News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Standing issues in U.S. privacy class actions Related reading: TikTok settlement highlights power of privacy class actions to shape US protections

rss_feed

""

In the U.S., class actions are a popular enforcement mechanism to compensate consumers, including for alleged violations of state and federal privacy laws and data breaches. While there is no federal comprehensive data privacy law in the U.S., there are a number of state and federal privacy-related laws, like Illinois’ Biometric Information Privacy Act, the California Consumer Privacy Act and the federal Fair Credit Reporting Act, that are frequently the basis for class action claims. While these laws offer protection for consumers, the nature of the alleged injuries — often intangible, future harms — has resulted in significant litigation as defendants challenge whether plaintiffs suffered an “injury” and have standing to bring their claims.

The recent U.S. Supreme Court decision in TransUnion LLC v. Ramirez, which addressed the issue of standing in the context of class certification in a FCRA case, is expected to further shape the caselaw regarding recovery for privacy harms.

Standing requirements in U.S. federal courts

In data breach or other privacy-related cases, the specific facts and nature of the alleged harm continue to challenge courts. The claimed damages may be intangible, difficult to quantify or involve a future risk of harm. For example, in the Hanna Andersson data breach case filed last year, the plaintiffs’ alleged injuries included the lost or diminished value of their personal information and the continued and increased risk to their personal information. Professors Danielle Keats Citron and Daniel Solove’s February 2021 paper "Privacy Harms" explores this issue in detail, declaring “Harm has become one of the biggest challenges in privacy law. Law’s treatment of privacy harms is a jumbled, incoherent mess.”

Defendants commonly challenge privacy-related claims by raising the issue of harm and disputing whether plaintiffs have adequate “standing” — a prerequisite to bringing suit that generally requires a plaintiff to have suffered a direct harm. Standing in federal courts, where many class actions are litigated as the Class Action Fairness Act of 2005 expanded federal court jurisdiction over such lawsuits, requires a plaintiff to show they “(1) suffered an injury in fact, (2) to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” To establish an injury in fact, there must be “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.”

In a 2016 FCRA case, Spokeo, Inc. v. Robins, the U.S. Supreme Court made it clear “standing requires a concrete injury even in the context of a statutory violation” and “alleging a bare procedural violation” does not meet the standing requirements. The U.S. Supreme Court decision in TransUnion LLC v. Ramirez further confirmed that in federal court, “(n)o concrete harm, no standing.”

Courts are routinely asked to determine whether the alleged injuries in data breach or other privacy lawsuits are sufficiently “concrete” or “imminent” to satisfy the standing requirement. Often, the results differ, making it a tricky landscape for consumers and businesses to navigate.

Is the risk of future harm enough?

A recurring question in privacy class actions is whether the risk of future harm from improper disclosure of personal information is sufficient to establish standing. In February, the 11th Circuit addressed this issue in Tsao v. Captiva MVP Restaurant Partners, LLC, a data breach case. It concluded the plaintiff lacked standing because he had not met his burden of proving a “substantial risk” of future identity theft or that identify theft was “certainly impending.” The plaintiff’s “conclusory allegations” regarding an increased risk of identity theft and misuse of personal data were not sufficient and by cancelling his credit cards immediately, he “effectively eliminat(ed) the risk of credit card fraud in the future.” The court made it clear “(e)vidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing.”

In April, the 2nd Circuit in McMorris v. Carlos Lopez & Associates, LLC recognized a plaintiff could establish standing based on an “increased risk” of identity theft or fraud theory following an unauthorized data disclosure, but declined to find the plaintiffs had standing based on the specific facts. The court identified three factors “courts should consider” in evaluating standing: (1) whether the plaintiffs’ data was “exposed as the result of a targeted attempt to obtain that data;” (2) whether any portion of the data has been misused, even if the plaintiffs’ data has not; and (3) whether the type of data exposed is sensitive “such that there is a high risk of identity theft or fraud.” Of note, the lower court, not the defendant, raised the issue of standing when considering a motion to approve the parties’ class settlement. It denied the motion and dismissed the case based on a lack of standing, resulting in the appeal to the 2nd Circuit.

Standing arguments applied to state laws

Privacy claims based on state statutes litigated in federal courts likewise face standing challenges. For example, while a statutory violation of BIPA is sufficient in Illinois state court, federal courts considering BIPA claims evaluate whether the allegations regarding harm are sufficient to meet standing requirements, as discussed by attorneys Hannah Makinde and Kristin Bryan, CIPP/US, of Squire Patton Boggs in their article "BIPA and Article III Standing: Where Are We Now?"

