Lessons for a Federal Private Right of Action in US Privacy Law after TransUnion LLC v. Ramirez
Author: Felicity Slater
Felicity Slater is a rising 3L law student at Boston University School of Law and FPF Legal and Policy Intern.
In June 2021, the Supreme Court handed down TransUnion v. Ramirez, 594 U.S. ___ (2021), its latest decision concerning Article III standing, which determines a plaintiff’s eligibility to sue in federal court. Even when a federal law expressly creates a private right of action to enforce a federal right or other violation of the law, Article III of the Constitution requires plaintiffs to demonstrate that they have “standing to sue,” which necessitates proof that plaintiffs suffered a real and individualized harm.
What are the implications of TransUnion for a private right of action in a federal omnibus privacy law? Often, federal proposals for a comprehensive privacy law do not contain a private right of action, instead relying solely on expanding the enforcement powers of the Federal Trade Commission (FTC). However, many proposals, such as The Consumer Online Privacy Rights Act (COPRA) or The Children and Teens’ Online Privacy Protection Act, would define privacy harms broadly and allow individuals to bring lawsuits to challenge most or all violations of the law.
Policymakers considering such proposals should: (1) be aware that after TransUnion, Congressional intent will hold less sway in the current Court when it comes to articulation of privacy harms; (2) consider how statutory privacy and data protection harms may or may not align with harms traditionally recognized by American courts; and (3) note that “material risk of future harm” may provide standing to sue for injunctive relief even when it does not provide standing to sue for financial damages.
The origins of the TransUnion controversy lie in the TransUnion credit reporting agency’s “OFAC Name Screen Alert” product, which matches consumer credit reports with names on the U.S. Treasury’s Office of Foreign Assets Control’s (OFAC) list of terrorists, drug traffickers, and other criminals with whom US entities should not do business. During the time period at issue in this litigation, TransUnion used consumers’ first and last names, but not any of the other consumer data available to it–such as birth dates and social security numbers–to check for matches on the OFAC list.
If a consumer’s first and last name matched a name on the list, TransUnion flagged that consumer as a possible match to a name on the OFAC list on their credit report. For example, the named plaintiff in TransUnion, Sergio Ramirez, had his credit report pulled by a car dealership at which he was shopping. When the dealership saw that TransUnion had (improperly) flagged Ramirez as a possible match, they refused to sell him a car.
Ramirez sued on behalf of himself and other consumers, alleging violations of the Fair Credit Reporting Act (FCRA), and TransUnion challenged plaintiffs’ standing to bring the claim. To establish Article III standing, “a plaintiff must show (i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief” (a standard from Lujan v. Defenders of Wildlife). The class plaintiffs in the TransUnion suit were all individuals whose names had been wrongly matched with names on the OFAC list, although only a subset of them ever had their reports indicating this “potential match” disclosed to a third party business checking their credit.
Prior to the case reaching the Supreme Court, two lower courts found that both of these groups had standing to sue TransUnion for failing to use reasonable procedures to ensure the accuracy of their “match” to names on the OFAC list, as well as for defects in the format of TransUnion’s written communications with them, both causes of action granted by Congress in FCRA. However, a majority of the Supreme Court in TransUnion found that only those plaintiffs whose reports with the faulty flag had actually been shared had suffered an intangible (non-financial and non-physical), concrete harm of the sort that gave them Article III standing to sue TransUnion for financial damages. What lessons does TransUnion provide for how policymakers should structure a private right of action in a comprehensive privacy law?
1. Be aware that after TransUnion, Congressional intent with respect to harms will hold less sway in the current Supreme Court.
After TransUnion, the current Supreme Court is much less likely to defer to Congressional intent in the articulation of procedural or other novel harms. Prior to TransUnion, the (differently composed) Court’s decision in Spokeo v. Robins, 578 U.S. 330 (2016) represented its most current thinking on standing. In Spokeo, the Court proposed a two-part inquiry for determining whether an intangible injury is concrete, noting that “both history and the judgment of Congress play important roles” in this determination. Justice Kavanaugh, writing for the majority in TransUnion, appears to narrow this inquiry, emphasizing that “an injury in law is not an injury in fact,” and noting that, if Congress could statutorily authorize “unharmed” plaintiffs to sue, this would violate separation of powers principles between the Executive and Legislative branches. Kavanaugh focuses instead almost solely on the history inquiry, which holds that intangible injuries are concrete when they are related to harms historically recognized by courts.
