As the U.S. Congress continues to slog through the process of crafting a comprehensive federal privacy framework, two intractable issues have emerged: federal preemption and private rights of action. These two issues are intertwined because they get at the core of how privacy rights and obligations should be enforced. While preemption has received most of the attention, a carefully constructed private right of action could also play an important role in advancing privacy rights at the national level.
Instead, any inclusion of a private right of action has been treated as an all-or-nothing proposition.
Privacy advocates recommend individuals be permitted to privately enforce federal privacy protections through a statutory private right of action without any showing of harm. Meanwhile, industry-friendly proposals treat private rights of action as a non-starter. Both sides are locked into absolutist positions, and lawmakers’ efforts to craft an impactful privacy law have been hurt in the process.
The many facets of private rights of action
There are many identified benefits to private rights of action. They shift regulatory costs away from under-resourced agencies and mitigate the potential for agencies to be captured by the industries they regulate.
However, the primary goal of deputizing individuals to act as “private attorneys general” has been to serve as an enforcement multiplier. Many legal violations are never prosecuted; regulators are resource constrained and have competing priorities. The California Attorney General’s Office has admitted that it will likely prosecute no more than three cases per year under the California Consumer Privacy Act, which is why it has gone on the record calling expanded private rights of action a “critical adjunct to governmental enforcement.”
Still, lawmakers should not ignore legitimate evidence that private litigation leads to over-enforcement or ruinous liability. No less a figure than prominent plaintiffs’ attorney Jay Edelson, founder and CEO of Edelson, has questioned the logic of the statutory damages in the CCPA’s data breach provision, but stakeholders should be honest about where the fault lines truly lie. A recent policy paper from the Chamber of Commerce tries to make the case that private rights of action are “poor tools for addressing privacy issues,” but the real target of the paper seems to be “litigation trumped up by the plaintiffs’ bar to reach a quick payday.”
Conflating any private enforcement provision with an automatic boon to class-action litigation is a false choice. If critics are truly worried about an explosion of privacy-focused class-action lawsuits, the legislative solution isn’t to completely close access to the courts. Instead, Congress should consider how private rights of action could augment the Federal Trade Commission and protect individuals where lawmakers have specific concerns rather than engage in simplistic yes-no thinking.
Including a private right of action in a statute by itself says nothing about how a law will be enforced. Congress and the courts have a huge say in how much litigation ultimately results. In an analysis of how private litigants can enforce federal law, University of California Berkeley Law Professor Sean Farhang notes that lawmakers face a series of choices of statutory design that include (1) who has standing to sue; (2) which parties bear the costs of litigation; (3) what relief is available to winning plaintiffs; and (4) what are the rules of liability and burden of proof to win. Each component can be a limiting factor for incentivizing individuals to sue to protect their privacy.
Standing remains a threshold question
Legal standing is a threshold question for any privacy dispute after the Supreme Court’s decision in Spokeo v. Robins. In it, the Supreme Court cautioned that bare procedural violations may not amount to an “injury in fact” necessary to meet constitutional standing requirements, but it did acknowledge the legitimacy of intangible harms. Unfortunately, this guidance has invited courts to second-guess legislative determinations about what constitutes a privacy harm. To get around this, for example, the recent Privacy Bill of Rights from Sen. Edward Markey, D-Mass., attempts to make clear that any violation of the bill “constitutes an injury in fact.”
But judicial skepticism augurs in favor of Congress being extremely clear through legislative findings and statutory text how various privacy rights and requirements are designed to protect individuals. One option for lawmakers could be to focus private enforcement around certain types of data. The 9th Circuit’s recent opinion in Patel v. Facebook, which upheld class certification of Facebook users alleging violations of Illinois’ Biometric Information Privacy Act, may provide a template for this approach. The court noted that technological advances could “increase the potential for unreasonable intrusions into personal privacy” and concluded that any invasion of an individual’s biometric privacy might have a “close relationship” to longstanding privacy torts.
This suggests that private enforcement would be best tailored to focus on limited sensitive data types whose use might “invade” an individual’s autonomy. One could imagine illicit acquisition of geolocation data or the disclosure of inferences about an individual’s health or sexuality being in a similar bucket. While privacy advocates may bemoan these sorts of enforcement limitations, a boundless private right of action will likely be narrowed by the courts.
