legal defense in federal privacy class actions. Despite curtailing the plaintiffs’ ability to pursue their claims in a federal court, however, this ruling does not entirely preclude such lawsuits. Rather, the plaintiffs must now carefully evaluate their likelihood of success in a federal forum before filing their case, or risk facing heavy motion practice and ultimate dismissal on standing grounds.
The facts of the Ramirez case are as interesting as the ruling itself. In Ramirez, the plaintiffs sued TransUnion after it mislabeled them as possible terrorists in credit reports, which prevented the lead plaintiff from buying a car. The plaintiffs with a terrorist watchlist designation sued and—following a lengthy legal battle and a rare jury verdict—ultimately won a $40 million award, which the company then appealed all the way to the Supreme Court. In its June 25, 2021 opinion, the Court decided that the vast majority of the plaintiffs suffered no cognizable injury when it ruled that only some plaintiffs had standing. Specifically, only the plaintiffs whose credit reports were actually disseminated to third parties could sue, while the rest did not suffer a “concrete” harm and thus had no standing.
This case was closely watched by the plaintiffs’ lawyers and the privacy defense bar because privacy harms are notoriously difficult to establish, and there was little guidance from the Court to date on the meaning of a “concrete harm.” As we previously reported, the Supreme Court had issued a key ruling on this topic in Spokeo v. Robins in May 2016, holding that the plaintiffs must allege a concrete injury in order to have standing to sue for a statutory violation. In simple terms, this meant that mere procedural violations would not suffice to assert statutory privacy claims, and that tangible losses had to be alleged. After Spokeo, however, the courts have grappled with the precise meaning of the “concrete” injury.
Spokeo required the courts to analyze whether the claimed injuries were sufficient to support the alleged violations of various federal and state consumer privacy statutes such as the Federal Credit Reporting Act, Telephone Consumer Protection Act, and Biometric Information Privacy Act, to name a few. It also impacted standing in data breach class actions. Yet, Spokeo did not give sufficient guidance on this issue. Ultimately, this led to inconsistent rulings across the nation and to significant forum shopping by consumer attorneys. Last Friday, the Ramirez majority finally shed light on the intended meaning of Spokeo—this time making it abundantly clear that the harm is concrete only if the plaintiffs can adequately plead that they have been personally harmed by the alleged conduct.
Ramirez resulted in a partial victory for some plaintiffs. The opinion made it clear that the “Court has no trouble concluding that the 1,853 class members suffered a concrete harm that qualifies as an injury in fact.” In a sharp contrast, however, despite the fact that the “credit files of the remaining 6,332 class members also contained misleading OFAC alerts,” the “mere existence of inaccurate information, absent dissemination, traditionally has not provided the basis for a lawsuit in American courts,” and those “plaintiffs cannot demonstrate that the misleading information in the internal credit files itself constitutes a concrete harm.”
It remains unclear how the lower courts will apply Ramirez in the context of data breach class actions. In those actions, the plaintiffs typically allege that their personal information was exposed as a result of a breach or a ransomware attack. They do not always assert, however, that the data was actually misused. Thus, companies facing data breach class actions in a federal court may now have a stronger argument for dismissal under Ramirez. Ultimately, however, even if this argument is successful, it simply leads to the re-filing of the case in a state court. For this very reason, the dissenting opinion in Ramirez dubbed the ruling “a pyrrhic victory,” explaining that it “does not prohibit Congress from creating statutory rights for consumers; it simply holds that federal courts lack jurisdiction to hear some of these cases,” potentially leaving state courts “as the sole forum for such cases, with defendants unable to seek removal to federal court.”
There are often significant advantages for both sides to litigating data breach class actions and other privacy actions in a federal court. They include, for example, greater efficiency, expediency, predictability, preservation of resources, and potentially even reduced litigation costs. Thus, companies facing such lawsuits may want to think twice before invoking Ramirez as a defense. Depending on the specifics of their case and the jurisdiction that governs it, defendants in a federal privacy class action should work closely with their defense lawyers to analyze and pursue the optimal strategy.