In order to pursue a case in court, especially federal court, a potential plaintiff must demonstrate that they have suffered a concrete, personal, demonstrable harm. When it comes to potential class action privacy litigation, this requirement of “standing” may mean that they are left at the courthouse door, despite the fact that Congress has expressly provided both a duty on the part of their data’s custodian to maintain privacy and a “private right of action” – a right to sue. A case soon to be argued before the United States Supreme Court examines when those impacted by privacy violations can actually seek redress in federal courts.
One of the earliest data privacy related laws in the United States is the Fair Credit Reporting Act (FCRA) which essentially requires credit reporting agencies to maintain accurate records and provides remedies – including a right to sue in federal court – for violations of these requirements. However, if a credit reporting agency does not keep accurate records but nobody (other than the credit agency itself) actually sees or relies on the inaccurate information, is the associated consumer actually harmed in any legally significant way? Can they – and more importantly, a class of similarly situated individuals – exercise their statutory right to sue? Do they have “standing?” That question is being considered in TransUnion, LLC v. Ramirez, the case currently before the Supreme Court.
In Ramirez, credit reporting giant TransUnion improperly listed thousands of people as being on a Treasury Department “terrorist” watch list, because they only compared people’s names against the list, not their dates of birth or other biographical information. As a result, people with names that were similar to those on the list had their profiles flagged in error. The FCRA requires accurate information, and gives a right to sue, so a class action lawsuit was filed. Some class members, like Sergio Ramirez, were denied credit when a potential creditor saw their names on the terrorist list. But other class members whose names were erroneously flagged never applied for credit during the time that the information was inaccurately on the list, and therefore the false information was never seen. So did class action plaintiffs whose records had the erroneous terrorist flag on them suffer a “concrete” and “particularized” harm of the kind that Congress for which gave them a right to sue?
Just five years ago, in a case called Spokeo v. Robins, the Supreme Court found that a person whose erroneous information (the wrong zip code) was actually disseminated by an entity covered by the FCRA did not demonstrate standing, not because he failed to prove that his own data was erroneous (particularized harm), but because he did not show that he suffered an “injury in fact” (concreteness).
All of this is of particular concern for class action cases – which often result from small or even negligible “injuries” to a large number of people. Entities that handle large amounts of personal data, like Google, Facebook, Amazon, eBay and others, may be subject to large lawsuits where each individual may not be able to prove a specific injury in fact resulting from an action that may violate a statute. Unsurprisingly, these tech giants have also petitioned the Supreme Court to throw out Ramirez’ class action privacy litigation.
This reflects a larger trend diminishing the inherent value of privacy and private information. When personal privacy is invaded, courts often look to secondary harm, rather than recognizing loss of privacy as a harm in and of itself. Exposure of your name, social security number and credit card information may not be a “concrete” injury unless you can show that the numbers were used in some way that caused you damage. Similarly, improper access to your medical records through negligence may also be insufficient to establish injury unless it causes job loss or other more concrete harm.
“Damages” and “injury” are slightly different. A person can suffer intangible – but concrete – harm and injury (like loss of privacy) sufficient to get them standing to sue, but ultimately may not be able to demonstrate a dollar value of “damages.” The problem in both Spokeo and Ramirez is that Congress has already spoken by requiring the information to be accurate. If YOUR information is inaccurate, they have breached their duty to you. If the court rules that you have to show a specific injury to yourself resulting from the breach of the statute (and for every member of a class), data breach lawsuits, privacy lawsuits, HIPAA lawsuits and any other forms of class action privacy litigation that rely on misuse or failure to protect data, may have a hard time getting in to court despite clear Congressional intent to the contrary.
Other data privacy statutes that give those “affected” a right to sue (even as a class) include the Electronic Communications Privacy Act, the Stored Communications Act, the Video Privacy Act and the Telecommunications Privacy Act, each of which protects the privacy of different kinds of information in different ways. For example, the Fair and Accurate Credit Transactions Act requires merchants to truncate credit card numbers on receipts, and outlines statutory damages for violations – exposing consumers to a greater risk of credit card fraud. Applying the rules of standing, one could imagine the courthouse doors being closed to consumers unable to show that their credit card numbers were actually compromised – not what Congress intended.
The problem of standing and “concreteness” of injury is not limited to the privacy arena. For example, when a statute mandated that job seekers be given the opportunity to challenge information in a credit report prior to it being viewed by a potential employer and the credit reporting agency did not provide that opportunity, the 9th Circuit federal court in Dutta v. State Farm, found the violation to be a “bare procedural violation” which caused no concrete injury to the job seeker where the underlying credit information was accurate. Similarly, where a law gives someone a right to access information which is improperly denied, that too may not give rise to a “concrete” injury and therefore standing to sue. Robertson v. Allied Solutions, LLC.
Without standing, the individual or the class is effectively shut out of the courthouse. That’s good news for potential defendants, and bad news for plaintiffs – especially where the violation of a statute is clear. It amounts to a court shrugging its shoulders and saying “so what?” There’s a difference between injuries that are hard to quantify and those that don’t exist at all. If Congress imposes a duty to do something, and you fail to do it, should you be able to keep people from suing because they can’t show that your breach of the duty caused them a specific and concrete harm?
Certainly there are frivolous lawsuits and frivolous class action suits in which the members of the class suffered no real harm, and the lawyers seek a payout for themselves. But when Congress requires a regulated entity to do something, and provides a right of action for violations, any personal injury – even an ephemeral one – should be sufficient to get a class action through the courthouse door. Whether it stays there ultimately depends on the underlying merits of the case.
If you have any questions regarding class action privacy litigation or any of the subjects covered in this article, please contact Mark Rasch (firstname.lastname@example.org / 301.547.6925) or Alex Welsh (email@example.com / 216.736.7263).
KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.