Whether plaintiffs in FCRA and other privacy suits can establish standing based on a violation of their statutory rights and whether a class can be certified under Federal Rule of Civil Procedure 23 where a putative class representative has suffered additional injuries not borne by other class members.
This case concerns whether federal courts have jurisdiction over a case brought against a company for violations of an individual’s rights under a federal privacy law. Article III of the U.S. Constitution provides the federal courts have jurisdiction over “Cases” and “Controversies” that arise under federal law. The U.S. Supreme Court has held that standing requires, in part, that the suit be based on an actual or imminent alleged injury that is concrete and particularized. Traditionally, cases brought by plaintiffs to vindicate their private rights would necessarily meet this standard. Congress has the power to enact laws that create new legal rights and that allow individuals to sue when those rights are violated. But the Supreme Court recently cast doubt on Congress’s power to do so. In Spokeo v. Robins, the Court implied that courts should assess whether particular injuries are sufficiently “concrete” to establish standing. This has led to confusing and absurd results in the lower courts, especially in privacy cases that necessarily implicate “intangible” interests. Companies that are subject to privacy lawsuits have argued that federal courts do not have jurisdiction to rule in these cases because there are no tangible harms caused by their privacy violations. And some courts have interpreted Spokeo as empowering them to second-guess the judgment of Congress and dismiss suits even when the defendant companies have unambiguously violated the law and Congress provided for direct enforcement through civil litigation.
The named plaintiff and putative class representative in this case, Sergio Ramirez, sued after he was prevented from buying a car because a credit reporting agency incorrectly flagged him as being on a terrorist watchlist. He and a class of thousands of others sued TransUnion for violating the Fair Credit Reporting Act (FCRA), a federal law that creates privacy rights for individuals to help them maintain control over their personal information. The class action lawsuit went to trial, and a jury ruled that TransUnion had violated FCRA. TransUnion appealed, arguing that the plaintiffs did not have standing to sue because they did not allege that the violation of their FCRA rights caused them to suffer any additional harms, since most of the class could not show that TransUnion shared incorrect credit information about them with others. The Court of Appeals rejected this argument. The plaintiffs had standing because TransUnion’s actions harmed their legally-protected interests; they did not have to allege any additional harm. TransUnion appealed. The case is currently before the U.S. Supreme Court.
The Fair Credit Reporting Act (FCRA) protects the rights of individuals whose data is compiled and used by Credit Reporting Agencies. The law establishes rights for these individuals and regulates the process through which CRAs (like TransUnion) create, compile, and disclose personal data. The plaintiffs in this case alleged violations of three particular FCRA sections: § 1681e(b), which protects privacy rights by requiring companies to follow “reasonable procedures” when preparing credit reports to ensure that they are accurate; and § 1681g(a) and (c)(2), which work together to protect peoples’ interests in having access to information in their reports and understanding how to correct inaccurate information, respectively.
The FCRA is one of numerous federal privacy laws that provide enforceable privacy rights to individuals and impose corresponding obligations on the entities that handle their information. Congress enacted these laws to protect privacy, but the rights provided by these laws are only effective if they can be enforced. Many privacy laws allow individuals to enforce their rights through litigation. When a company violates the law, individuals can sue to vindicate their privacy rights.
A recent Supreme Court ruling has led to troublesome decisions that threaten the ability of individuals to enforce of these rights. To sue in federal court, a plaintiff must establish that they have standing. One element of standing is that the plaintiff has suffered a legal injury, and the plaintiff bears the burden of showing this to the court. In a 2016 decision, the U.S. Supreme Court considered a claim under FCRA’s accuracy requirement. In Spokeo, Inc. v. Robins, the Court held that while Congress has the power to pass laws that create new legal rights, plaintiffs cannot always establish standing based on a violation of those rights (a “legal injury”). The Court said that certain “bare procedural violations” are not sufficiently “concrete” to satisfy the case and controversy requirement of Article III. The Court held that lower courts must decide whether a plaintiff’s alleged injury is sufficiently “concrete” to establish standing, and advised courts to look to traditional harms recognized historically by courts and to Congress’s judgment to decide.
But the Spokeo decision has led to confusing and absurd results. Some courts have held that plaintiffs alleging violations of privacy rights or other “intangible injuries” must prove additional, consequential harm stemming from the statutory violation to establish standing. Other courts have held that certain privacy rights are too far removed from the rights recognized at common law, or that the violations of the privacy rights are not concrete because Congress did not clearly create them to protect against concrete, downstream harms. Courts in these cases tend to second-guess the policy determinations motivating these privacy laws, and the resulting judicial speculation leads to disparate interpretations of the same statutory language. One court may apply Spokeo to find that the violation of a privacy law like the Telephone Consumer Privacy Act (TCPA) causes a concrete injury after a single robocall, while another applies the case to find that one call is not concrete enough. In the years since the decision, lower courts have reinterpreted the clear protections provided under privacy laws in confusing, contradictory, and often arbitrary ways. This has ultimately weakened privacy rights which Congress sought to protect.
