Editor’s Note: This article is part of a three-part Lawfare series on how to address federal privacy legislation in the United States. The recommendations in this article, along with a recently published section on preemption, are adapted from a June 2020 Brookings Institution report, “Bridging the Gaps: A Path Forward to Federal Privacy Legislation.” Cameron F. Kerry and John B. Morris Jr. lead The Privacy Debate initiative at the Brookings Institution, which brings together stakeholders in civil society, industry, government and academia to discuss federal privacy legislation. The first piece on preemption is available here.
Because an impasse on individual rights of action makes federal privacy legislation unlikely to pass without a private right of action in some form, our report recommends a targeted remedy allowing individuals to sue for certain violations of baseline privacy legislation. We recommend focusing these cases on violations that most directly affect individual privacy by generally limiting recovery to “actual damages,” requiring a heightened “knowing or reckless” liability for most statutory provisions and a “willful or repeated” standard for more procedural provisions, and additional procedural filters. This post explains the rationale and the mechanics of our proposal.
The Gulf on Private Rights of Action
No issue in the privacy debate is as polarized as whether individuals should be able to bring lawsuits for privacy violations. Private lawsuits—especially consumer class actions—are anathema even to privacy-friendly companies, while for many consumer, privacy and civil rights groups, they amount to foundational goals.
These polar positions are reflected in the privacy bills from Senate and House Commerce Committee leaders released late last year, two of which we addressed in our first piece in this series: Democratic Sen. Maria Cantwell’s Consumer Online Privacy Rights Act (COPRA), Republican Sen. Roger Wicker’s draft United States Consumer Data Privacy Act (USCDPA), and the House Energy & Commerce Committee’s “bipartisan staff discussion draft.”
The USCDPA contains no provision for a private right of action. COPRA does have one (Section 301(c)), and it allows for all forms of relief—including punitive damages, litigation fees, and statutory damages of $100 to $1,000 per day or the amount of actual damages—with no procedural or substantive limits to narrow claims. Republican Sen. Jerry Moran and Democratic Sen. Richard Blumenthal tried and failed to negotiate a more limited provision, so Moran went ahead and released his own bill this year with no individual right to sue. Meanwhile, the House discussion draft has a placeholder provision on a private right of action that consists only of brackets.
Although broader privacy frameworks laid out in COPRA and the USCDPA are promisingly similar in many aspects and stakeholders agree on several significant aspects of the proposals, there has been little discussion and no progress since they came out. Indeed, recent bills on privacy protection for coronavirus contact tracing and notification data present mirror images of the gap in COPRA and the USCDPA as to private rights of action. And so long as the protagonists remain in their own corners on this issue, progress—either on pandemic-specific legislation or comprehensive privacy legislation—is likely to remain stalled. We set out to find some middle path on this issue to avoid the either-or choices that otherwise would lead to failure.
Competing Interests at Stake
Charting a path forward requires identifying concrete needs on each side of this divide and exploring whether there are some forms of right of action that the industry side might live with, and some limits that advocacy organizations might live with. Advocates voice two key reasons for allowing private lawsuits. One, not surprisingly, is to allow individuals to seek redress for injuries stemming from violations of legally protected privacy interests. The second is to supplement public enforcement of the statute by adding individuals as force multipliers to the Federal Trade Commission and state attorneys general. In turn, many industry representatives are not opposed to all private litigation but are generally concerned about what they regard as nuisance lawsuits. In their view, there is also a potential for class actions and damages multipliers (like statutory damages, punitive damages and multiple damages) to ratchet up the nuisance value of suits regardless of their merits. Each of the positions of advocates and industry has some force.We see force to each of these interests.
Few would dispute that some kinds of privacy injuries should be compensable. For example, nonconsensual pornography or the use of stalking apps or spyware against a former spouse or sexual partner would fall into this category. Similarly, there is little dispute that financial loss—for example, as the consequence of identity theft—should be capable of recovery, although the exact nature and extent of injury often is debated. These are the kinds of injuries that have had a history in common law and statutory law since Samuel Warren and Louis Brandeis wrote their foundational law review article, “The Right to Privacy,” in 1890.
Today, the privacy landscape in the U.S. contains many laws allowing individual lawsuits. The progenitor of federal privacy laws, the Fair Credit Reporting Act (FCRA), allows individuals to sue reporting agencies and recover at least $100 or actual damages, punitive damages in cases of “willful or intentional” violations, and reasonable attorney fees in all cases. Its progeny—the Privacy Act, the Right to Financial Privacy Act, the Cable Communications Policy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act and the Telephone Consumer Protection Act—all allow for individual lawsuits in various ways. There is also a history of state statutes with remedies to express rights to privacy as well as common-law torts for invasions of privacy interests. Furthermore, all 50 states have passed Unfair and Deceptive Acts and Practices laws, many of which provide for individual lawsuits.
