In today’s world nearly everyone’s name, address and various other pieces of arguably personal information reside on many companies’ computer servers. Sharing of such information between companies has resulted in countless class action suits, in many of which the alleged harm is negligible at best. The Supreme Court’s decision on Article III standing in TransUnion LLC v. Ramirez, 594 U.S. 413 (2021) (my blog post), set some ground rules for these types of suits. It has led to extensive debate in the lower courts regarding how to apply the Court’s test in cases alleging invasion of privacy. The Third Circuit recently weighed in, with the majority of the panel concluding that the fact that information was passed on to a single third-party vendor for a ministerial purpose was insufficient to establish standing.
In Barclift v. Keystone Credit Services, LLC, No. 22-1925, – F.4th –, 2024 WL 655479 (3d Cir. Feb. 16, 2024), the plaintiff sued under the Fair Debt Collection Practices Act (FDCPA), alleging that the defendant debt collector violated the FDCPA by providing certain information to a third-party mailing vendor for the purpose of sending the plaintiff a debt collection letter. The plaintiff alleged that this purportedly “caused her embarrassment and stress, invaded her privacy, and inflicted reputational harm.” The plaintiff further alleged that the vendor maintained such data electronically for years, and had once had a data breach (unrelated to her information). The district court held that this was insufficient to establish standing, and the Third Circuit affirmed in a 2-1 decision.
The only issue in dispute was whether, for purposes of standing, the plaintiff had alleged an “injury in fact,” which must be “concrete and particularized.” The Third Circuit explained that “intangible harms can give rise to concrete injuries when they bear ‘a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts,’ such as ‘reputational harms, disclosure of private information, and intrusion upon seclusion.’” In applying this rule, the courts of appeals have applied one of two approaches: (1) an ”element-based approach,” focused on whether the plaintiff alleged all of the elements of a common law tort; or (2) a harm-based approach, focused on “compar[ing] the kind of harm a plaintiff alleges with the kind of harm caused by the comparator tort.” The Third Circuit adopted the harm-based approach as more closely in line with TransUnion.
Applying the harm-based approach, the Third Circuit held that “[i]nformation transmission that neither travels beyond a private intermediary nor creates a sufficient likelihood of external dissemination cannot compare to a traditionally recognized harm that depends on the humiliating effects of public disclosure.” The court further concluded that “the mere assertion that [the vendor’s] employees could access and broadcast [plaintiff’s] personal information to the public is far too speculative to support standing.”
This decision will be helpful to defendants faced with the wave of privacy suits. The debate about where to draw the line, however, will undoubtedly persist. Judge Matey dissented in large part, first criticizing TransUnion, then agreeing with the majority that the harm-based approach was the correct standard, but applying it differently in this case. The dissent would have held that the common law tort of disclosure of private information historically would have found a violation even if the disclosure was to a third party performing a ministerial role, such as a stenographer.