The U.S. Supreme Court’s 5-4 decision in TransUnion LLC v. Ramirez may make the road to privacy class actions harder. But recent decisions in the wake of Ramirez suggest the full impact of the decision remains to be seen.
The plaintiffs argued the credit bureau generated credit reports that erroneously flagged law-abiding people as potential terrorists and drug traffickers. In doing so, the plaintiffs argued, the credit bureau violated several provisions of the Fair Credit Reporting Act (FCRA) that entitle consumers to accuracy in credit-reporting procedures, to receiving information in their credit files, and to receiving a summary of their rights.
Justice Kavanaugh delivered the opinion, which Justices Alito, Gorsuch, Barrett, and Roberts joined. They held that only plaintiffs concretely harmed by a defendant’s statutory violation have Article III standing to seek damages against that private defendant in federal court. They had “no trouble” concluding that 1,853 class members suffered a concrete harm because the credit bureau provided third parties with credit reports labeling those class members as potential terrorists.
But the remaining 6,332 class members did not suffer a concrete harm because the credit bureau never provided those plaintiffs’ credit information to any potential creditors. Those plaintiffs argued there was a risk that the their credit information—with the misleading alerts—could be disseminated to third parties in the future. They also argued formatting defects in mailings sent to them by the credit bureau put them at risk of not learning about the misleading alert.
The majority rejected these arguments, holding that a risk of future harm on its own is not enough to support Article III standing for the plaintiffs’ damages claim.
The Court ultimately reversed the judgment of the Ninth Circuit—which included a class damages award of about $40 million—and remanded the case. Justices Thomas, Breyer, Sotomayor, and Kagan dissented.
The road from Spokeo
The Ramirez decision follows the Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins.  The plaintiff in Spokeo alleged violations of the Fair Credit Reporting Act, of a proposed class of individuals. In Spokeo, the Court specified that a plaintiff must allege a harm that is both “concrete and particularized.” This means that a plaintiff cannot “allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.” Article III standing is a requirement for bringing a lawsuit in federal court.
While the Spokeo decision identified that a bare procedural violation without a concrete harm would not be enough for Article III standing, it left unsaid whether the plaintiff in Spokeo had satisfied that threshold. Instead, the Court remanded to the Ninth Circuit to consider whether the plaintiff’s injury was both concrete and particularized. On remand, the district court dismissed the plaintiff’s complaint for lack of standing, but the Ninth Circuit reversed, and determined that Robins had alleged injuries that were sufficiently concrete and particularized.
What impact has Ramirez already had?
Federal district courts have already begun trying to grapple with the decision in Ramirez. In one case, Judge Samuel H. Mays, Jr. of the Western District of Tennessee looked at Ramirez to hold that alleged procedural violations of the Fair Debt Collection Practices Act (FDCPA), taken alone, are not injuries in fact sufficient to confer standing for a putative class action. Judge Mays acknowledged that the Sixth Circuit previously relied on the risk-of-harm inquiry under Spokeo. But, he reasoned, the Supreme Court’s decision in Ramirez modified those decisions by clarifying that “the risk-of-harm analysis applies only in suits seeking injunctive relief and cannot be used to establish standing in a suit for damages.” Because the plaintiff in the case before him relied on the risk-of-harm analysis to support her claim for damages, Judge Mays dismissed the case for lack of standing.
Meanwhile, a California district judge distinguished Ramirez as “involv[ing] a claim akin to defamation, not invasion of privacy.” In that case , a man brought a putative class action against Miniclip SA and Apple Inc., claiming, in part, that they invaded his privacy under the California Constitution via an iPhone app developed by Miniclip. U.S. District Judge William Shubb of the Eastern District of California rejected Miniclip’s argument that the plaintiff needed to allege Miniclip shared or otherwise disseminated his private information in order to satisfy Article III’s standing requirement.
But in a case out of the Central District of California, Judge Dale S. Fischer remanded a putative class action alleging violations of the FCRA because the lawsuit was “merely one to vindicate procedural violations of applicable credit reporting laws,” which did not establish Article III standing under Ramirez. 
Interestingly, in two other cases—one out of South Carolina and one out of Minnesota—the district court judges suggested Ramirez may not impact a court’s injury-in-fact analysis at the motion to dismiss stage. In Blackbaud, Inc., Customer Data Breach Litig., Judge Michelle Childs suggested this in a footnote, stating: “[T]his case is procedurally distinguishable from Ramirez because the court does not have the ‘helpful benefit of a jury verdict’ at this phase of the litigation.”
These cases suggest that the impacts of Ramirez may not be as clear cut as they may seem at first blush. Given the evolving landscape of data related litigation, Ramirez’s full impact remains to be seen.
Thompson Coburn’s Cybersecurity, Privacy and Data Governance attorneys are closely monitoring the developments.
Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale is an associate in Thompson Coburn’s Business Litigation group.
 The court ultimately dismissed the plaintiff’s claim for invasion of privacy under the California Constitution because any alleged intrusion did not rise to the level of a “egregious breach of social norms” that is “highly offensive” as required under California precedent.
 See Christian Lab. Ass'n v. City of Duluth, No. CV 21-227 (DWF/LIB), 2021 WL 2783732, n. 13 (D. Minn. July 2, 2021); and Blackbaud, Inc., Customer Data Breach Litig., No. 3:20-MN-02972-JMC, 2021 WL 2718439, at *6 n. 15 (D.S.C. July 1, 2021)