TransUnion LLC v. Ramirez

Whether plaintiffs in FCRA and other privacy suits can establish standing based on a violation of their statutory rights and whether a class can be certified under Federal Rule of Civil Procedure 23 where a putative class representative has suffered additional injuries not borne by other class members.
  • Supreme Court Limits Standing to Sue in Credit Reporting Case:

    The U.S. Supreme Court issued a decision today in TransUnion LLC v. Ramirez, an important case about the ability of individuals to bring privacy cases in federal court. The Court, in a controversial 5-4 decision authored by Justice Kavanaugh, held that proof of "concrete harm" is required to establish standing to sue under Article III of the U.S. Constitution. The jury in this case found that TransUnion had willfully violated the Fair Credit Reporting Act (FCRA) when it falsely flagged the credit reports of thousands of individuals for being "Specially Designated Nationals" under the Office of Foreign Asset Controls list that includes terrorists, drug trafficers, and other sanctioned individuals. The Supreme Court held that the group of individuals who could prove that these false credit reports had been disclosed to third parties had standing to sue, but the group who did not provide evidence that their reports had been disclosed did not meet the burden under Article III.

    This decision will have significant implications for individuals seeking redress in federal court for privacy violations that do not involve the improper disclosure of personal information. EPIC filed an amicus brief in TransUnion, urging the Court to hold that people can sue when their privacy rights are violated, regardless of whether they allege that the violation led to other harms. Justice Thomas, joined by three other members of the Court, agreed and would have ruled that standing exists in any case brought by an individual to vindicate a violation of their private rights. EPIC's Executive Director, Alan Butler, said that "the Supreme Court's decision in TransUnion does not close the door on all privacy claims, but it certainly makes it more difficult for individuals to seek redress in privacy cases that don't involve improper disclosure of information." EPIC previously filed an amicus briefs on this issue with the Supreme Court in Spokeo v. Robbins and frequently files amicus briefs in cases interpreting standing under a variety of privacy laws.

    (Jun. 25, 2021)
  • More top news »
  • Supreme Court Won’t Disturb Data Breach Decision » (Mar. 25, 2019)
    The Supreme Court today declined to review, v. Stevens, a decision that allowed consumers to sue the online retailer following a breach of their personal data. More than 24 million Zappos customers were affected by the breach, which included account numbers and passwords. Zappos tried to block the lawsuit, claiming that consumers had to show additional damages. The Ninth Circuit rejected that argument, and the Supreme Court left the decision of the appeals court in place. EPIC has filed amicus briefs in similar data breach cases, including Attias v. Carefirst, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches.” EPIC regularly files amicus briefs defending consumer privacy and addressing emerging privacy challenges.
  • EPIC Defends Privacy Laws in Supreme Court Brief » (Sep. 8, 2015)
    In an amicus brief for the Supreme Court EPIC defended Congress's authority to enact laws that safeguard the privacy of American consumers. EPIC explained that "Congress enacted laws that establish rights for individuals and imposed obligations on the companies that profit from the collection and use of this data." Spokeo v. Robins arises from a data broker's publication of inaccurate, personal information in violation of the Fair Credit Reporting Act. The data broker charged that, in addition to the violation of federal law, Mr. Robbins must also show that he was specifically harmed. Citing the current epidemic of privacy risks in the United States, including data breaches, identity theft, and financial fraud, EPIC wrote in the brief that this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." The EPIC amicus brief in Spokeo was endorsed by thirty-one technical experts and legal scholars, members of the EPIC Advisory Board.


This case concerns whether federal courts have jurisdiction over a case brought against a company for violations of an individual's rights under a federal privacy law. Article III of the U.S. Constitution provides the federal courts have jurisdiction over "Cases" and "Controversies" that arise under federal law. The U.S. Supreme Court has held that standing requires, in part, that the suit be based on an actual or imminent alleged injury that is concrete and particularized. Traditionally, cases brought by plaintiffs to vindicate their private rights would necessarily meet this standard. Congress has the power to enact laws that create new legal rights and that allow individuals to sue when those rights are violated. But the Supreme Court recently cast doubt on Congress's power to do so. In Spokeo v. Robins, the Court implied that courts should assess whether particular injuries are sufficiently "concrete" to establish standing. This has led to confusing and absurd results in the lower courts, especially in privacy cases that necessarily implicate "intangible" interests. Companies that are subject to privacy lawsuits have argued that federal courts do not have jurisdiction to rule in these cases because there are no tangible harms caused by their privacy violations. And some courts have interpreted Spokeo as empowering them to second-guess the judgment of Congress and dismiss suits even when the defendant companies have unambiguously violated the law and Congress provided for direct enforcement through civil litigation.

The named plaintiff and putative class representative in this case, Sergio Ramirez, sued after he was prevented from buying a car because a credit reporting agency incorrectly flagged him as being on a terrorist watchlist. He and a class of thousands of others sued TransUnion for violating the Fair Credit Reporting Act (FCRA), a federal law that creates privacy rights for individuals to help them maintain control over their personal information. The class action lawsuit went to trial, and a jury ruled that TransUnion had violated FCRA. TransUnion appealed, arguing that the plaintiffs did not have standing to sue because they did not allege that the violation of their FCRA rights caused them to suffer any additional harms, since most of the class could not show that TransUnion shared incorrect credit information about them with others. The Court of Appeals rejected this argument. The plaintiffs had standing because TransUnion's actions harmed their legally-protected interests; they did not have to allege any additional harm. TransUnion appealed. The case is currently before the U.S. Supreme Court.


