Dangerous Digital Standing: Applying Spokeo and TransUnion to Online Privacy Harms
Michael E. Ten Eyck | 27 Vand. J. Ent. & Tech. L. 589 (2025)
In recent years, the California Invasion of Privacy Act (CIPA) has been used to sue website-holding companies for utilizing chat bots that record online conversations. Such claims have already generated high-profile class actions and multidistrict litigations, with many more expected. Because CIPA violations often occur writ large when websites retain data from their chat boxes, and the statute imposes relatively high damages, there exists an incentive for plaintiffs’ attorneys to seek out aggregated claims, generating time-consuming litigation. Meanwhile, the harms suffered by those bringing suit fall under the category of intangible privacy harms. The US Court of Appeals for the Ninth Circuit’s case law regarding standing shows a broader allowance for potentially nominal harms. This differs from the US Supreme Court’s norm following TransUnion LLC v. Ramirez’s emphasis on an injury’s concreteness to confer standing. While recent decisions show that the effectiveness of CIPA in chatroom-type class actions is limited, at least one court has found a CIPA plaintiff to have standing absent any seemingly concrete harm.
This Note describes the potentially illusory claims giving rise to mass litigation in California federal courts. It then analyzes the common injuries under a proposed reading of TransUnion that denies standing to most intangible harms. It ultimately concludes that appellate review should compel the revival of limited standing applied to intangible, digital harms in the Ninth Circuit. However, the TransUnion decision may rest on shaky Constitutional ground. Justice Thomas has advanced a dissenting view, rooted in history, which emphasizes the nature of the rights at issue. This view might have gained traction with a more originalist judiciary and could eventually prevail. While Justice Thomas’s view would allow seemingly frivolous suits for statutory damages, this Note argues it could also inform legislatures about the best ways to frame causes of action when they aim to protect digital privacy rights.