Limiting Private Rights of Action In Privacy Legislation

Ronald L. Plesser, Partner
Stuart P. Ingis, Associate
Piper Rudnick LLP

Limiting Private Rights of Action In Privacy Legislation [pdf]

Enforcement of privacy law is a significant issue in the debate about privacy legislation. Generally, enforcement alternatives include a private right of action, Federal Trade Commission (or other federal agency) enforcement, and state attorney general enforcement of a federally-enacted standard. Although there may be narrow circumstances in which a private cause of action is appropriate, the potential negatives that result from frivolous class action lawsuits in the privacy context should be limited. Private causes of action in privacy laws have been used to attempt to recover significant monetary awards in situations where there is no injury to consumers. Set forth below is a description of (1) the negative effects of private rights of action in existing privacy legislation; and (2) examples of the effectiveness of existing enforcement mechanisms in privacy legislation that do not include private causes of action.

Private causes of action in privacy statutes offer incentives for class action lawyers, and result in the spending of significant amounts of money to defend lawsuits raising technical claims.

A private right of action in privacy statutes has had the effect of providing a plaintiff's bounty for class action lawyers to bring lawsuits raising nominal issues against a wide range of companies. A private cause of action offers powerful incentives for plaintiffs' lawyers to bring lawsuits seeking hundreds of millions or billions of dollars of relief in hopes of finding a violation through discovery. Plaintiffs' lawyers have sued for technical violations of the law attempting to recover statutory damages where there is no injury to consumers. Such suits stand in contrast to other areas where class action suits have been brought in cases of injury to consumers. In such instances, the organization as a class allows consumers to sue collectively, thereby offsetting legal costs. Plaintiffs' lawsuits should be limited to situations where injury exists, as has been the ruling of courts in recent high profile cases involving tobacco and asbestos. However, as described below, plaintiffs' lawyers have misused such privately enforceable remedies in privacy legislation to string together claims of a large number of people who suffer de minimis loss as a result of bona fide commercial conduct. The unintended consequences of providing a private right of action in privacy legislation diverts companies' efforts from truly protecting consumer privacy through the adoption of meaningful privacy policies, procedures and consumer education initiatives, toward expending scarce resources to litigate what often are de minimis or attenuated claims.

None of the below-cited cases to date have resulted in a class certification of damage claims. They have, however, resulted in significant defense costs. In addition, they illustrate that there is very strong interest in obtaining huge cash recoveries for what could amount to essentially technical and non-harmful action.

The following cases � brought under the Cable Communications Privacy Act of 1984[1] (the Cable Act), the Electronic Communications Privacy Act (ECPA),[2] the Computer Fraud and Abuse Act (CFAA),[3] and the Federal Wire Tap Act (FWA),[4] � illustrate the types of unintended consequences and unnecessary litigation that can result from privately enforceable remedies for violations of privacy statutes. They all allege essentially technical violations of privacy statutes.

Wilson v. American Cablevision of Kansas City, Inc., 133 F.R.D. 573 (W.D. Mo. 1990) (denying certification of a class action seeking damages ranging from $600 million to $26 billion in connection with privacy notice that allegedly was defective because, inter alia, it failed to disclose that the cable company retained subscriber information for accounting and tax purposes, and notice's statement that subscribers could review their files during normal business hours was not sufficiently specific).
Parker v. Time Warner Entertainment Co., L.P., 1999 U.S. Dist. LEXIS 18883 (E.D.N.Y. 1999), class certification granted in part and denied in part, 198 F.R.D. 374, 2001 U.S. Dist. LEXIS 96 (E.D.N.Y. 2001) (appeal pending) (class action suit seeking hundreds of millions of dollars in connection with cable company's privacy notice that allegedly was defective because it failed to disclose with specificity two list rental practices permitted by law: naming of the premium channels to which households subscribed (e.g., Disney, HBO) and the inclusion of publicly available marketing data about subscriber households purchased from third parties (e.g., gender, age)).
In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001) (still pending) (class action seeking million(s) in damages filed by Web users for advertising company's use of personal information (e.g., name, address, e-mail address and Web pages visited) gathered through Internet cookies placed with the authorization of affiliated web sites).
In re Intuit Privacy Litig., 138 F. Supp. 2d 1272 (C.D. Cal. 2001) (still pending) (class action seeking million(s) in damages filed by computer users in connection with Intuit's implantation of cookies on their computers during visits to defendant's Web sites).
In re Trans Union Corp. Privacy Litigation, 200 U.S. Dist. LEXIS 17209 (Sept. 2002) (dismissed) (class action seeking $100 for
an estimated class of 130,000 individuals for a technical violation of the privacy provisions of the FCRA where no injury occurred).