In February 2011, Ramirez tried to purchase a car. The dealership refused after a credit report produced by TransUnion incorrectly flagged Ramirez as a match on a government terrorist list. Ramirez requested a copy of his report, and TransUnion sent him two separate letters in reply, one of which informed him of the terrorist list match but not of how to remove the false match from his credit information. TransUnion had sent the same letter to over eight thousand individuals who had similarly requested their reports.
In February 2012, Ramirez filed a class action lawsuit alleging TransUnion’s matching practices violated multiple provisions of FCRA by failing to ensure the accuracy of their credit information, disclose the inaccurate terrorist list match upon request, and include a notice of their rights under FCRA.
The district court certified the class, which included the thousands of people who had received the letter notifying them of a terrorist list match but who did not all demonstrate that their incorrect report was disclosed to a third party, as Ramirez had experienced with the car dealership. The case eventually went to trial, where a jury ruled for the class and assessed a $60 million verdict in statutory damages against TransUnion.
On appeal, the U.S. Court of Appeals for the Ninth Circuit held that the plaintiffs had standing to sue because their legal rights were injured by TransUnion’s FCRA violations. TransUnion unsuccessfully argued that they could not all have standing to sue, since some members had their inaccurate reports disclosed to others, while others experienced no secondary harm from the inaccurate matches because their reports stayed between them and TransUnion. TransUnion focused on the downstream harms stemming from the inaccurate information—since about six- of the eight-thousand members did not experience some additional harm beyond the FCRA violations, they were not injured and lacked standing. The court flatly disagreed, finding that the FCRA violations on their own were injury enough. For those who did not prove their report was ever shared with others, they still experienced a legal injury when TransUnion failed to ensure the accuracy of their reports, disclose any inaccuracies, and provide them notice of their rights as FCRA required; these violations increased the risk that incorrect information could be used against them, which was the exact type of privacy harm FCRA was designed to prevent.
TransUnion appealed to the Supreme Court, arguing that the Ninth Circuit misapplied Spokeo to find that these alleged FCRA violations alone could confer standing.
EPIC advocates for strong privacy rights protections to legislatures and in the courts. EPIC is the leading advocate for comprehensive federal data protection laws and a federal data protection agency. EPIC routinely participates as amicus in cases concerning data protection and has filed numerous briefs on the issue of standing to sue for privacy rights violations. EPIC submitted an amicus brief in Spokeo, Inc. v. Robins, arguing that plaintiffs have standing when a company misuses their personal information in violation of federal law. EPIC has also participated in a host of post-Spokeo cases, including Patel v. Facebook concerning Illinois Biometric Information Privacy Act violations, Eichenberger v. ESPN concerning Video Privacy Protection Act violations, Gubala v. Time Warner Cable concerning Cable Communications Policy Act violations, and Attias v. CareFirst, Inc. and In re SuperValu Customer Data Security Breach Litigation which both involved various legal protections against data breach harms.
United States Supreme Court, No. 20-297
- Petition Stage
- TransUnion’s Petition for a Writ of Certiorari (Sept. 2, 2020)
- Amicus Briefs in Support of Petition
- Brief of Respondent Ramirez in Opposition (Nov. 6, 2020)
- Reply Brief of Petitioner TransUnion (Nov. 24, 2020)
- Merits Stage
- Brief of Petitioner TransUnion on the Merits (Feb. 1, 2021)
- Amicus Briefs in Support of Petitioner
- Brief of Retail Litigation Center, Inc. (Feb. 8, 2021)
- Brief of Consumer Data Industry Association (Feb. 8, 2021)
- Brief of Washington Legal Foundation (Feb. 8, 2021)
- Brief of eBay, Inc., Facebook, Inc., Google LLC, Computer & Communications Industry Association, The Internet Association, and Technology Network (Feb. 8, 2021)
