The robust doctrine known as Article III standing derives from the Constitution’s limit that federal courts may decide only “Cases” and “Controversies.”1 In 2021, the Supreme Court decided TransUnion LLC v. Ramirez,2 holding that violations of statutory rights alone are not always sufficient to establish standing.3 To meet standing’s concrete injury requirement, an alleged statutory harm must be closely analogous to a harm traditionally recognized at common law.4 Recently, in Hunstein v. Preferred Collection & Management Services, Inc.,5 the Eleventh Circuit interpreted TransUnion to require plaintiffs to meet each of the “essential element[s]”6 of the common law analogue.7 While the court acceptably applied TransUnion, the decision reflects a trend in which the judiciary has made it increasingly difficult for plaintiffs to establish standing in privacy litigation. As new technologies transform in ways that either evolve faster than or do not comport with existing invasion of privacy torts, the effect of Hunstein’s strict “essential elements” test is to close off federal courts as an important remedial route for enforcing federal privacy rights.
Following his son’s medical treatment at Johns Hopkins All Children’s Hospital, Richard Hunstein failed to pay the resulting hospital bill.8 The hospital transferred the debt to a collection agency, Preferred Collection and Management Services.9 Preferred, in turn, hired a commercial mail vendor, CompuMail Information Services, Inc., to communicate with Hunstein.10 Preferred provided CompuMail with personal information about Hunstein, including his name, his son’s name, and the amount due.11 CompuMail used this information to populate a form, which it then mailed to Hunstein in a letter.12
Upon receiving the letter, Hunstein sued Preferred, alleging that it violated the Fair Debt Collection Practices Act13 (FDCPA) by disclosing personal information about his debt to CompuMail.14 The FDCPA forbids communicating, “in connection with the collection of any debt, with any person other than the consumer.”15 Hunstein argued that Preferred had violated this provision by transmitting “sensitive medical information” to a third-party vendor.16
The district court granted Preferred’s motion to dismiss for failure to state a claim.17 The court found that Hunstein had not sufficiently alleged that Preferred’s actions violated the FDCPA because the data transmission did not qualify as a communication “in connection with the collection of any debt.”18
On the first appeal, a panel of the Eleventh Circuit requested supplemental briefing on standing.19 The panel agreed with the district court that Hunstein had standing20 but reversed the dismissal for failure to state a claim.21 However, after the Supreme Court issued TransUnion,22 the panel vacated its own opinion, though it issued a new opinion that ultimately reached the same result.23 The Eleventh Circuit then voted to take the case en banc.24
The Eleventh Circuit vacated and remanded.25 Writing for the majority, Judge Grant26 held that Hunstein failed to allege a concrete harm and thus lacked standing.27 She explained that TransUnion requires that a new harm be “similar to an old harm.”28 While an exact duplicate is not required, new allegations “cannot be missing an element ‘essential to liability’ under the comparator tort.”29 Judge Grant concluded that Hunstein’s new alleged harm (disclosure to a private party) was insufficiently similar to the cited traditional harm (disclosure to the public).30
Judge Grant began by outlining the constitutional foundations for standing.31 Article III’s “‘Cases’ and ‘Controversies’” limitation requires injury in fact and not merely injury in law.32 While Congress can elevate intangible harms to legally cognizable injuries by enshrining them in statutes,33 courts cannot hear causes of action based on legal violations that are inherently nonharmful.34 TransUnion managed this separation of powers tension by comparing new statutory causes of action with traditional common law harms.35 Judge Grant interpreted this rule as requiring an element-by-element comparison.36
Applying this rule to the facts of Hunstein’s case, Judge Grant rejected Hunstein’s comparison with the common law tort of public disclosure because Hunstein’s case lacked the essential element of being “public.”37 She found nothing in Hunstein’s complaint indicating that Hunstein’s personal information would reach any party besides CompuMail.38 Rather, the information went straight back to his own home.39 Further, the information was automatically populated into a standard form, suggesting that even CompuMail employees, despite having access, may not have read the information.40 Therefore, Judge Grant characterized the facts as “an electronic transfer between two companies.”41 Hunstein was “simply no worse off” from Preferred’s actions, and thus there was no harm.42
