In this third installment on the enforcement of U.S. consumer data privacy laws, we focus on the role of private litigants.
Following our discussions of state and federal government enforcement, this post focuses on the third way that consumer rights under U.S. privacy laws are enforced: in private proceedings. These cases are often brought in class actions, where a representative plaintiff or plaintiffs may seek legal remedies on their own behalf and on behalf of others who are similarly situated.
Privacy class actions are one of the fastest growing categories of litigation against U.S. businesses. Privacy claims are also a focus of mass arbitration campaigns, in which hundreds and sometimes thousands of individual arbitration demands are threatened and filed in a coordinated effort. Consumers may also bring claims in individual litigation or arbitration.
We could devote an entire treatise to covering the full scope of privacy claims that businesses could face from private litigants, but this post will provide an overview of the most common categories of cases.
Initially, companies should consider the various privacy-specific statutes that may govern their activities, and whether those statutes authorize consumers to bring claims for violations of those laws (known as private rights of action).
To assess the scope of potential litigation exposure, businesses should be mindful of the damages available under applicable statutes, how those damages accrue, and the applicable statutes of limitations.
When assessing class action risk, businesses should consider the use of arbitration provisions and class action waivers, and the risk of mass arbitration. Companies should also analyze the geographic reach of relevant statutes and the potential for nationwide class certification.
When considering which litigation risks they may face, businesses should look beyond privacy-specific laws and remember that consumers, investors, and employees can bring suit under a variety of laws and theories, including those that apply generally.
Most often, plaintiffs will bring claims to enforce their data privacy rights under state or federal laws that confer a private right of action, that is, authorization for a private citizen to enforce their rights through litigation.
The nature of each case, the remedies it seeks, and when and where it can be filed, will turn on a statute’s provisions, including the private right of action.
Businesses, however, should also bear in mind that statutes without a private right of action may be invoked in private litigation as setting the standard for lawful or reasonable conduct, such as lawsuits that allege HIPAA violations constitute unfair business practices.
Recent privacy litigation by consumers against companies has included claims based on the following theories:
- State law unfair and deceptive trade practices, including marketing and advertising, that may be based on alleged violations of privacy statutes that do not specifically include private rights of action, such as HIPAA and COPPA.
- Wiretapping, including under the ECPA, state wiretap statutes, and invasion of privacy acts, particularly for jurisdictions requiring the consent of all parties. Some statutes, such as the California Invasion of Privacy Act, provide for statutory damages of $5,000 per violation.
- Violation of the Video Privacy Protection Act, which provides for a private right of action with statutory damages of $2,500 per violation plus punitive damages and the recovery of attorney’s fees.
- Violation of the Driver’s Privacy Protection Act, which prohibits the release and misuse of a driver’s information if that data has been collected from a “motor vehicle record” and mandates a minimum $2,500 liquidated damages award for each violation.
- Violation of the Illinois Biometric Privacy Act, which provides for damages to consumers and employees of $1,000 per negligent violation, or $5,000 per intentional or reckless violation through the collection of biometric information without disclosure and consent.
- Violation of the Fair Credit Reporting Act, under which consumers can recover damages ranging from $100 to $1,000 when a consumer reporting agency fails to properly reinvestigate or correct inaccurate reporting.
- Violation of the Telephone Consumer Protection Act, which provides up to $500 in damages for each unsolicited telemarketing call, fax, text message, prerecorded phone call or auto-dialed telephone call, and $1,500 for each knowing violation.
- Violations of the California Consumer Privacy Act, which has a private right of action for unauthorized disclosures that are not cured, and carries statutory damages of between $100 and $750 per consumer.
- Securities fraud and shareholder derivative actions against public companies following data security incidents based on disclosures that insufficiently warned of data security risks or overstated cybersecurity defenses, and alleged failures by directors to exercise reasonable care.
This year is already on pace to be the biggest ever for privacy litigation. And assessing and assigning privacy litigation risk is on the rise as a complex and challenging issue in transaction diligence and negotiations.
Companies should look comprehensively at their privacy litigation risks, ensure they understand their insurance coverage, and consider measures to mitigate their exposure. Businesses that use web analytics and tracking tools and practices currently under scrutiny by class action plaintiffs – such as session replay, pixel tracking, and recorded customer service chat communications – should be sure that their legal counsel is aware of those activities. No organization should assume it is immune from litigation exposure based on the size of its operations or revenue.
If you have any questions or concerns about consumer data privacy laws, would like to know whether they apply to your business, or if there are particular topics you’d like us to address in the future, please don’t hesitate to contact Melanie Conroy, Vivek Rao, or Ariel Pardee.