In the U.S., class actions are a popular enforcement mechanism to compensate consumers, including for alleged violations of state and federal privacy laws and data breaches. While there is no federal comprehensive data privacy law in the U.S., there are a number of state and federal privacy-related laws, like Illinois’ Biometric Information Privacy Act, the California Consumer Privacy Act and the federal Fair Credit Reporting Act, that are frequently the basis for class action claims. While these laws offer protection for consumers, the nature of the alleged injuries — often intangible, future harms — has resulted in significant litigation as defendants challenge whether plaintiffs suffered an “injury” and have standing to bring their claims.

The recent U.S. Supreme Court decision in TransUnion LLC v. Ramirez, which addressed the issue of standing in the context of class certification in an FCRA case, is expected to further shape the caselaw regarding recovery for privacy harms.

Standing requirements in U.S. federal courts

In data breach or other privacy-related cases, the specific facts and nature of the alleged harm continue to challenge courts. The claimed damages may be intangible, difficult to quantify or involve a future risk of harm. For example, in the Hanna Andersson data breach case filed last year, the plaintiffs’ alleged injuries included the lost or diminished value of their personal information and the continued and increased risk to their personal information. Professors Danielle Keats Citron and Daniel Solove’s February 2021 paper "Privacy Harms" explores this issue in detail, declaring “Harm has become one of the biggest challenges in privacy law. Law’s treatment of privacy harms is a jumbled, incoherent mess.”

Defendants commonly challenge privacy-related claims by raising the issue of harm and disputing whether plaintiffs have adequate “standing” — a prerequisite to bringing suit that generally requires a plaintiff to have suffered a direct harm. Standing in federal courts, where many class actions are litigated because the Class Action Fairness Act of 2005 expanded federal court jurisdiction over such lawsuits, requires a plaintiff to show they “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” To establish an injury in fact, there must be “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.”

In a 2016 FCRA case, Spokeo, Inc. v. Robins, the U.S. Supreme Court made it clear “standing requires a concrete injury even in the context of a statutory violation” and “alleging a bare procedural violation” does not meet the standing requirements. The U.S. Supreme Court decision in TransUnion LLC v. Ramirez further confirmed that in federal court, “(n)o concrete harm, no standing.”

Courts are routinely asked to determine whether the alleged injuries in data breach or other privacy lawsuits are sufficiently “concrete” or “imminent” to satisfy the standing requirement. Often, the results differ, making it a tricky landscape for consumers and businesses to navigate.

Is the risk of future harm enough?

A recurring question in privacy class actions is whether the risk of future harm from improper disclosure of personal information is sufficient to establish standing. In February, the 11th Circuit addressed this issue in Tsao v. Captiva MVP Restaurant Partners, LLC, a data breach case. It concluded the plaintiff lacked standing because he had not met his burden of proving a “substantial risk” of future identity theft or that identity theft was “certainly impending.” The plaintiff’s “conclusory allegations” regarding an increased risk of identity theft and misuse of personal data were not sufficient, and by cancelling his credit cards immediately, he “effectively eliminat(ed) the risk of credit card fraud in the future.” The court made it clear “(e)vidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing.”

In April, the 2nd Circuit in McMorris v. Carlos Lopez & Associates, LLC recognized a plaintiff could establish standing based on an “increased risk” of identity theft or fraud theory following an unauthorized data disclosure, but declined to find the plaintiffs had standing based on the specific facts. The court identified three factors “courts should consider” in evaluating standing: (1) whether the plaintiffs’ data was “exposed as the result of a targeted attempt to obtain that data;” (2) whether any portion of the data has been misused, even if the plaintiffs’ data has not; and (3) whether the type of data exposed is sensitive “such that there is a high risk of identity theft or fraud.” Of note, the lower court, not the defendant, raised the issue of standing when considering a motion to approve the parties’ class settlement. It denied the motion and dismissed the case based on a lack of standing, resulting in the appeal to the 2nd Circuit.

Standing arguments applied to state laws

Privacy claims based on state statutes litigated in federal courts likewise face standing challenges. For example, while a statutory violation of BIPA is sufficient in Illinois state court, federal courts considering BIPA claims evaluate whether the allegations regarding harm are sufficient to meet standing requirements, as discussed by attorneys Hannah Makinde and Kristin Bryan, CIPP/US, of Squire Patton Boggs in their article "BIPA and Article III Standing: Where Are We Now?"