Judge Grant concluded by briefly responding to the dissent’s accusation that this holding would create a circuit split.43 She highlighted that some of the dissent’s cited cases preceded TransUnion while others were decided afterwards.44 Further, the cited cases differed in their facts, alleged harms, and common law analogues, so the dissent’s assertion that they employed a uniform test was faulty.45
Chief Judge William Pryor concurred.46 He wrote separately to reject the dissent’s assertion that the only element in dispute was “publicity.”47 Instead, he argued that all three elements of the traditional harm of public disclosure were absent from Hunstein’s case.48 Taken together, Hunstein’s injury was a “mere personal offense.”49
Judge Newsom dissented.50 First, Judge Newsom argued that the majority’s holding conflicted with TransUnion.51 He began by emphasizing the difference in procedural posture.52 TransUnion was a ruling on the merits whereas Hunstein’s case was on a motion to dismiss, requiring the court to accept the facts alleged by Hunstein as true and draw reasonable inferences in his favor.53 Instead, the court chose to assume that no CompuMail employees saw his information, despite Hunstein not having had the benefit of a trial to negate this inference.54 Judge Newsom also argued that the majority’s “essential element” framework would be functionally equivalent to the “exact duplicate” test rejected by TransUnion.55 Further, he criticized the majority for never convincingly explaining why the near falsity (misleading information) in TransUnion was “close enough,” but Hunstein’s near publicity was not.56 Second, Judge Newsom outlined the “kind-degree” framework employed by sister circuits,57 arguing that this framework better preserves congressional flexibility than does the majority’s “essential elements” test.58 Finally, Judge Newsom emphasized that Preferred had “disclosed information . . . to the employees of an unauthorized third-party mail house.”59 This fact was key to Judge Newsom’s argument that there had been public disclosure of private information because a large number of employees at the mail vendor could have seen or did see Hunstein’s private information.60
While Hunstein’s “essential elements” test for injury in fact falls within the acceptable scope of TransUnion’s rule, it reflects the larger trend of increasingly stringent standing requirements that make it difficult for plaintiffs to seek remedial action in the federal courts.61 The ramifications are especially salient in privacy litigation, where invasive new technologies and data-collection practices transform faster than privacy torts in common law can accommodate. TransUnion, as applied in Hunstein, creates a test for standing that is likely to leave victims of violations of federal privacy statutes without a cause of action in federal courts.
TransUnion’s rule statement on Article III standing is vague, specifying only that a new statutory harm must be “close enough” to a traditional common law harm.62 In TransUnion itself, the Supreme Court held that misleading statements were close enough to the false statements required for defamation, but that their lack of dissemination failed defamation’s publicity requirement.63 But as the application of TransUnion in Hunstein shows, the contours of the Court’s reasoning are unclear. For example, how does a court determine which elements of a traditional harm are “essential” and which are not?64 And once the essential elements are defined, is “close enough” a descriptive term for when a new harm meets all the essential elements? Or is “close enough” a standard to strive toward for each of the individual essential elements? The Court did not announce a definitive standard, and so Hunstein’s interpretation — which is that “close enough” is a descriptive term for meeting all the essential elements65 — is not a misapplication of TransUnion but instead a natural consequence.
Hunstein’s holding, however, limits access to federal courts for plaintiffs suing for breaches of federal data privacy rights. By requiring that plaintiffs demonstrate each of the individual essential elements of common law claims, the Eleventh Circuit has entrenched the standing inquiry in the form of common law that is “traditional” — that is, what has already been written into black letter law.66 Existing privacy torts, however, do not adequately cover new technology-enabled harms.
