Privacy Litigation: Emerging Trends and Regulatory Implications
By: Henry Rademacher
As efforts to address data protection at the federal level have repeatedly stalled, many states are taking the matter into their own hands. The possibility of each state having a different law on data protection has caused alarm, among both consumer advocates and the private sector. The “patchwork” system currently developing in the United States is projected to have severe economic consequences. From a “litigation explosion,” which is already underway, to compliance costs putting companies out of business altogether, most repercussions of the patchwork system are projected to disproportionately impact consumers and small businesses.
A recurring theme in privacy legislation discussions is that many of the problems caused by the patchwork system could be mitigated by federal legislation addressing data protection. However, the top issues of contention, preemption of state laws and the inclusion of a private right of action, still give Congress heart burn.
Regarding the spike in litigation being caused by the various state data protection laws, Megan Brown, Partner at Wiley Rein LLP, said that “Whenever a law like (CCPA) creates a new right or gives a new consumer authority, you have to question how that is going to be enforced.”
Because the patchwork system opens the door to 50 states having 50 different systems of enforcement, the uncertainty it creates will inevitably result in more instances of litigation. Brown added that the current system incentivizes lawyers to push for more litigation, a concern frequently sighted by privacy advocates.
According to Jennifer Huddleston, Director of Technology & Innovation Policy at the American Action Forum, “The internet is by its nature an international device. It is difficult enough for a company to comply with different regulations in different countries. But it is even more difficult when you cannot offer the same product in California as you can in Maine.”
There is a grave misconception that tech companies are the only businesses that will suffer under aggressive data protection laws. “Often when we talk about data privacy, we assume that we are just talking about tech companies. But data is involved in so many companies today, these laws can effect brick and mortar/mom and pop shops,” Huddleston said. For example, gyms and pharmacies typically offer loyalty programs. If they use data services to manage these programs, they could potentially be subjected to the same data regulations as tech companies like Oracle or Microsoft.
Despite both parties claiming to be in favor of handling privacy concerns at the federal level, the general consensus is that Democrats support a private right of action, which, without significant constraints, would allow law firms to sue companies over data violations without evidence of harm to any individual. They also oppose the idea of federal data protection that preempts state laws. Republicans oppose the private right of action and are in favor of preemption.
Ashley Baker, Director of Public Policy at The Committee for Justice, explained that the private right of action is frequently misrepresented by the media, “There is a broad misconception that removing the private right of action means that consumers can’t sue. Under existing law, they are already able to do so.” U.S. law empowers citizens with some of the most extensive rights to file suit as any country. According to Baker, frivolous litigation costs taxpayers more than $400 billion per year.
Data protection is an issue best handled at the federal level. That opinion has essentially become the industry consensus since the passage of CCPA.
In 2018, California passed the controversial California Consumer Privacy Act (CCPA), which went into effect earlier this year. According to the International Association of Privacy Professionals (IAPP), at least 24 states are in the process of legislating comprehensive data protection as of April 16th, 2020.
To learn more listen to the panel hosted by The Committee for Justice on the current state of data protection laws in the U.S. and what developments are likely in the future: Privacy Litigation: Emerging trends and regulatory implications. Additional topics of discussion included: the ruinous effects of allowing unrestricted privacy litigation, the regulatory burdens and compliance costs placed on businesses under these laws, why innovators and startups will suffer more than established players, and the misconception that tech companies are the only businesses that will suffer under the patchwork system.
Photo credit: Stock Catalog (flickr)