Federal courts are also applying the standing rules to CCPA claims. The U.S. District Court for the Central District of California dismissed a data breach class action against Marriott in January for lack of standing that included CCPA and California Unfair Competition Law claims. While names and addresses were part of the data breach, “no sensitive information, such as social security numbers, credit card information, or passwords, was compromised.” Relying on the 9th Circuit’s analysis from In re Zappos.com, Inc., the court in Rahman v. Marriott noted “(t)he sensitivity of the personal information, combined with its theft are prerequisites to finding that plaintiffs’ adequately alleged an injury in fact.”  The court concluded the plaintiff could not meet the standing requirements because the breach did not involve the requisite sensitive information.

It is worth considering whether the definition of “personal information” in the CCPA’s private right of action provision, Section 1798.150, may satisfy the 9th Circuit’s “sensitive information” requirement. The CCPA’s private right of action is limited to nonencrypted and nonredacted personal information “subject to an unauthorized access and exfiltration, theft, or disclosure,” and uses the more limited definition of “personal information” from California’s Customer Records Act, Section 1798.81.5(d)(1)(A). This definition includes an individual’s name in combination with data elements like social security number, driver’s license number, account numbers, medical or health insurance information, and unique biometric data. While the decision in Rahman v. Marriott did not address the CCPA claim specifically, in its pleadings Marriott challenged whether the information at issue satisfied the definition of “personal information” in the CCPA’s private right of action provision. It will be interesting to see how courts evaluate CCPA standing challenges where this definition is met.

The impact of TransUnion LLC v. Ramirez

In June, the U.S. Supreme Court issued its opinion on TransUnion LLC v. Ramirez. This decision addressed the issue of standing and the requirement of concrete harm in a FCRA case involving inaccurate information in credit files. Agreeing with TransUnion, the Supreme Court concluded “class members whose credit reports were not provided to third-party businesses did not suffer a concrete harm and thus do not have standing. ...” In its decision, the court considered and rejected the “risk of future harm” argument made by the plaintiffs. The court determined that because the plaintiffs did not demonstrate the risk of future harm materialized or that they suffered an injury from being exposed to the risk itself, they had no standing. It did distinguish plaintiffs’ ability to assert this argument when seeking damages versus a plaintiff making a claim for injunctive relief and seeking to prevent harm from occurring.

It is unclear how the TransUnion decision will impact standing challenges in privacy-related cases going forward, particularly with respect to the “risk of future harm” argument. While the court rejected this theory, the facts of this FCRA case are different from a data breach case. In TransUnion LLC v. Ramirez, the credit files at issue were never disclosed to third parties. Where there is a data breach, personal information is disclosed. In addition, as discussed in McMorris, where data “has been compromised as the result of a targeted attack intended to obtain the plaintiffs’ data,” the risk of future identity theft or fraud may not be considered speculative.

In rejecting the plaintiffs’ argument that libel and slander per se are examples of cases where a risk of harm is enough to establish damages, the court focused on the fact that “for those torts, publication is generally presumed to cause a harm, albeit not a readily quantifiable harm.” Is the disclosure of personal information in a data breach case sufficient to meet this threshold, such that the analysis of federal courts in cases like Tsao, McMorris and Rahman still have applicability?

The TransUnion decision also noted the plaintiffs’ failure to “factually establish a sufficient risk of future harm to support Article III standing.” The discussion seems to suggest that if plaintiffs demonstrated “a sufficient likelihood” the misleading credit information would be disclosed and/or the plaintiffs were aware of the risk of such a disclosure, the result may have been different. 

Conclusion

It will be interesting to watch how courts interpret TransUnion’s “no concrete harm, no standing” rule in privacy cases going forward. Defendants can be expected to use the decision to bolster their challenges to damages claims based on a “risk of future harm” theory and plaintiffs likely will focus on the specific facts to establish they have in fact suffered “concrete harm.” Even where a plaintiff may have a statutory remedy, the standing analysis in federal court could be a significant barrier to recovery.

As data breaches continue to expose large volumes of personal information and entities fail to comply with their privacy obligations to consumers, what “harm” this causes and whether it is or should be compensable will be an ongoing discussion.

Photo by Bill Oxford on Unsplash


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Author
Headshot Cathy Cosgrove Nonmember Contributor
Tags
U.S.
Privacy Law
Westin Research Center
1 Comment

If you want to comment on this post, you need to login.

  • comment Michael Sneberger • Aug 26, 2021 
    Except in rare cases where identity theft has actually occurred and is averred I think TransUnion means diverse defendants can knock out a claim under 1798.150 with a motion to dismiss in federal court. The problem for plaintiffs is that all actions that include 1798.150 claims without concrete damages also include common law claims that support federal diversity which means that the actions will still be removable thereby blocking a separate California state court action to pursue any statutory-based claims averring only the statutory damages intended by 1798.150. Non-diverse defendants will be stuck litigating in California state court, but diverse defendants now have a huge hammer to disrupt the pursuit claims under 1798.150.
Related Stories
Related Stories
Tags
U.S.
Privacy Law
Westin Research Center
Recent Comments