The Supreme Court heard arguments Tuesday morning, March 30, regarding class certification related to Article III standing in TransUnion v. Ramirez, where only 25% of a certified class suffered injury.  In its briefing and in yesterday’s arguments, TransUnion argued that class certification should only apply where every class member has standing and the lead plaintiff does not allege atypical injuries.

Oral Argument in TransUnion v Ramirez

In TransUnion v. Ramirez, plaintiff Ramirez alleged that he suffered injury in violation of the Fair Credit and Reporting Act (“FCRA”) as a result of TransUnion, a credit reporting company, incorrectly matching his name with a similar name on a government “terrorist list.”  His alleged injuries included difficulty obtaining credit, cancelation of a vacation, and embarrassment.  Ramirez sued TransUnion on behalf of 8,100 individuals.  Of that group, only 25% had their credit report disseminated to any third party with incorrect or misleading information, were denied credit, or faced other injuries similar to those alleged by Ramirez.  In the lower courts, a jury awarded Ramirez $8.1 million in statutory fines and $52 million in punitive damages for the class.  The Ninth Circuit approved class-wide standing but reduced the punitive damages amount.[1]

The Supreme Court subsequently granted cert to answer the question: “Whether either Article III or Rule 23 permits a damages class action where the vast majority of the class suffered no actual injury, let alone an injury anything like what the class representative suffered.”  Oral argument primarily focused on the typicality issue—inquiring which of Plaintiff Ramirez’s injuries compared to the injuries of the class and whether that is enough to certify the class.

A few justices, however, raised the application of Spokeo[2] in evaluating arguments regarding risk of future harms relevant to Article III standing as applied to the 75% of class members who were otherwise uninjured.  Justice Amy Coney Barrett suggested material risk of harm could be framed as moot if new facts develop or class members remain uninjured after a period of time, rather than framing the issue as a determination of concreteness of an injury.  And Justice Brett Kavanaugh commented: “I hadn’t thought risk of harm would get you standing for damages claims [in most cases].”

These comments from the panel preview the importance of this case not only on issues of class certification, but on the larger issue of Article III standing.  Accordingly, the outcome of the case has the potential to resolve a circuit split regarding Article III standing, and change the landscape of large consumer privacy and data breach class actions going forward.  If the Court were to determine that a large class cannot be certified where a majority of its members are uninjured—or vastly less injured than the lead plaintiff—it could affect whether data breach class actions can be dismissed in early court proceedings based on insufficient class-wide standing.

Background: Article III Standing Circuit Split

The oral argument came at the heels of the Eleventh Circuit cementing the circuit split regarding Article III standing in data privacy cases.[3] Circuits have been split as to what harms constitute injury under Article III in the data breach context, particularly where the harms alleged are based on fears of potential future—not actual—harms and related mitigation efforts, such as lost time and costs associated with cancelling credit cards and monitoring for possible identify theft.

The Second, Third, Fourth, Eighth and Eleventh Circuit Courts have held that mere allegations of fear of future identity theft and related manufactured injuries (waste of time and annoyance to monitor credit or cancel payment cards) are insufficient to confer standing absent allegations of actual fraud or misuse of information.  For example, conclusory allegations of actual injury (e.g., “unauthorized charges”) suffered by class members have been found to be insufficient without specific evidence of at least some misuse of a class member’s data.  These circuits have dismissed cases at the pleading stage because speculative allegations of fear of future identity theft cannot constitute injury-in-fact, even where plaintiffs allege actual fraud or misuse of their personal information.[4]  Moreover, where plaintiffs face only a hypothetical, non-imminent harm, plaintiffs’ mitigation efforts—such as cancelling payment cards and monitoring for identity theft—have been viewed as voluntary and, therefore, insufficient to confer standing.

The D.C., Sixth, Seventh and Ninth Circuits, in contrast, have allowed cases to proceed past the pleading stage by finding injury-in-fact where the plaintiffs alleged fear of future disclosure of personal information if the plaintiffs also alleged at least some actual fraud or misuse of information to support that fear.

Significance

While the primary focus of this case is class certification in the FCRA context, the outcome has the potential to influence the circuit split on Article III standing for data privacy cases, which could change the viability of data breach actions as well as class certification.  While there is no guarantee the Supreme Court’s resulting decision will address the Article III standing issue or provide the bright line rule many businesses are looking for, businesses will be watching closely for the way that the decision could affect the future of data privacy class actions.

[1] Ramirez v. TransUnion LLC, 951 F.3d 1008 (9th Cir. 2020), cert. granted in part, No. 20-297, 2020 WL 7368280 (U.S. Dec. 16, 2020) (mem.).

[2] Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016) (holding injury-in-fact sufficient for Article III standing must be “concrete and particularized.”).

[3] Tsao v. Captiva MVP Restaurant Partners, 2021 U.S. App. LEXIS 3055 (11th Cir., Feb 4, 2021) (dismissing data breach class action for lack of Article III standing where plaintiff’s allegations of threat of future harm were not “certainly impending” and there was no “substantial risk of such harm” because plaintiff only alleged hackers may have accessed his credit card information and did not allege theft of fraud as a result.)

[4] See, e.g., In re SuperValu, 870 F.3d 763, 769-71 (8th Cir. 2017).