Federal courts are also applying the standing rules to CCPA claims. The U.S. District Court for the Central District of California dismissed a data breach class action against Marriott in January for lack of standing that included CCPA and California Unfair Competition Law claims. While names and addresses were part of the data breach, “no sensitive information, such as social security numbers, credit card information, or passwords, was compromised.” Relying on the 9th Circuit’s analysis from In re Zappos.com, Inc., the court in Rahman v. Marriott noted “(t)he sensitivity of the personal information, combined with its theft are prerequisites to finding that plaintiffs’ adequately alleged an injury in fact.” The court concluded the plaintiff could not meet the standing requirements because the breach did not involve the requisite sensitive information.

It is worth considering whether the definition of “personal information” in the CCPA’s private right of action provision, Section 1798.150, may satisfy the 9th Circuit’s “sensitive information” requirement. The CCPA’s private right of action is limited to nonencrypted and nonredacted personal information “subject to an unauthorized access and exfiltration, theft, or disclosure,” and uses the more limited definition of “personal information” from California’s Customer Records Act, Section 1798.81.5(d)(1)(A). This definition includes an individual’s name in combination with data elements like social security number, driver’s license number, account numbers, medical or health insurance information, and unique biometric data. While the decision in Rahman v. Marriott did not address the CCPA claim specifically, in its pleadings Marriott challenged whether the information at issue satisfied the definition of “personal information” in the CCPA’s private right of action provision. It will be interesting to see how courts evaluate CCPA standing challenges where this definition is met.

The impact of TransUnion LLC v. Ramirez

In June, the U.S. Supreme Court issued its opinion in TransUnion LLC v. Ramirez. This decision addressed the issue of standing and the requirement of concrete harm in an FCRA case involving inaccurate information in credit files. Agreeing with TransUnion, the Supreme Court concluded “class members whose credit reports were not provided to third-party businesses did not suffer a concrete harm and thus do not have standing. ...” In its decision, the court considered and rejected the “risk of future harm” argument made by the plaintiffs. The court determined that because the plaintiffs did not demonstrate the risk of future harm materialized or that they suffered an injury from being exposed to the risk itself, they had no standing. It did distinguish plaintiffs’ ability to assert this argument when seeking damages from a plaintiff making a claim for injunctive relief and seeking to prevent harm from occurring.

It is unclear how the TransUnion decision will impact standing challenges in privacy-related cases going forward, particularly with respect to the “risk of future harm” argument. While the court rejected this theory, the facts of this FCRA case are different from a data breach case. In TransUnion LLC v. Ramirez, the credit files at issue were never disclosed to third parties. Where there is a data breach, personal information is disclosed. In addition, as discussed in McMorris, where data “has been compromised as the result of a targeted attack intended to obtain the plaintiffs’ data,” the risk of future identity theft or fraud may not be considered speculative.

In rejecting the plaintiffs’ argument that libel and slander per se are examples of cases where a risk of harm is enough to establish damages, the court focused on the fact that “for those torts, publication is generally presumed to cause a harm, albeit not a readily quantifiable harm.” Is the disclosure of personal information in a data breach case sufficient to meet this threshold, such that the analysis of federal courts in cases like Tsao, McMorris and Rahman still has applicability?

The TransUnion decision also noted the plaintiffs’ failure to “factually establish a sufficient risk of future harm to support Article III standing.” The discussion seems to suggest that if plaintiffs demonstrated “a sufficient likelihood” the misleading credit information would be disclosed and/or the plaintiffs were aware of the risk of such a disclosure, the result may have been different.

Conclusion

It will be interesting to watch how courts interpret TransUnion’s “no concrete harm, no standing” rule in privacy cases going forward. Defendants can be expected to use the decision to bolster their challenges to damages claims based on a “risk of future harm” theory and plaintiffs likely will focus on the specific facts to establish they have in fact suffered “concrete harm.” Even where a plaintiff may have a statutory remedy, the standing analysis in federal court could be a significant barrier to recovery.

As data breaches continue to expose large volumes of personal information and entities fail to comply with their privacy obligations to consumers, what “harm” this causes and whether it is or should be compensable will be an ongoing discussion.