Co-authored by summer associate Gabriel Carolan.

In its June 25, 2021 decision in TransUnion v. Ramirez, the Supreme Court of the United States limited the scope of a class-action lawsuit against TransUnion for its alleged violations of the Fair Credit Reporting Act, holding that a substantial portion of the class did not have Article III standing.

The plaintiffs argued that TransUnion failed to comply with its statutory obligations to:

  • follow reasonable procedures to ensure the accuracy of credit files so that the files would not include Office of Foreign Assets Control alerts labeling the plaintiffs as potential terrorists; and
  • provide a consumer, upon request, with their complete credit file, including a summary of rights.

In relation to the first category of claims, the Court found that 1,853 class members whose erroneous credit reports were provided to third-party businesses had suffered a concrete harm and thus have standing, but that the remaining 6,332 plaintiffs whose incorrect reports were not disseminated to third-party businesses did not suffer a concrete harm.

As for the second category of claims, the Court held that none of the 8,185 plaintiffs except for Mr. Ramirez had standing as he was the only plaintiff who had suffered a concrete harm from TransUnion’s insufficient disclosures.

Standing after TransUnion

The starting point of the Article III standing analysis is that a plaintiff must show that:

  • they suffered an injury in fact that is concrete, particularized, and actual or imminent;
  • the injury was likely caused by the defendant; and
  • the injury would likely be redressed by judicial relief.

With respect to the concrete-harm requirement, the standing inquiry looks to whether the alleged injury to the plaintiff is closely related to a harm traditionally recognized as a basis for a lawsuit in American courts.

In its Spokeo decision from 2016, the Court emphasized that Article III standing is not satisfied without a showing of a concrete injury in fact, even when a person has been granted a statutory right and even if the statute authorizes that person to sue to vindicate that right. TransUnion affirms this position and provides additional detail as to what harms qualify as concrete.

Regarding the first group of claims, the Court concluded that only those plaintiffs whose information was disseminated to third-party businesses had suffered a concrete injury in fact. The Court found that the mere presence of an inaccuracy in an internal credit file, if it is not disclosed to a third party, does not cause a concrete harm.

In addition, it is insufficient for standing purposes that the plaintiffs had suffered an injury in law by virtue of TransUnion’s failure to abide by the Fair Credit Reporting Act because the Article III concreteness requirement demands a showing of an injury in fact.

In addressing the second set of claims, the Court rejected standing for the claims stemming from insufficient disclosures that were mailed to consumers. It found that receiving the misleading report was not a concrete harm because there was no evidence that any of the plaintiffs apart from Mr. Ramirez had even opened the dual mailings, much less that they suffered any confusion or distress, or that they relied on the inaccurate information in any way.

Importantly, the Court refuted plaintiffs’ arguments that the requirement of concreteness was satisfied due to the risk of real harm. Although the Court acknowledged in Spokeo that a “material risk of harm” can satisfy the concreteness element of Article III standing, TransUnion clarifies that such possibility exists only in a suit for injunctive relief, not a suit for damages. A plaintiff may have standing to pursue forward-looking, injunctive relief to prevent the material risk of harm, but the plaintiff “must demonstrate standing separately for each form of relief sought.”

The TransUnion plaintiffs could not show that the risk of harm had ever materialized.

Implications for privacy law

The TransUnion decision represents a significant inflection point in US privacy law and data breach lawsuits in three ways.

  • It solidifies the position that the requirements for Article III standing exist independent of Congressional action, including statutes that grant rights and private causes of action to uphold those rights, stressing that injury in fact cannot exist merely as a statutory construct, but must constitute a concrete harm.
  • It clarifies the “material risk of harm,” limiting plaintiffs in similar lawsuits to potentially having standing to pursue injunctive relief if they are subject to an internal data breach that does not involve the dissemination of their information to third parties.
  • It could open the door for new defenses against class certification on Rule 23 questions of commonality and typicality. Although the Court noted that it was not passing judgment on whether every class member must show Article III standing before the class certification stage, it stated that “[e]very class member must have Article III standing in order to recover individual damages."

In the near term, the TransUnion decision is likely to push litigants confronting similar circumstances to file actions in state courts. This may ultimately slow the frequency of privacy claims as the plaintiffs’ bar works to identify critical mass and allege harms sufficient to justify suits. It may also result in an expanding diversity of privacy standing and harm doctrines.

Time will tell whether such trends will be sufficient to further incentivize Congressional action on a national privacy law. Whether that law is eventually passed, the TransUnion holding’s emphasis on injury in fact will need to be a salient consideration for the establishment of rights of action in any such legislation.