Keywords
data; data privacy; privacy; data breach; standing; privacy standing; Article III; concrete; concreteness; tech; technology; common-law analogue; TransUnion; DPPA; data regulation; information technology; privacy tort; commercial surveillance; cybersecurity
Abstract
In recent years, the Supreme Court has tightened federal court standing requirements for intangible harms, including statutory harms. In TransUnion LLC v. Ramirez, the Court held that a mere statutory violation, absent a common-law analogue, is not sufficiently concrete to grant standing. The Court did not provide clear guidance as to how stringent the common-law analogue analysis must be, other than that it does not require an “exact duplicate.” Because of the ever-evolving nature of digital data, data breach victims attempting to enforce their statutory right to privacy in federal court have struggled to rely on tradition and history to find common-law analogues for their harms.
Adding to the confusion, circuit courts have inconsistently applied the common-law analogue analysis, with some conducting a rigid, element-by-element comparison of the statutory harm and the comparator common-law harm and others conducting a more flexible, adaptive comparison that seeks alignment in kind but not degree. In the context of data breach claims, this analysis often turns on whether the breached data is deemed sufficiently offensive or sensitive.
This Note analyzes a recent string of cases invoking the Driver’s Privacy Protection Act of 1994 (DPPA) to examine how courts can achieve greater consistency in their standing inquiries for data not traditionally seen as sensitive, including driver’s license numbers. Ultimately, this Note calls for widespread adoption of the flexible common-law analogue test for all violations of commercial surveillance statutes, recognizing that historical harms do not and will not adequately map onto the harms consumers face today. The flexible test also would not discriminate between different types of data, respecting the legislature’s role of codifying new rights, and it would remain true to TransUnion’s intended standard. In sum, a more flexible standard promises to ensure that individuals can continue to rely on the law to protect their private rights.
Recommended Citation
Jeeyoon Lim, Is Your Data Good, Bad, or Neutral?: Redefining Concreteness for Data Breach Harms, 94 Fordham L. Rev. 299 (2025).
Available at: https://ir.lawnet.fordham.edu/flr/vol94/iss1/7
Included in
Administrative Law Commons, Commercial Law Commons, Consumer Protection Law Commons, Entertainment, Arts, and Sports Law Commons, Intellectual Property Law Commons, Internet Law Commons, Jurisprudence Commons, Legislation Commons, Privacy Law Commons, Science and Technology Law Commons, Supreme Court of the United States Commons, Torts Commons