A procedural violation of a state’s privacy statute is not alone enough to establish Article III standing—a plaintiff must suffer a concrete injury, such as an increased risk of identity theft. The Fourth Circuit’s decision in O’Leary v. TrustedID, Inc., 2023 WL 2125996 (4th Cir. Feb. 21, 2023) confirms this—but also illustrates how Article III standing is a two-edged sword that may allow a plaintiff to defeat a defendant’s attempt to remove a case to federal court.
The plaintiff in O’Leary filed a class action against TrustedID in South Carolina state court for allegedly violating South Carolina’s Financial Identity Fraud and Identity Theft Protection Act, S.C. Code Ann. § 37-20-180. The statute prohibits requiring consumers to use six or more digits of their Social Security numbers to access a website without also requiring some other authentication measure. The plaintiff alleged that TrustedID’s website required him to provide six digits of his Social Security number and did not have any other safety precautions, such as a password requirement.