When William Prosser organized privacy torts and the Warren/Brandeis “right to privacy” into four main categories, more than 50 years ago, he noted “[t]he difficulty of measuring damages.” This difficulty persists today and is one reason that many of the federal laws previously enumerated include statutory damages with specific sums or ranges. These serve to vindicate privacy interests by ensuring a recovery for a prevailing plaintiff regardless of the actual damages.
The Telephone Consumer Protection Act (TCPA) is particularly controversial in this regard. Although enacted to address pestilent robocalls, it targets the use of auto-dialers more broadly and thus has hindered legitimate companies in contacting their own customers, created confusion over whether automated replies constitute autodialing and led to claims based on processing do-not-call requests too slowly. The TCPA allows a private right of action for up to $500 per violation, which some observers assert enables “gotcha” claims. In 2019, this statute produced the highest trial damages award under a privacy law—$925 million—in a class action against the multilevel marketer ViSalus, Inc.
Everyone hates robocalls, but even privacy advocates may question whether they amount to one of the worst privacy offenses. The trial verdict in Wakefield v. ViSalus, Inc. demonstrates how statutory damages, multiplied by a large number of class-action members, can add up. Exposure like this gets the attention of C-suites and boardrooms because it can amount to enough to require reporting in litigation-risk disclosures for securities filings and balance sheets. The effects of these multipliers were a key concern of companies we spoke with on this issue prior to writing our report.
Our recommendations for a private right of action provision try to balance the interests identified above. While private litigation is imperfect for enforcement and policymaking, it can serve as an incremental tool, and exposure to litigation risk does focus the collective mind of corporate management. The common-law tort system based on reasonable care improved the health and safety of workplaces, buildings, vehicles, drugs and consumer products. The iterative process of case-by-case adjudication is part of a broader flexible and risk-based approach to protecting privacy that is integral to our report.
Tiered Substantive Rights
We incorporate a tiered approach to private enforcement by proposing different standards for each provision. We recommend three different tiers of liability, each requiring a well-established state-of-mind standard for differing categories of violations of the privacy statute. These tiers are tied, in the first instance, to proposed substantive obligations that reframe provisions in COPRA and the USCDPA into two broader duties applicable to all entities covered by the federal privacy statute.
One is a “duty of loyalty” that would require covered entities to implement reasonable policies and practices to protect individual privacy “appropriate to the size and complexity of the covered entity and volume, nature, and intended use of the covered data processed”; limit data processing to “necessary [and] proportionate” purposes, consistent with COPRA and the USCDPA; and require communicating data practices “in a fair and transparent manner.” The second is a “duty of care” based on a “harmful data practices” section in COPRA. This would prohibit covered entities from processing covered data in ways that “reasonably foreseeably cause” enumerated harms. These harms include financial injury, intrusions on privacy or intimacy “highly offensive and unexpected to a reasonable person,” discrimination “in violation of Federal antidiscrimination laws or antidiscrimination laws of any State or political subdivision thereof applicable to the covered entity,” and other “substantial injury.”
The injuries covered by this duty of care are the kind widely recognized as compensable under the common-law right of privacy, consumer protection statutes and anti-discrimination laws. Thus, the duty specifically would target the kinds of injuries we suggest a private right of action reasonably should protect. For violations of the duty of care, therefore, we do not propose any heightened state-of-mind standard. In other words, covered entities could still be held liable even if they are unaware of any violations of the duty of care, but they would not be subject to a strict liability provision (as they might under COPRA’s harmful data practices provision), because the element of reasonable foreseeability imports a negligence standard.
We then recommend treating the duty of loyalty and other substantive obligations—including consent, data security and civil rights—under a standard of “knowing or reckless disregard for the privacy or security of individuals.” Here, the goal is not to allow a lawsuit for each and every data security breach or failure to obtain affirmative express consent before collecting sensitive data but, rather, to ensure that bad actors are not immune from suit.
To bring private lawsuits related to provisions outside of these, we recommend requiring plaintiffs to demonstrate “willful or repeated” violations of the statute. This would apply to provisions affecting individual rights of access, correction, deletion, data portability and other recourse; appointment of privacy and security officers; conduct of risk assessments; and comprehensive privacy disclosures. These are administrative provisions that are important to accountability and effective privacy practices but might not necessarily have a direct impact on an individual’s privacy protection. The “willful and repeated” standard would prevent “gotcha” suits for violations with no real impact on individuals but help prevent patterns or practices of violating these accountability requirements or other flagrant disregard.
