TransUnion v. Ramirez: Why state enforcement will be central to the success of a future federal privacy law

In June, the Supreme Court handed down TransUnion v. Ramirez, a landmark decision with huge implications for the enforcement of privacy law. For decades, the Supreme Court has slowly narrowed the threshold for standing in federal court – requiring plaintiffs to demonstrate not only that they have suffered an injury, caused by the defendant, that is redressible by the court, but also that their injury constitutes “an invasion of a legally protected interest which is 1) concrete and particularized and 2) actual and imminent. …” In TransUnion, the majority narrowed the injury prong further still, holding that “an asserted risk of future harm” without more is not sufficiently concrete to support standing in federal court, and that Congress’s ability to establish an injury in fact through law is limited. Moving forward, consequently, even when a legal right is created through a statute, the judiciary holds the ultimate authority to determine when a violation of that right has resulted in an injury.

The decision prompted widespread response from the legal community, with many voicing concern regarding the potential difficulties it will pose to bringing claims pursuant to a private right of action, especially in areas of the law where harms are less tangible, such as privacy law. This means bringing a claim in federal court under statutes such as the Fair Credit Reporting Act or the Privacy Act may be rendered nearly impossible in some instances. If Congress succeeds in making a federal comprehensive privacy law a reality, lawmakers must consider the TransUnion decision, and take steps to ensure that victims of privacy harms will be able to bring claims based on statutorily created rights in state courts.

TransUnion v. Ramirez arose from a 2011 incident involving credit reporting agency TransUnion and its Office of Foreign Asset Control (OFAC) Name Screen Alert service, which cross-checked credit reports with the U.S. Treasury Department’s list of “‘specially designated nationals’ who threaten American national security.” Through the OFAC service, TransUnion incorrectly identified thousands of individuals as potential terrorists or drug dealers. Named plaintiff Sergio Ramirez found this out the hard way when he was denied credit to purchase a car because his name was incorrectly flagged. Ramirez and a class of 8,185 plaintiffs sued in federal court, arguing TransUnion violated the Fair Credit Reporting Act (FCRA) by failing to “follow reasonable procedures to assure [the] maximum possible accuracy” of a consumer report. Of the 8,185 plaintiffs, 1,853 suffered reputational harm or were denied credit when their incorrect reports were disseminated to third parties. TransUnion moved to dismiss the action, however, arguing that the remaining 6,332 whose incorrect information was maintained by TransUnion, but not transferred to a third party, were not injured and did not have standing to sue in federal court.

On appeal, the Court conceded that TransUnion violated the FCRA, but definitively asserted “[n]o concrete harm, no standing.” The majority opinion reasoned that in claims for statutory damages such as this, being inaccurately labeled a criminal without dissemination to a third party does not constitute a concrete harm, even though Congress explicitly intended for it to be recoverable under the FCRA’s private right of action. However, in the eyes of the Court, violating the law is simply not enough for an offender to be held accountable for its actions, despite the clear intent of Congress. Therefore, the Court held, only the plaintiffs whose information was transferred to a third party had Article III standing, and the remaining 6,332 were precluded from bringing suit until they suffered a sufficiently “concrete” harm as a result of the mislabeling, such as being denied credit.

In a powerful dissent, Justice Clarence Thomas sharply disagreed with his conservative colleagues, criticizing the majority for “second guessing” the legislature and asserting that “one need only tap into common sense to know that receiving a letter identifying you as a potential drug trafficker or terrorist is harmful.” Thomas argues, and leading scholars agree, that historically, for violations of private rights such as trespass to land, plaintiffs only needed to claim a violation of the right without proving injury. However, when it comes to violations of privacy rights, courts have held plaintiffs to a higher standard and required a “special” type of harm. This privacy exceptionalism, as it is sometimes deemed, makes it more difficult for victims to recover, and makes little sense when compared to traditional injuries recognized by the law.

While the TransUnion holding is troubling, it may not be as detrimental to the future of federal privacy law as it seems at first glance. In footnote 9, Thomas dubs the majority’s decision a “pyrrhic victory” for TransUnion, suggesting a solution for victims of intangible statutory harms no longer considered adequate to establish Article III standing in federal court: the states. Unlike federal courts, state courts have general jurisdiction to hear all cases not specifically reserved for the federal courts by statute or the constitution. As Thomas explains, even when litigating issues of federal law, state courts are not beholden to Article III standing requirements, and are free to fashion their own rules of justiciability. As a result of the Court's decision, he asserts, state courts may become the sole forum for claims brought pursuant to violations of the FCRA and similar statutes.

In working to pass a comprehensive federal privacy law, Congress must acknowledge the impact of the TransUnion majority decision and Justice Thomas’s dissent and include a private right of action enforceable in state courts. However, the debate over including a private right of action in a federal privacy law is central to why passing one has been so difficult in the first place. Privacy advocates consider a private right of action to be an essential element of enforcement, arguing it alleviates the regulatory burden on administrative agencies, reduces the risk of agency capture, and places greater pressure on companies to comply. Industry representatives, on the other hand, sharply reject the inclusion of a private right of action, citing concerns over “nuisance lawsuits” and the potential for uncapped damages. Despite the polarizing opinions surrounding the necessity of a private right of action, many of the most promising privacy bills introduced in the last two Congressional sessions contain provisions that would allow claims to be brought in state court as Thomas suggests, where plaintiffs are not constrained by the TransUnion holding.

Four Democrat-backed proposals, the Consumer Online Privacy Act of 2019 (Cantwell, D-WA), the Online Privacy Act of 2019 (Eshoo, D-CA), the Data Accountability and Transparency Act of 2020 (Brown, D-OH), and the Privacy Bill of Rights Act (Markey, D-MA), all include a private right of action that empower citizens to bring statutory claims in state court, even in instances where the TransUnion precedent precludes them from having standing in federal court as Justice Thomas anticipated. Lawmakers have been aware of the constraints the Court’s Article III interpretation places on statutory harms — Markey and Brown’s bills even explicitly articulate that a violation of the statute is an “injury in fact” in an attempt to preserve access to private enforcement. However, under the TransUnion holding, even this language does not go far enough. If lawmakers want to ensure that victims of privacy harms will still have access to the courts, they must include language that explicitly provides for state court jurisdiction over violations. While this does not completely eliminate the risk to the private enforcement of privacy rights (some state courts have adopted Article III standing requirements even absent a constitutional requirement), it is still a step in the right direction and way to ensure this importance enforcement mechanism is not completely extinguished by the Court’s decision in TransUnion.

As lawmakers continue to debate what a federal privacy law in the U.S. should look like, including a private right of action enforceable in state courts is an imperfect, but important step in holding offenders accountable, encouraging democratic participation and retaining the essential benefits private enforcement provides. Placing authority in the hands of the FTC alone is insufficient. Victims of privacy harms must be able to recover for their injuries, even in instances that the TransUnion Court refuses to recognize.