Supreme Court Clarifies Standing Requirements – Implications for Class Action Defendants in Data Security, Privacy, and False Advertising Cases
On June 25, the Supreme Court held in a 5-4 decision that Article III prohibits certification of a class and a damages award where the majority of class members lack actual injury. In TransUnion v. Ramirez, the Ninth Circuit Court of Appeals had previously concluded that a class of over 8,000 individuals who could prove violations of the Fair Credit Reporting Act—and had actually proved them at trial—had standing to pursue damages at trial, even if they had not demonstrated that they had suffered concrete harm. The Ninth Circuit reasoned that violations placed the class members at sufficient risk of harm to confer standing. The Supreme Court reversed, and in so doing, reinforced its earlier holdings that Article III compels each plaintiff to show concrete harm.
As readers of our Data Security Law and Misbranded blogs know, we have closely followed the proceedings in TransUnion—which we previously covered here and here—because the Supreme Court’s recent pronouncements on Article III standing have been enormously consequential in shaping the landscape of consumer products, data security, and privacy class action litigation. Now that the dust has settled and lower courts have had almost two months to implement the Supreme Court’s latest standing decision, we offer a few insights into the decision and its reverberations.
First things first, what was TransUnion about?
In TransUnion, a class of consumers claimed that the consumer credit reporting agency had miscategorized them as potential “hits” on the OFAC (short for “Office of Foreign Assets Control”) list, a list that identifies possible national security threats. The Supreme Court held that only consumers whose information had actually been sent to third parties suffered a concrete harm and had standing to sue for damages. The Court then held that the remaining plaintiffs—more than 6,000 consumers—who had been falsely tagged as national security threats, but whose information was not shared with any third parties, were out of luck. Even though they had proved a violation of federal law, they could not show that they had been actually injured. Because they failed to satisfy the “injury-in-fact” requirement, the Court held that they did not have standing to file suit.
What is the key takeaway from TransUnion?
The majority opinion succinctly boiled it down to: “No concrete harm, no standing.” In particular, the Court reaffirmed the rule that a statutory violation, standing alone, is not enough to give a plaintiff standing to sue. The Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins held that plaintiffs who established a “risk of future harm” could potentially establish standing. TransUnion now makes clear that a “risk of harm,” even a material one, is not enough to sustain a claim for monetary damages (though it may still be enough where plaintiffs seek an injunction, if the risk of injury is imminent).
What types of cases and claims does TransUnion affect?
TransUnion is about the jurisdiction of federal courts, so all federal lawsuits must clear the TransUnion threshold in one way or another. While that may be easy in a typical case where one party is indisputably aggrieved, we expect TransUnion to have its biggest impact in class action cases, particularly where plaintiffs and putative classes seek statutory damages. TransUnion reiterates the Spokeo rule that so-called bare procedural violations of statutory rights do not suffice to establish standing. Instead, plaintiffs must allege—and eventually prove—that they suffered a concrete and specific injury.
Although TransUnion was not a data breach case, its guidance on how “concrete” an injury must be to confer standing is directly relevant to data breach class action standing. In practice, TransUnion suggests that a mere data breach is not enough, even if the breach violates a statute or results in personal information being leaked or stolen. The plaintiff has to show actual injury—in the data breach context, perhaps evidence of actual identity theft or monetary losses.
What does “concrete harm” mean in different contexts?
The majority opinion explained that a harm is sufficiently concrete when it bears a “close relationship” to a traditionally recognized basis for lawsuits in American courts. Given the TransUnion facts, which involved a credit report with incorrect and highly damaging information, the majority analogized the potential claim to defamation. Under defamation law, an unpublished statement—even if incorrect—is not defamatory without publication. Under this theory, the majority of class members lacked standing because their credit reports were never disseminated to third parties, i.e., no publication.
Applying this standard to the data privacy context, one might think about dignitary torts such as portrayal in a false light or unreasonable publicity given to one’s private life, perhaps even just garden-variety negligence. We expect this issue to be heavily litigated, since it is unlikely that old common law torts will map perfectly onto data privacy lawsuits.
TransUnion reinforces the notion that plaintiffs cannot simply sue to enforce compliance with labeling regulations, data privacy statutes, or indeed, any other statutes or regulations, unless they can identify a harm specific to them. Plaintiffs that want to make sure that the “truth” is out there or that labels are “accurate” will typically not have standing. The TransUnion decision is very clear that it is not “within the purview of private plaintiffs (and their attorneys) . . . [who] are not accountable to the people” to enforce “general compliance with regulatory law.”
As for what “common law” analogues one might apply to consumer protection claims, the most obvious choices are fraud or negligent misrepresentation, but critically, for these types of claims the plaintiff must plead and show deception, reliance, and causation—elements that are typically already required in most consumer protection statutes.
How will TransUnion affect class action defense strategy?
Class action defendants often argue that plaintiffs lack Article III standing because they have not adequately pled injury. False advertising plaintiffs often allege that they paid a “price premium” for a product due to a claimed product attribute that the consumer later discovers is untrue. Defendants frequently learn in the course of discovery that the story is quite different. For example, a consumer may not have suffered any injury or even truly cared about the attribute that, according to their pleadings, was important in their purchasing decision. In these instances, defendants have a strong defense that the plaintiff lacks standing, which TransUnion further strengthens.
In the data security context, plaintiffs suing companies in the wake of a data breach frequently establish standing by arguing that the breach subjected them to a heightened risk of fraud and identity theft. Plaintiffs have also used this theory to claim standing based on technical violations of data privacy statutes, such as the Illinois Biometric Privacy Act and the California Consumer Privacy Act. That argument hinged on Spokeo’s suggestion that a material risk of harm can be sufficiently concrete to confer Article III standing, an argument that TransUnion calls into question. We expect defendants in data breach class actions will make use of TransUnion to close the door on data breach plaintiffs who cannot establish that they were actually injured as a result of the breach, even if they would otherwise be entitled to statutory damages.
Another thing to keep in mind is that Article III standing is an ever-present requirement, and it must exist for the duration of the case. Because subject matter jurisdiction cannot be waived, we expect that defendants will raise lack of Article III standing and invoke TransUnion early and often: at the motion to dismiss, summary judgment, and class certification stages.
What happens to material risk of harm?
Following Spokeo, circuit courts have split as to whether data breach class action plaintiffs faced with a material risk of harm have standing. The Sixth, Seventh, and Ninth Circuits in particular found that data breaches can create a material risk of future harm that confers standing. In light of TransUnion’s apparent limitation of the risk-of-harm analysis, we would not be surprised to see those circuits reconsider their holdings and reject the argument that mere risk of harm, such as fraud or identity theft, without more, is sufficient to confer standing.
Is there anything else you find notable in the opinion?
TransUnion left a few questions unanswered, such as whether standing is required of all class members at the class certification stage, an issue on which lower courts have occasionally disagreed. This isn’t the first time we have seen the Court sidestep that question. But the decision does hold that all class members who collect damages must have Article III standing in the form of concrete harm.
Also, while TransUnion underscores the need for plaintiffs to demonstrate concrete harm to bring suit in federal court, it is unclear exactly what this will mean at the motion to dismiss stage. TransUnion—which was decided after a jury trial—requires that “the specific facts set forth by the plaintiff to support standing ‘. . . be supported adequately by the evidence adduced at trial.’” At least one federal court has observed that such an inquiry may be appropriate only after a proceeding on the merits or discovery, and not at the pleading stage.
It remains to be seen how other courts apply TransUnion at the motion to dismiss and class certification stages, but there can be no doubt that the decision adds a significant new weapon to the arsenal of class action defendants.