Thus, after TransUnion, the primary focus of the concreteness inquiry will likely be on an asserted harm’s relatedness to historically recognized harms. Put more bluntly, Kavanaugh’s opinion emphasizes that unharmed plaintiffs do not have Article III standing, no matter what Congress has to say about it. This may represent a shift from Spokeo, and could mean that Congressionally-granted private rights of action for intangible harms face greater scrutiny than they have previously. TransUnion’s holding suggests that the legislative text is not the last word on what privacy harms are legally cognizable, even if such harms are statutorily defined.
2. Consider how privacy and data protection harms align (or don’t align) with traditionally recognized harms.
TransUnion makes clear that intangible harms can be concrete when they have a “close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.” Justice Kavanaugh provides a series of examples of intangible concrete harms, many of them traditional privacy harms, including: reputational harms, disclosure of private information, intrusion upon seclusion, and infringement of free exercise. The Court then concludes that the subset of the class who had the false information about them disclosed had suffered a reputational injury, a type of concrete, intangible injury analogous to the harm suffered by victims of defamation.
If a federal omnibus privacy law includes a private right of action, it will be important to consider how it may apply to the wide variety of individual rights and business obligations that must be enforced. Most federal omnibus privacy bills provide individuals with rights to access, delete, and correct personal data held about them by companies, analogous to those provided by FCRA. In addition, these bills typically grant rights to opt out of or opt in to the collection, use, sharing, or sale of certain types of data and impose business obligations such as transparency, fair processing, data minimization, and the obligation to avoid secondary uses. TransUnion suggests that the cognizability of such rights and obligations will be dependent on the nature of the data at issue and how individualized this data is, as well as the nature of any disclosures.
For example, improper collection or sharing of sensitive health data, or data from the home, may align with historically recognized harms such as defamation, public disclosure of private facts, intrusion upon seclusion, or trespass. In contrast, although standards are evolving, the historical analog for rights such as data minimization rights, especially for data that is not sensitive or harmful, is less clear. Thus, drafters of a comprehensive federal privacy law should recognize that plaintiffs may not have standing to enforce broad data access, minimization, deletion, and correction rights in federal court. As such, they should conceive of alternate enforcement mechanisms for these rights, including robust agency enforcement.
Notably, linking causes of action to historical violations may constrain the drafting of such a law in significant ways. For example, because the tort of defamation requires sharing or publication of information, TransUnion demonstrates that the mere existence of inaccurate first-party data may never provide sufficient standing for financial damages. Similarly, the torts of “intrusion upon seclusion” and “publicity given to private life” in the 2nd Restatement of Torts are constrained by the “highly offensive” standard, meaning that, unless a disclosure of personal data would have been highly offensive to the reasonable person, plaintiffs may not have standing.
3. Note that, even absent concrete harm in the context of a suit for damages, “material risk of future harm” may still provide standing for injunctive relief.
The Court in TransUnion held that plaintiffs whose designation as a “potential match” to a person on the OFAC list had not been disclosed did not have standing to sue, because they had not been concretely harmed. Objecting to the notion that they did not have standing, these plaintiffs argued that TransUnion’s misflagging of their reports, even without disclosure, had exposed them to “material risk of future harm.” The court rejected the argument that risk of future harm was a sufficiently concrete injury to sue for damages, but noted that it could have been grounds for an injunction “to prevent the harm from occurring.”
Noting this, drafters of federal omnibus privacy legislation should be mindful that injunctive relief, even without statutory damages, may provide a powerful tool in situations where the statutory violation increases individual risk of future harm. This might include, for example, collection of biometric data, or other violations of collection limits. Congress could thus provide a private right of action for injunctive relief to individuals exposed to “material risk of future harm” through data collection, even if that data had not yet been used for anything. To have standing to sue for damages, such plaintiffs will have to establish that they have suffered some concrete harm, such as emotional distress (an example Kavanaugh raises in dicta), in addition to being exposed to future harm.
4. What else?
The TransUnion opinion might impact class certification analysis, could influence judicial interpretation of other longstanding federal privacy laws, such as the Telephone Consumer Protection Act (TCPA), and could mean that certain plaintiffs begin to favor state court forums that do not require plaintiffs to show that they have Article III standing. Furthermore, Justice Thomas’s and Justice Kagan’s strong dissents in TransUnion suggest a different, and more plaintiff-friendly, way forward. There will doubtless be many who push for the view expressed in Justice Thomas’s dissent to become the law, and this case will likely have influence in the privacy space for decades to come.