Legal Background

The Fair Credit Reporting Act (FCRA) protects the rights of individuals whose data is compiled and used by Credit Reporting Agencies. The law establishes rights for these individuals and regulates the process through which CRAs (like TransUnion) create, compile, and disclose personal data. The plaintiffs in this case alleged violations of three particular FCRA sections: § 1681e(b), which protects privacy rights by requiring companies to follow “reasonable procedures” when preparing credit reports to ensure that they are accurate; and § 1681g(a) and (c)(2), which work together to protect peoples’ interests in having access to information in their reports and understanding how to correct inaccurate information, respectively.

The FCRA is one of numerous federal privacy laws that provide enforceable privacy rights to individuals and impose corresponding obligations on the entities that handle their information. Congress enacted these laws to protect privacy, but the rights provided by these laws are only effective if they can be enforced. Many privacy laws allow individuals to enforce their rights through litigation. When a company violates the law, individuals can sue to vindicate their privacy rights.

A recent Supreme Court ruling has led to troublesome decisions that threaten the ability of individuals to enforce of these rights. To sue in federal court, a plaintiff must establish that they have standing. One element of standing is that the plaintiff has suffered a legal injury, and the plaintiff bears the burden of showing this to the court. In a 2016 decision, the U.S. Supreme Court considered a claim under FCRA's accuracy requirement. In Spokeo, Inc. v. Robins, the Court held that while Congress has the power to pass laws that create new legal rights, plaintiffs cannot always establish standing based on a violation of those rights (a "legal injury"). The Court said that certain "bare procedural violations" are not sufficiently "concrete" to satisfy the case and controversy requirement of Article III. The Court held that lower courts must decide whether a plaintiff's alleged injury is sufficiently "concrete" to establish standing, and advised courts to look to traditional harms recognized historically by courts and to Congress's judgment to decide.

But the Spokeo decision has led to confusing and absurd results. Some courts have held that plaintiffs alleging violations of privacy rights or other "intangible injuries" must prove additional, consequential harm stemming from the statutory violation to establish standing. Other courts have held that certain privacy rights are too far removed from the rights recognized at common law, or that the violations of the privacy rights are not concrete because Congress did not clearly create them to protect against concrete, downstream harms. Courts in these cases tend to second-guess the policy determinations motivating these privacy laws, and the resulting judicial speculation leads to disparate interpretations of the same statutory language. One court may apply Spokeo to find that the violation of a privacy law like the Telephone Consumer Privacy Act (TCPA) causes a concrete injury after a single robocall, while another applies the case to find that one call is not concrete enough. In the years since the decision, lower courts have reinterpreted the clear protections provided under privacy laws in confusing, contradictory, and often arbitrary ways. This has ultimately weakened privacy rights which Congress sought to protect.

Factual Background

In February 2011, Ramirez tried to purchase a car. The dealership refused after a credit report produced by TransUnion incorrectly flagged Ramirez as a match on a government terrorist list. Ramirez requested a copy of his report, and TransUnion sent him two separate letters in reply, one of which informed him of the terrorist list match but not of how to remove the false match from his credit information. TransUnion had sent the same letter to over eight thousand individuals who had similarly requested their reports.

In February 2012, Ramirez filed a class action lawsuit alleging TransUnion’s matching practices violated multiple provisions of FCRA by failing to ensure the accuracy of their credit information, disclose the inaccurate terrorist list match upon request, and include a notice of their rights under FCRA.

The district court certified the class, which included the thousands of people who had received the letter notifying them of a terrorist list match but who did not all demonstrate that their incorrect report was disclosed to a third party, as Ramirez had experienced with the car dealership. The case eventually went to trial, where a jury ruled for the class and assessed a $60 million verdict in statutory damages against TransUnion.

On appeal, the U.S. Court of Appeals for the Ninth Circuit held that the plaintiffs had standing to sue because their legal rights were injured by TransUnion’s FCRA violations. TransUnion unsuccessfully argued that they could not all have standing to sue, since some members had their inaccurate reports disclosed to others, while others experienced no secondary harm from the inaccurate matches because their reports stayed between them and TransUnion. TransUnion focused on the downstream harms stemming from the inaccurate information—since about six- of the eight-thousand members did not experience some additional harm beyond the FCRA violations, they were not injured and lacked standing. The court flatly disagreed, finding that the FCRA violations on their own were injury enough. For those who did not prove their report was ever shared with others, they still experienced a legal injury when TransUnion failed to ensure the accuracy of their reports, disclose any inaccuracies, and provide them notice of their rights as FCRA required; these violations increased the risk that incorrect information could be used against them, which was the exact type of privacy harm FCRA was designed to prevent.

TransUnion appealed to the Supreme Court, arguing that the Ninth Circuit misapplied Spokeo to find that these alleged FCRA violations alone could confer standing.

EPIC's Interest

EPIC advocates for strong privacy rights protections to legislatures and in the courts. EPIC is the leading advocate for comprehensive federal data protection laws and a federal data protection agency. EPIC routinely participates as amicus in cases concerning data protection and has filed numerous briefs on the issue of standing to sue for privacy rights violations. EPIC submitted an amicus brief in Spokeo, Inc. v. Robins, arguing that plaintiffs have standing when a company misuses their personal information in violation of federal law. EPIC has also participated in a host of post-Spokeo cases, including Patel v. Facebook concerning Illinois Biometric Information Privacy Act violations, Eichenberger v. ESPN concerning Video Privacy Protection Act violations, Gubala v. Time Warner Cable concerning Cable Communications Policy Act violations, and Attias v. CareFirst, Inc. and In re SuperValu Customer Data Security Breach Litigation which both involved various legal protections against data breach harms.

Legal Documents

United States Supreme Court, No. 20-297

United States Court of Appeals for the Ninth Circuit (No. 11-56843)

United States District Court for the Northern District of California (No. 3:12-cv-00632-JSC)

EPIC Resources


Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security