Tiering of Damages
Apart from cases of “willful or repeated” violations of any provision, we recommend covered entities be insulated from statutory damages. Thus, for statutory violations that are not “willful or repeated,” we would generally limit recovery to actual damages for the injuries incurred, plus attorney’s fees and litigation costs as well as any equitable relief a court awards in its discretion. One-time events may affect many people, such as when an organization changes its privacy policies, so it would be helpful to clarify that a violation is not considered repeated “solely by virtue of the fact that it affects a large number of individuals within a short period of time.” This would exclude statutory damages for one-time events while leaving the door open to obtain statutory damages of up to $1,000 per day for violations that continue over some period of time.
As discussed above, questions about the nature and extent of damages have long been an issue in privacy litigation. In the online era, courts have addressed the constitutional issue of whether plaintiffs meet standing requirements under Article III of the Constitution—which will also operate as a limiting factor to a federal privacy law. For example, in Spokeo, Inc. v. Robins (2016), Robins brought a class-action lawsuit under the FCRA—the first federal privacy statute—alleging that a “people search engine” displayed incorrect personal information about him. The Supreme Court sent the case back to the lower courts to determine whether allegations of intangible harm were both “particularized” and “concrete” enough to present a case or controversy eligible for Article III purposes; on remand, the U.S. Court of Appeals for the Ninth Circuit found they did.
In discussing these requirements, the court noted that “concrete” injury must be “real, and not abstract,” but also that the violation of “intangible” rights such as free speech and free exercise of religion can apply. Although the court ruled that not every inaccuracy or procedural violation under the FCRA amounts to concrete harm, it acknowledged that when considering “whether an intangible harm constitutes an injury in fact, both history and the judgment of Congress are instructive.” The Spokeo court specifically recognized that “Congress is well positioned to identify intangible harms that meet minimum Article III requirements.” This invites Congress to articulate privacy harms. Doing so can help with standing hurdles but may not solve the challenges of establishing damages.
In free speech and free exercise litigation, success often comes in the form of injunctive relief. Here, the availability of attorney’s fees and costs can ease the burdens and disincentives in bringing constitutional litigation and create exposure for defendants. Allowing courts to award reasonable litigation costs and attorney’s fees for private lawsuits would serve the same purpose for privacy cases.
Based primarily on the Massachusetts Consumer Protection Act, we recommend a form of notice and opportunity to cure. In our report, it is tied to the exercise of a proposed “right to recourse,” but it could be adopted as an independent provision. This statute requires that a plaintiff first give the relevant business a 30-day notice of the claim and attest to the notice and failure to act before bringing a lawsuit for unfair or deceptive acts or practices. Requiring individuals to pursue the right to recourse would give them a simple way to resolve claims, while also allowing covered entities a chance to head off litigation. We note that there should be an exception for situations, such as stalking, that present a risk of physical injury or other irreparable harm if an individual must wait for a response to the recourse request.
While we do not think a privacy law should be encumbered with so dramatic a change in the American allocation of litigation costs as to shift costs and attorney’s fees to the losing party, we do incorporate a modest fee-shifting provision that is consistent with well-accepted American law. It is modeled on offers of judgments in Rule 68 of the Federal Rules of Civil Procedure, which permits a civil defendant to make an offer that, if accepted, can be converted into a judgment against the defendant; if rejected, however, it can shift liability for litigation costs if the plaintiff fails to recover more than the offer. Based on this model, we propose that a covered entity responding to a request for recourse be able to offer money, and that this offer function like a Rule 68 offer if a plaintiff eventually recovers less than the amount of the offer. Like Rule 68, this would serve to promote the settlement of claims.
Existing federal law also suggests ways to allow class actions while addressing some of industry’s concerns about such cases. The Private Securities Litigation Reform Act of 1995 (PSLRA) establishes additional pleading requirements for securities litigation that serve to hold discovery at bay until a class is approved. It also spells out procedures for selecting a lead plaintiff among class representatives and outlines the class benefits and expected fees in class settlements. These procedures can be adapted to privacy litigation, leaving out some provisions that are sui generis to securities cases. Since the PSLRA refers to Rule 23 of the Federal Rules of Civil Procedure—which governs class actions—we think such a provision in privacy legislation would need to give the federal courts exclusive jurisdiction over class actions; overlaying it onto state procedures could prove excessively complicated.
In a similar vein, we recommend that the federal right of action be the exclusive remedy for the actions complained of in all private lawsuits. This would preclude appending more expansive state claims into the federal case, and would force an election of remedies and prevent bypass of the damage limits under federal law on the basis of state claims.
A Path Forward?
Barring a radical change in the makeup of Congress, the issue of private right of action in federal privacy legislation is unlikely to be resolved with an either-or outcome. As a result, enacting comprehensive baseline legislation will require choices. Given the options for tailoring a private right of action, such choices probably would resemble what we suggest here.