Skip to main content
Article

TransUnion LLC v. Ramirez : Positive News for Companies Hit With Privacy Class Actions

Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)
N/A

By Robin Ann Nowicki | November 19, 2021

While organizations grapple with expanded privacy rules and regulations, the Supreme Court may have provided some insulation from costly class action claims.

While organizations of all sizes and across all industries are grappling with expanded privacy rules and regulations, the Supreme Court may have provided some insulation from costly class action claims alleging privacy violations. On June 25, 2021 the United States Supreme Court ruled in TransUnion LLC v. Ramirez (“TransUnion”)1, that an injury-in-fact under Article III standing, which is a legal right to sue, for a claim brought under the Fair Credit Reporting Act (“FCRA”)2 requires actual harm, not just a mere existence of potential harm. The Court made clear that class members must suffer concrete harm, not just a high probability of harm, to have standing to bring claims; it is not enough to simply allege a violation of law or regulation, even if the law or regulation grants statutory damages.

Prior to TransUnion, the Supreme Court in Spokeo, Inc v. Robins (“Spokeo”)3, addressed whether an assertion of a private right of action for a willful violation of the FCRA, absent a claim of damages, or actual harm, creates sufficient injury to satisfy Article III Standing. The Spokeo decision requires a concrete injury “even in the context of a statutory violation,” and plaintiffs cannot “allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement.”4 The Court also held that intangible injuries could be concrete, but it does not necessarily satisfy the injury-in-fact requirement even when a statute provides the right to sue. The question Spokeo left unanswered was, does the risk of future harm constitute injury-in-fact? The Circuits were split on the answer to this question with the Sixth, Seventh, Ninth & D.C. Circuits holding that an increased risk of future harm may constitute injury-in-fact under Article III while the Second, Fourth, Eighth, and Eleventh Circuits held that the risk of future harm does not constitute injury-in-fact.5 The TransUnion decision has now clarified what “concrete” harm is in relation to statutory privacy violations.

To understand this “concrete harm,” we look to the facts of TransUnion. In 2011, Sergio Ramirez (“Ramirez”) attempted to buy a car which resulted in the dealership running a credit check. The TransUnion report sent to the dealership suggested that Ramirez was on the Treasury Department’s Office of Foreign Assets Control (“OFAC”) sanctions list - meaning he was barred from conducting business in the United States.6 Ramirez followed up with TransUnion who sent Ramirez two additional mailings indicating that his name was a potential match for two names on the OFAC list.

Ramirez filed a class action lawsuit in federal court against TransUnion, LLC alleging willful violations of FCRA and sought statutory damages and injunctive relief. Ramirez claimed that TransUnion erroneously placed a terrorist alert on his credit report and the credit reports of 8,185 individuals alleging they were included in the OFAC sanctions list. His complaint alleged TransUnion willfully violated FCRA by failing to use reasonable procedures to ensure the accuracy of their credit files. The complaint also alleged TransUnion sent out certain mailings to the class with formatting defects. It was agreed to by the parties that only 1,853 class members had their credit report with the OFAC designated alert provided to third parties during the class period and the other 6,332 class members reports were not disseminated. The district court certified the 8,185-member class and a jury awarded each class member almost $1,000 in statutory damages and over $6,000 in punitive damages equating to a verdict of about $60 million.

TransUnion appealed the verdict to the Ninth Circuit Court of Appeals alleging the verdict should be overturned because only the named plaintiff, Ramirez, suffered concrete harm because of TransUnion’s practices and there was no guarantee that each class member suffered the kind of injury required by the Constitution to sue. The Ninth Circuit affirmed the lower court holding that each class member had standing because of TransUnion’s reckless handling of plaintiffs’ personal information “exposed each class member to a real risk of harm to their concrete privacy, reputational, and informational interests protected by the FCRA.”7 The Ninth Circuit upheld the statutory damages and reduced the punitive damages award.

The Supreme Court granted TransUnion’s petition for certiorari and reversed the Ninth Circuit. The Court stated the following:

For standing purposes, therefore, an important difference exists between (i) a plaintiff’s statutory cause of action to sue a defendant over the defendant’s violation of federal law, and (ii) a plaintiff’s suffering concrete harm because of the defendant’s violation of federal law. Congress may create causes of action for plaintiffs to sue defendants who violate those legal prohibitions or obligations. But under Article III, an injury in law is not an injury in fact. Only those plaintiffs who have been concretely harmed by a defendant’s statutory violation may sue that private defendant over that violation in federal court. (emphasis in original).

The Court then went on to state that when determining concreteness, a court must decide whether the harm is like those harms traditionally recognized by courts, like physical harm, monetary harm, and intangible harms like reputational harm.

The TransUnion decision then concluded that 1,853 class members suffered a concrete harm that qualifies as an injury-in-fact when their credit reports containing OFAC alerts were sent to third parties and the remaining 6,332 class members only had a theoretical risk of future harm, which was not sufficient as concrete harm under Article III standing, when their reports were flagged with the OFAC alert but not disseminated to third parties.

While TransUnion assessed standing under the FCRA, the Supreme Court’s ruling will likely have far-reaching impact upon matters brought in Federal Court under statutes like the Fair Debt Collection Practices Act (“FDCPA”), the Telephone Consumer Practices Act (“TCPA”), the California Consumer Privacy Act (“CCPA”), and the Illinois Biometric Information Privacy Act (“BIPA”), to name a few, as well as others. TransUnion will likely keep Federal class actions that do not allege concrete injuries from moving past the class certification stage, and if they do, these cases may be dismissed early on. Only time will tell how this ruling will affect the number and frequency of privacy class actions filed in Federal Court, but it does give companies a little breathing room when faced with a privacy event or alleged privacy violation.

Footnotes

1 TransUnion LLC v. Ramirez, 141 S. Ct. 1682 (June 25, 2021).

2 To sue in federal court, a plaintiff must show they have Article III standing which includes the plaintiff suffered concrete injury in fact. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-561 (1992).

3 FCRA regulates consumer reporting agencies that compile and disseminate personal information regarding consumers. 15 U.S.C. § 1681 et. seq. FCRA creates a cause of action for consumers to sue and recover damages for violations. 15 U.S.C. § 1681n(a).

4 Spokeo, Inc v. Robins, 136 S. Ct. 1540 (2016).

5 Id. at 1549.

6 See https://www.dandodiary.com/2021/08/articles/cyber-liability/guest-post-first-there-was-litigation-and-then-there-was-standing/

7 THE OFAC sanctions list is a list of individuals and companies that the department deems a “threat to the national security, foreign policy or economy of the United States” and are barred from engaging in transactions. See U.S. Department of the Treasury Website at https://home.treasury.gov/policy-issues/office-of-foreign-assets-control-sanctions-programs-and-information.

8 Ramirez v. TransUnion LLC, 951 F.3d 1008, 1037 (9th Cir. 2020).

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.

Author

North America Cyber Product Coverage Analyst

Related Solutions

Contact Us