Economic incentives are relevant
Court costs influence all aspects of litigation, including the decision by a private plaintiff to bring suit in the first place. Lawsuits are an expensive, disruptive hassle. As a result, monetary damage awards, attorney’s fees, and other available relief drive litigation, and the ease with which damages or attorney’s fees can be obtained can either curtail or expand private enforcement.
The cost of an attorney has a huge impact on whether to litigate. Often to encourage private enforcement, lawmakers let winning plaintiffs obtain attorney’s fees, but that is not the baseline rule at common law. Some state consumer protection laws even force individuals to pay a business’s attorney’s fees for frivolous claims, while other laws give courts discretion to allocate attorney’s fees. In addition to attorney’s fees, the prospect of recovering compensatory and punitive damage awards also drives litigation. However, the “payday” narrative of privacy litigation is usually fueled by the inclusion of statutory damages, which are set in law without regard to any actual harm.
This conundrum of what constitutes a privacy harm operates as a hurdle to achieve corporate reforms or consumer redress. Statutory damages can remedy this issue, as well as address violations in which any actual damage is too small to warrant the costs of bringing suit. They also expedite lawsuits because they do not require the same burden of proof as actual damages, and they can serve a punitive purpose, leading to potentially ruinous liability. Thus, writing a reasonable dollar figure into statute can prove challenging.
Statutory damages can also scale with intent. BIPA, for example, provides for damages at either $5,000 for knowing or reckless violations or $1,000 for mere negligent violation of the statute. Determining the standard by which statutory damages are triggered, whether negligence, willfulness or something else that must be proven, is something that lawmakers could consider.
If advancing the public interest is of primary concern, private enforcement can also be stripped of financial incentives entirely. Lawmakers could limit plaintiffs to only injunctive or equitable relief. For example, Title III of the Americans with Disabilities Act prohibits discrimination on the basis of disability in places of public accommodation, but private plaintiffs are only allowed to seek equitable relief, like removals of barriers rather than any financial awards. Injunctions are an underexplored mechanism for stopping disputed data practices.
Granular enforcement provisions and privacy gatekeepers as potential solutions
There are other ways to control for private litigation, as well. For example, Congress might ensure that only some provisions of a privacy law are open to individual enforcement or use the FTC as a sort of privacy gatekeeper.
There is no rule that says a private right of action has to encompass the entirety of a privacy bill; Congress could go provision-by-provision and specify exactly what is subject to private litigation. For example, it might make sense to permit private enforcement of data access rights but not data portability requirements. The IAPP has found that data portability ranks as one of the most difficult privacy compliance obligations, and Congress could reasonably determine that a flood of data portability-related litigation would be counterproductive and unfair to industry.
A second idea would be to require the FTC or another appropriate regulator to investigate and process complaints prior to permitting an individual to sue. Boosting agency adjudication can mitigate excessive paydays and address concerns that private enforcement upsets the FTC’s thoughtful regulatory agenda. This approach requires several leaps of faith, however, including giving the FTC sufficient resources, ensuring its interpretations are referred to by reviewing courts, and improving how the FTC processes and handles complaints.
One model to consider is how the Equal Employment Opportunity Commission operates.
For most federal employment discrimination cases, an employee is required to first file a discrimination claim with the EEOC prior to filing a lawsuit. The EEOC then investigates the claim, which results in one of three outcomes: the commission will attempt to mediate the dispute; in egregious cases, it can file a lawsuit on the employee’s behalf; or it will close the case and issue a “Right to Sue Letter.” A Right to Sue Letter is not legally probative. It means only that the EEOC did not find sufficient evidence of discrimination or lacked the resources to pursue litigation. However, the process slows private enforcement and interjects the mediating influence of a regulator.
Some scholars have suggested that Congress might just let agencies devise the scope of a private right of action, but agencies already play a big role in shaping the contours of private enforcement. They can place their thumbs on the scale with respect to liability rules and burdens of proof. The Department of Housing and Urban Development’s controversial new rule, for example, would change the standards for how to assess housing discrimination cases and effectively create new rules for how landlords can deploy automated decision-making systems that produce housing decisions. Agency discretion can be used to expand or contract private litigation in a privacy statute.
Conclusion
If stakeholders are serious that privacy legislation requires meaningful enforcement, there is no reason why a comprehensive privacy law should utterly lack for private enforcement. Private rights of action are not a rarity in federal law, and critics have an obligation to better articulate their positions on the matter.