Suing technology firms when they mess up is already hard, especially when it’s over privacy violations. Now, Facebook, Google, and the trade groups representing all the big tech firms are asking the Supreme Court to make it even harder for class actions to pursue cases against them.
Facebook, Google, and all the others submitted a filing (PDF) to the Supreme Court this week essentially arguing that if you cannot prove the specific extent to which their screwup injured you, you should not have any grounds to be part of a lawsuit against them.
Class-action suits start with a lead plaintiff—basically a representative of the group who stands in for hundreds or thousands of other individuals in a similar, or theoretically similar—but not necessarily identical—situation. This is particularly key in cases relating to privacy and data, where a small handful of plaintiffs for whom something goes badly wrong may be the reason that hundreds, thousands, or even millions of users then discover that their data is being similarly mishandled.
The tech firms, however, want the court to say that everyone in the class has to be able to prove a similar injury in order to participate—a limitation that would severely curtail lawsuits such as the biometric privacy case Facebook just settled in Illinois from going forward.
The filing comes as a brief to TransUnion v. Ramirez, which the Supreme Court is expected to hear next month.
In 2011, Sergio Ramirez and his wife went out to buy a car. During the transaction, the dealership ran a credit report on both buyers, as is typical. However, the report—from TransUnion—returned that Ramirez’s name matched a terrorist watchlist maintained by the Department of the Treasury’s Office of Foreign Assets Control (OFAC), and the dealership would therefore not sell him a car. (His wife bought the car solo.)
After the incident at the dealership, Ramirez requested a copy of his TransUnion credit report, which did not mention the OFAC warning at all. TransUnion later sent Ramirez a copy of the OFAC notice, but it did not include a mechanism for challenging this incorrect information, which had linked him to two individuals with different middle initials and birth dates.
Ramirez hired a lawyer and got the alert removed from his TransUnion report. Then, in 2012, Ramirez filed a potential class-action suit alleging that TransUnion violated the Fair Credit Reporting Act. The eventual class was determined to have about 8,200 members. The court found in favor of the plaintiffs, determining that each member of the class should receive more than $7,000 in compensation: $984 in statutory damages, and $6350 in punitive damages.
TransUnion appealed, arguing in part that Ramirez’s case was nonrepresentative, as the vast majority of the other class members incurred no specific harm from its behavior. The US Court of Appeals for the 9th Circuit issued an opinion (PDF) in 2020 finding that the original case was valid and upholding the original ruling. The opinion, however, cut the punitive damages awarded per class member roughly in half.
A few months after losing its first appeal, TransUnion then asked the Supreme Court to take the case. In its petition (PDF), TransUnion argued that Article III of the US Constitution or the Federal Rules of Civil Procedure should bar a class from suing unless the members in it can prove they suffered an actual injury.
The Supreme Court agreed to take the case, and oral arguments are scheduled for March 30. Ahead of next month’s hearing, a whole flurry of amicus curiae (friend of the court) briefs have been filed this week in support of one side or the other.
The concerned parties
This is where our familiar tech firm faces come into play. Google, Facebook, eBay, and three different trade groups—the CCIA, the Internet Association, and TechNet, who together represent just about every tech company you’ve ever heard of—all signed on to an amicus brief this week in support of TransUnion.
“Permitting these abusive no-injury class action lawsuits has a particularly negative effect on [big tech firms] due to the broad scale of their operations,” the filing reads. “If any of the millions of individuals” who use Internet platforms in a given day “claims to be injured by a generalized act or practice that allegedly violates a statute that provides a private cause of action and statutory damages, she can, without more, launch and prosecute to a class action on behalf of herself and millions of other ‘similarly situated’ users, without proving that any other member of the class has actually suffered an injury similar to hers—or any risk of injury” at all.
Translated from legalese, Big Tech’s position is that if you can’t prove that their violation of the law actually hurt you personally, you can’t join a class-action suit permitted by that law.
Those cases are already fairly few and far between because there aren’t many state or federal laws that explicitly apply to potentially widespread privacy violations and provide for consumer lawsuits as a venue of relief. Illinois does have one such law on the books, the Biometric Information Privacy Act (BIPA), and as a result, firms that collect or use specific consumer data without clear disclosures and opt-out mechanisms can find themselves in trouble in that state.
Facebook in January reached a settlement over BIPA violation allegations, and a class of 1.5 million Illinois Facebook users will receive about $300 each as a result. Video platform Vimeo is similarly being sued in the Prairie State, as is controversial facial recognition platform Clearview AI.
The amicus filing explicitly cites the Illinois settlement as an example of a case that should not exist. “No plaintiff alleged that he or she had suffered any harm from Facebook’s technology,” the firms wrote, adding that Facebook’s tagging feature includes an opt-out mechanism. “But—according to the complaint—Facebook had not sought the particular kind of consent, or provided putative class members with the particular kind of notice, required by BIPA.”
According to the filing’s reasoning here, Facebook should not have been held liable for violating Illinois law, because doing so didn’t actually hurt anyone, as far as it could tell.
“Commonly,” in lawsuits against tech firms, “many if not most members of the putative class are unaware of the defendant’s technical violation and are entirely unharmed,” the firms wrote.
We will find out sometime in May or June if the Supreme Court decides “no harm, no foul” to be a compelling legal argument.