- Brief of The Home Depot, Inc. and UnitedHealth Group (Feb. 8, 2021)
- Brief of the National Association of Manufacturers et al. (Feb. 8, 2021)
- Brief of Professional Background Screening Association (Feb. 8, 2021)
- Brief of U.S. Chamber of Commerce and National Federation of Independent Business (Feb. 8, 2021)
- Brief of the National Consumer Reporting Association, Inc. (Feb. 8, 2021)
- Brief of the Product Liability Advisory Council, Inc. (Feb. 8, 2021)
- Brief of ACA International (Feb. 8, 2021)
- Amicus Briefs in Support of Neither Party
- Brief of the United States (Feb. 8, 2021)
- Brief of Respondent Ramirez on the Merits (Mar. 3, 2021)
- Amicus Briefs in Support of Respondent
- Brief of EPIC (Mar. 8, 2021)
- Brief of Public Justice (Mar. 9, 2021)
- Brief of Constitution Accountability Center (Mar. 10, 2021)
- Brief of Electronic Frontier Foundation (Mar. 10, 2021)
- Brief of National Consumer Law Center et al. (Mar. 10, 2021)
- Brief of Complex Litigation Law Professors (Mar. 10, 2021)
- Brief of Public Citizen and Public Citizen Foundation (Mar. 10, 2021)
- Brief of National Association of Consumer Advocates (Mar. 10, 2021)
- Brief of Legal Scholars (Mar. 10, 2021)
- Brief of American Association for Justice (Mar. 10, 2021)
- Brief of Impact Fund, NAACP Legal Defense & Educational Fund, Inc., and 24 Civil Rights Organizations (Mar. 10, 2021)
- Brief of Owner-Operator Independent Drivers Association, Inc. (Mar. 10, 2021)
- Brief of the Committee to Support the Antitrust Laws (Mar. 10, 2021)
- Brief of UC Berkeley Center for Consumer Law and Economic Justice et al. (Mar. 10, 2021)
- Reply Brief of Petitioner TransUnion (Mar. 19, 2021)
- Opinion (June 25, 2021)
United States Court of Appeals for the Ninth Circuit (No. 11-56843)
- Opinion (Feb. 27, 2020)
United States District Court for the Northern District of California (No. 3:12-cv-00632-JSC)
- Order Granting Motion to Certify Class (July 24, 2014)
- Order Denying Motion to Decertify Class (Dec. 17, 2016)
- Order Denying TransUnion’s Motion for Summary Judgment (Mar. 27, 2017)
- Order Denying Motion for Judgment as Matter of Law (Nov. 7, 2017)
- Allison Frankel, Supreme Court grants review of ‘no-injury’ class action. This could be big, Reuters (Dec. 16, 2020)
- Holly Barker, SCOTUS Grants TransUnion’s Challenge to $40 Million Class Award, Bloomberg Law (Dec. 16, 202)
- Emma Whitford, Justices To Weigh Class’s Standing In TransUnion FCRA Suit, Law360 (Dec. 16, 2020)
- Christina Lamoureux, BREAKING: Supreme Court Grants Cert on Major FCRA Standing Issue, National Law Review (Dec. 16, 2020)
- Burt M. Rublin, SCOTUS agrees to review FCRA class action judgment where most class members suffered no actual injury, Consumer Finance Monitor (Dec. 17, 2020)
- David Singh and Neeckaun Irani, SCOTUS to Review Ninth Circuit Holding on Injury Standings for Class Members to Establish Standing, American Bar Association (Jan. 8, 2021)
- Lauren Berg, TransUnion Asks Justices To Ax Standing For FCRA Class, Law360 (Feb. 2, 2021)
- Ben Kochman, Facebook, Google, EBay Urge Justices To Limit Privacy Suits, Law360 (Feb. 9, 2021)
- Allison Frankel, Business lobby wants SCOTUS to rein in ‘uninjured’ classes, DOJ wary of ‘atypical’ plaintiff, Reuters (Feb. 9, 2021)
- Allison Grande, TransUnion ‘Belittling’ Harms In FCRA Fight, High Court Told, Law360 (Mar. 3, 2021)
- Philip R. Stein and Brian Trujilo, With Supreme Court Privacy Case Pending, Silicon Valley Weighs In, JD Supra (Mar. 3, 2021)
- Thomas Cunningham et al., Standing on Thin Ice? New Guidance on Standing for Data Breach Claims, JD Supra (Mar. 8, 2021)
- Allison Grande,EPIC Urges High Court To Let Consumers Press Privacy Suits, Law360 (Mar. 9, 2021)
- Jake Holland, Privacy Violation Confers Standing, Group Argues in SCOTUS Brief, Bloomberg Law (Mar. 9, 2021)
- Allison Frankel, Unlikely bedfellows in TransUnion SCOTUS case: Justice Thomas and class action fans, Reuters (Mar. 11, 2021)
Whether courts have jurisdiction to review cases brought by individuals based on violations of their federal privacy rights
By artificially tightening Article III standing requirements and refusing to exercise jurisdiction over a growing number of cases, federal courts have made it difficult for individuals to vindicate their privacy rights.
FCRA was enacted in 1970 to promote accuracy, fairness, and the privacy of personal information assembled by Credit Reporting Agencies.