A procedural violation of a state’s privacy statute is not alone enough to establish Article III standing—a plaintiff must suffer a concrete injury, such as an increased risk of identity theft. The Fourth Circuit’s decision in O’Leary v. TrustedID, Inc., 2023 WL 2125996 (4th Cir. Feb. 21, 2023) confirms this—but also illustrates how Article III standing is a two-edged sword that may allow a plaintiff to defeat a defendant’s attempt to remove a case to federal court.
The plaintiff in O’Leary filed a class action against TrustedID in South Carolina state court for allegedly violating South Carolina’s Financial Identity Fraud and Identity Theft Protection Act, S.C. Code Ann. § 37-20-180. The statute prohibits requiring consumers to use six or more digits of their Social Security numbers to access a website without also requiring some other authentication measure. The plaintiff alleged that TrustedID’s website required him to provide six digits of his Social Security number and did not have any other safety precautions, such as a password requirement.
TrustedID removed the suit to federal court under the Class Action Fairness Act. While TrustedID’s motion to dismiss was pending, the plaintiff filed a motion asking the court to decide whether he had Article III standing to bring his claims in light of TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021), which had been recently decided. The district court held that the plaintiff had standing, but it dismissed the case on the merits.
The Fourth Circuit reversed the district court’s ruling on standing and ordered that the case be remanded back to state court. In the court’s view, the plaintiff lacked standing because he could not establish that entering six digits of his Social Security number—as opposed to five—meaningfully raised the risk of identity theft. The court also rejected the argument that the plaintiff could establish standing based solely on an abstract privacy interest in his Social Security number. Intangible harms are sufficient to confer standing if they bear a close relationship to a traditional or common law analog—such as “intrusion upon seclusion” or “disclosure of private information.” But the court held that neither of those analogs was relevant because the plaintiff voluntarily disclosed his Social Security number to TrustedID.
Importantly, the Fourth Circuit’s decision did not result in a dismissal of the plaintiff’s claim—its decision addressed only federal jurisdiction, not the merits—so the outcome was an order that the case be remanded to state court.
The Fourth Circuit’s decision confirmed that a plaintiff seeking to present a claim in federal court premised on violations of state privacy statutes must show a more concrete harm than merely the fact that the statute was violated. However, as this decision illustrates, the benefits of this standing doctrine do not flow in just one direction: plaintiffs may be able to rely on lack of federal standing to protect their choice of a state forum.