On June 25, 2021, the U.S. Supreme Court in TransUnion LLC v. Ramirez (No. 20-297, slip op.) clarified that for standing purposes in federal courts, an important difference exists between (i) a plaintiff’s statutory cause of action to sue over a violation of law, and (ii) a plaintiff suffering concrete harm because of the violation of law. The Court stated that “an injury in law is not an injury in fact” and held that only those plaintiffs who suffer a “concrete injury” apart from the violation of law alone have standing to sue. This case involved TransUnion’s alleged inaccurate reporting of class members as potential threats to America’s national security. Only a subset of the class, however, was the subject of these incorrect reports provided to third parties, and the Court acknowledged only these individuals as having standing to sue.
The implication of Ramirez is that California Consumer Privacy Act (CCPA) claims brought in federal courts will likely not satisfy the standing requirement if based on the sole fact that a violation of the CCPA has occurred. Procedural violations of the CCPA may not be sufficient, and only plaintiffs who have been concretely harmed by a CCPA violation will be permitted to sue in federal court.
This was illustrated earlier in the year when a California district court dismissed, for lack of standing, the Arifur Rahman v. Marriott International Inc. lawsuit (No. 8:20-cv-00654) alleging violations of the CCPA. In this case, the court found plaintiff suffered no injury in fact despite defendant’s security breach that allowed plaintiff’s and other Marriott customers’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers to be accessed without authorization. The court held that since the breach did not involve “sensitive information,” the plaintiff had not suffered an injury in fact and did not meet standing requirements.
Taken together, these cases may work to significantly limit federal court jurisdiction for alleged CCPA violations, but the outlook is not entirely clear. Businesses should nonetheless maintain reasonable security procedures and practices, especially if processing sensitive information, to mitigate the risk of being subject to federal court jurisdiction for alleged CCPA violations