“For years, the plaintiffs’ bar has conjured multibillion-dollar class action lawsuits out of largely intangible privacy harms. This wave of litigation is increasingly driven by federal and state statutes that include private rights of action and allow for excessive statutory damages. Given the willingness of some courts to let cases proceed despite a lack of allegations or evidence of concrete harm, this litigation trend shows no sign of abating.”
The U.S. Chamber of Commerce Institute for Legal Reform has published “Ill-Suited: Private Rights of Action and Privacy Claims,” a white paper authored by Hogan Lovells’ Mark W. Brennan, Alicia Paller, Adam Cooke, and Joseph Cavanaugh explaining why private litigation is a poor enforcement tool for privacy laws. As detailed in the paper, when it comes to privacy interests, “harms” are largely inchoate and intangible, and the wrongdoers are often unknown or unidentifiable. Even where class members may have suffered a concrete injury, the data indicates that they are unlikely to receive material compensatory or injunctive relief through private litigation. Meanwhile, plaintiffs’ counsel often walks away with millions of dollars, court dockets are unduly cluttered, and companies are forced to expend resources on baseless litigation.
Whereas a stream of harmful consequences flow from private rights of action for privacy laws, agency enforcement provides the right balance between protection, penalties, deterrence, and progress.
Statutory Private Rights of Action: Inefficient and Ineffective for Addressing Privacy Concerns
Rampant litigation under the Telephone Consumer Protection Act (TCPA) and Fair Credit Reporting Act (FCRA) serve as two examples of how private rights of action are insufficient to address claims involving privacy interests. In addition, suits under the Video Privacy Protection Act (VPPA) remain a source of litigation for miscellaneous privacy grievances that do not fit within other existing statutory schemes. And, litigation under the Illinois Biometric Information Privacy Act (BIPA) is particularly voluminous and problematic, forcing other states considering similar biometric laws to assess whether it truly makes sense to include a private right of action. Ill-Suited explores trends in litigation under each of these statutes, as well as other statutes under which plaintiffs attempt to fit a square peg in a round hole, alleging privacy harms or rights where no harms or rights exist.
Even More Problems With Privacy Private Rights of Action
Ill-Suited highlights numerous detrimental consequences from privacy private rights of action, including:
- Private rights of action undermine appropriate agency enforcement and allow plaintiffs’ lawyers to set policy nationwide, rather than allowing expert regulators to shape and balance policy and protections.
- Private rights of action lead to a series of inconsistent and dramatically varied, district-by-district court rulings.
- Combined with the power handed to the plaintiffs’ bar in Federal Rule of Civil Procedure 23, private rights of action are routinely abused by plaintiffs’ attorneys, leading to grossly expensive litigation and staggeringly high settlements that disproportionally benefit plaintiffs’ lawyers rather than individuals whose privacy interests may have been infringed.
- Private rights of action hinder innovation and consumer choice by threatening companies with frivolous, excessive, and expensive litigation, particularly if those companies are at the forefront of transformative new technologies.
Agency Enforcement: A Better Approach
In the privacy context, agency enforcement is far superior to private litigation. Agency enforcement is typically led by experts who are familiar with standards and best practices, who are intimately aware of the workings of relevant industries, and who have a thorough understanding of the regulations with which they seek compliance. Unlike litigation trumped up by the plaintiffs’ bar to reach a quick payday, enforcement actions at their core are meant to identify and remedy noncompliance that raises concerns for consumer and patient privacy and promote fair competition within industries. Agency-made decisions are also subject to oversight by administrative law judges, Congress, and/or the President.
Examples of federal legislation that provide no private cause of action for privacy violations and that are enforced by agencies include the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Federal Educational Rights and Privacy Act (FERPA), and the Genetic Information Nondiscrimination Act (GINA). Ill-Suited focuses on HIPAA and COPPA as examples of impactful agency enforcement of diverse privacy interests.
* * *
Although privacy law presents many complex questions about what to protect, why, how, and to what degree, the question of how best to enforce privacy rights has become increasingly clear: Agency enforcement is far more beneficial to consumers and the organizations that serve them than unpredictable and excessive attorney-driven private litigation. Federal and state privacy statutes that provide private rights of action—like the TCPA, FCRA, VPPA, and Illinois BIPA—exemplify the pitfalls associated with allowing plaintiffs’ lawyers to set policy nationwide by way of inconsistent judicial rulings. By contrast, privacy statutes that are enforce by government agencies provide a robust process through which noncompliance with protected privacy interests can be identified, remedied, and monitored while promoting consistency, fairness, and innovation.
For more, check out Ill-Suited: Private Rights of Action and Privacy Claims (July 2019).