District Court Says Supreme Court Ruling on Standing in Class Actions Does Not Apply to Privacy Claims
July 29, 2021
Authored by: Daniel Rockey
On June 25, 2021, the Supreme Court issued an important decision on Article III standing in class actions that will have a significant impact on the way class actions are certified – and will likely scuttle numerous settlements that have not yet received final approval. In TransUnion LLC v. Ramirez (2021) 141 S.Ct. 2190, the Supreme Court reversed a Ninth Circuit decision certifying a class of 8,185 individuals as to whom TransUnion had erroneously placed an Office of Foreign Assets Control alert into their credit files – in effect, labeling them as a terrorist, narco-trafficker, or serious criminal — in violation of the Fair Credit Reporting Act (“FCRA”). Through FCRA, Congress imposed a requirement on credit reporting agencies to make reasonable efforts to ensure the accuracy of credit reports and created a private right of action which makes “Any person who willfully fails to comply with any [FCRA] requirement … liable to that consumer” for actual damages, statutory damages, punitive damages and attorney’s fees. § 1681n(a). A jury ultimately awarded the class $60 million in statutory and punitive damages.
The Supreme Court reversed. The Court first clarified that all class members, not just representative class members, must demonstrate Article III standing, reversing decisions such as Neale v. Volvo Cars of North America, LLC (3d Cir. 2015) 794 F.3d 353, 362 and Melendres v. Arpaio (9th Cir. 2015) 784 F.3d 1254, 1264, which held that only named class members must have standing. Next, expanding on its decision in Spokeo, Inc. v. Robins, 578 U. S. 330, 340, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016), the Court held that the fact that Congress created a private right of action for violation of the FCRA and provided for statutory damages does not relieve a FCRA plaintiff from independently demonstrating standing, stating that “[o]nly those plaintiffs who have been concretely harmed by a defendant’s statutory violation may sue that private defendant over that violation in federal court.” TransUnion LLC v. Ramirez (2021) 141 S.Ct. 2190, 2205.
Applying these principles to the case before it, the Court held that only those class members whose erroneous credit files had actually been disseminated to “third party businesses” in response to credit inquiries had standing. Class members whose credit files had not been shown to have been provided to third party businesses had not suffered a concrete injury from TransUnion’s FCRA violations, despite that they were unreasonably labeled as a potential terrorists, TransUnion failed to comply with statutorily required notice requirements when providing plaintiffs a copy of their reports, and TransUnion had shared the erroneous reports with employees and vendors. TransUnion, 141 S.Ct. 2190, 2212. In so holding, the Court analogized the undisseminated credit files to a tree falling in a forest that no one hears; in other words, unless the erroneous report was shared in a way that would cause embarrassment, opprobrium, or other concrete harm, plaintiff lacks standing.
A key question in the wake of TransUnion is the extent to which it will make maintenance of privacy class actions more difficult. In the absence of fraudulent charges or other financial injury, Plaintiffs in such cases often struggle to articulate a concrete harm from access to their data. A requirement to show that all class members suffered such injuries is likely to lead to dramatically smaller classes, smaller settlements, and lower fee awards for plaintiff’s counsel. A key question arises, however, regarding the extent to which the Supreme Court’s “falling tree” analogy will be extended to privacy claims. For example, will plaintiffs in ransomware cases have to show that all class members had their data viewed by third parties to have standing? Is it enough to allege that Tech Co. X surreptitiously collected browser referral header data, or must plaintiff also show that such data was communicated to a third party? A new decision by a federal court in California suggests that TransUnion’s concrete injury analysis will be limited to claims sounding in defamation.
In Mastel v. Miniclip Sa et al., (E.D. Cal., July 15, 2021, No. 221CV00124WBSKJN) 2021 WL 2983198, plaintiff alleged that an app created by Miniclip secretly captured notes made by iPhone users in Apple’s Pasteboard application in violation of the California Invasion of Privacy Act, the Stored Communications Act, the Unfair Competition Law, and the California Constitution. Miniclip argued that plaintiff’s conclusory allegation of a privacy violation, without an allegation that Miniclip shared or otherwise published Mastel’s private information, was insufficient to confer Article III standing under TransUnion. The district court rejected this argument, distinguishing TransUnion as involving a statute which the Supreme Court likened to a defamation claim, which requires publication, and holding that the closest historical analogue to plaintiff’s privacy claims was invasion of privacy torts, such as intrusion upon seclusion, which do not require publication of the information. Mastel v. Miniclip Sa et al., 2021 WL 2983198, at *6. Although the Mastel court addressed TransUnion specifically in the context of plaintiff’s claim under the California Constitution, its holding suggests that courts may interpret TransUnion’s “falling tree” analogy narrowly and find that plaintiffs in privacy class actions need not allege any harm beyond unauthorized access, assuming they meet other requirements for standing. It remains to be seen, however, whether other courts will follow suit.
1 In Melendez, the Ninth Circuit held that only named representatives must have standing through the class certification stage. In TransUnion, the Supreme Court held that in order for a class to be certified, all class members must have standing. 141 S.Ct. at 2208, fn 4.