The four traditional privacy torts are (1) public disclosure of private facts, (2) publicity that places a person in a false light in the public eye, (3) intrusion upon seclusion, and (4) appropriation of a person’s name or likeness for the defendant’s advantage.67 New privacy harms are fundamentally different in kind from these existing privacy torts because of the rapidly evolving capacity of data aggregation, which, rather than a discrete invasion, is more akin to long-term and broad-reaching surveillance.68 The following paragraphs explain the insufficiency of the four existing torts in turn, using Flo as an illustrative example.
Flo, a consumer app, collects users’ menstrual health and fertility data, which can then be used to calculate and predict myriad behavioral patterns on an individual and aggregate scale.69 Flo Health, the company behind the app, sold access to its users’ data to third parties, which led to enormous backlash from the public70 and a settlement with the FTC.71 Under Hunstein, Flo users likely could not pursue private rights of action under federal law because the company’s actions do not meet the essential elements of the four traditional privacy torts.
The first and second torts — public disclosure of private facts and publicity placing a person in a false light — both require publicity to establish a viable cause of action.72 Thus, private data transfers, even massive exchanges of user data between large corporations like Flo Health and third-party advertisers, would not be sufficient to establish concrete injury for standing under Hunstein.
The third tort — intrusion upon seclusion — protects the right to stay out of the public eye.73 One of its essential elements, secrecy, requires that the information into which the defendant is alleged to have pried be strictly private.74 The tort typically requires an intentional intrusion into a private space, conversation, or data source without the plaintiff’s permission.75 Under this view, since the users voluntarily provided their information to Flo Health, Flo Health cannot be found to have intruded without permission into the users’ space. Even under a broader conception of this tort that includes disclosures to third parties, however, “[m]any courts have found that the collection — and even disclosure to certain third parties — of personal information about the users . . . may not constitute a sufficiently ‘egregious breach of social norms’” to make out an intrusion upon seclusion claim.76 As a result, the secrecy requirement would not be satisfied, and a plaintiff could not establish standing under this tort.
Finally, the fourth tort — appropriation of likeness — protects the commercial interests of an individual in their name or likeness.77 For example, this tort prevents a business from using a photograph of an individual’s face without their consent in an advertisement. This tort has gained traction in recent years as an avenue of protection for consumer privacy.78 However, an essential element of this tort is the appropriation of a trait that can identify the plaintiff, such as by depicting a unique trait of the plaintiff’s, like a name or face.79 This would not adequately cover the menstrual and fertility data collected by Flo Health, nor other forms of highly sensitive data like geolocation information, religious convictions, political beliefs, and so on.80 However, while these individual data points are not enough to identify a person, companies can aggregate them to predict and shape future behaviors without ever crossing the threshold of associating the data with a specific individual.81
In sum, existing privacy torts are insufficient to cover harms posed by modern data-collection and bartering practices. As the example of Flo Health illustrates, Hunstein’s holding has the effect of closing off federal courts as a venue for remedying violations of federal privacy rights. While there are enforcement mechanisms that are not private rights of action under federal law, such as settlement with executive agencies and statutory remedies under state law, federal private rights of action are nevertheless important avenues for redress. Not all states have consumer privacy statutes,82 and federal administrative enforcement is both constrained by resources and dependent on policy preferences of the presidential administration.83
The Eleventh Circuit’s interpretation of TransUnion in Hunstein falls within the acceptable scope of the Supreme Court’s standing doctrine. However, the decision reflects the judiciary’s trend of creating increasingly high hurdles for plaintiffs to surmount in establishing standing in privacy suits. The traditional causes to which statutory privacy causes of action might be analogized are insufficient to capture modern harms, particularly as conceptions of privacy rights evolve with new technologies at speeds too fast for the common law to adequately keep up with. The slew of new state privacy laws84 and FTC enforcement actions85 in the past five years is an indication of dissatisfaction with gaps in common law. In a post-TransUnion world, circuit court decisions like Hunstein indicate that plaintiffs seeking to vindicate privacy rights likely will not be able to turn to federal courts.