On the other hand, the class action suit of Dennis v. Metromail, No. 96-04451, in the District Court of Travis County, Texas, 200th Judicial District was settled where damage from injury, rather than statutory damages were alleged. It had been alleged that Metromail and Donnelly collected personal information through consumer surveys in exchange for coupons and product samples. Such information, unbeknownst to the consumer, ultimately was included in databases that were processed by Texas inmates, where harm to the consumer was alleged.

A private cause of action that allows for class actions is not necessary to ensure effective enforcement of privacy laws.

The FTC, other federal agencies, and state authorities provide effective means of enforcing privacy rights. These governmental entities are much less likely to bring lawsuits for technical violations of a statute where no real harm results. Such entities also have limited resources and so focus their attention on situations where injury occurs. In dismissing the complaint in the Trans Union case described above, the court held that individuals that have suffered no actual damage have been and continue to be protected by the FTC's enforcement of the statute and regulations.[5] The court concluded that, regulation by the FTC, coupled with individual actions for damages (and attorney fees), is superior to a class action for statutory damages by tens of millions of consumers who claim no actual economic loss.[6]

In contrast to a private right of action, government enforcement does not result in businesses expending significant resources on defending frivolous class action lawsuits. Such an approach has proven successful in the context of the Children's Online Privacy Protection Act of 1998 (COPPA),[7] legislation enacted to regulate the collection and sharing of information about children. COPPA provides the FTC, states, and a number of federal agencies with authority to enforce compliance with the Act with respect to entities in their jurisdictions. The FTC monitors the Internet for compliance with the rule implementing COPPA, and brings law enforcement actions where appropriate to deter violations. Violations constitute a violation of trade regulation rules and are subject to significant penalties that serve as a deterrent as well as punish bad actors. The threat of FTC or other enforcement action has proven a highly effective means of ensuring compliance with the Act's requirements.

There also exist other recent examples of privacy legislation that does not contain a private cause of action. For example, neither Title V.A. of the federal financial privacy law, the Gramm-Leach-Bliley Act (GLB),[8] nor its implementing rule contain a private cause of action provision that would enable consumers to bring a suit for violations of the GLB Act's requirements. Enforcement is left to the federal agencies and the state insurance agencies that have jurisdiction over financial institutions covered by the rule. Similarly, in the health care privacy legislation promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA),[9] enforcement resides with the U.S. Department of Health and Human Services through its Office of Civil Rights.

Enforcement by regulators, rather than through private actions, allows for a uniform national standard with which businesses can comply and that consumers will understand. Through a single national standard enforced by the FTC and state attorneys general, rather than plaintiffs' lawyers and courts throughout the country, the number of differing interpretations that would result in a patchwork of differing standards will be significantly limited. A private right of action thus would create less certainty and clarity in the marketplace, as more courts would supply their own definition as to what constitutes actual harm.

As policymakers consider the merits of additional privacy legislation, the potential for abuse that can result from a private right of action must be considered. Statutory damages should not be included in legislation. Where effective government enforcement is available, such enforcement is better policy as it protects consumers and limits frivolous lawsuits.

Notes

[1] 47 U.S.C. §§ 521, et seq.

[2] 18 U.S.C. §§ 2701, et seq.

[3] 18 U.S.C. § 1030.

[4] 18 U.S.C. § 2511.

[5] Id. at 17.

[6] Id. at 17.

[7] 15 U.S.C. §§ 6501, et seq.

[8] 15 U.S.C. §§ 6801, et seq.

[9] 42 U.S.C. § 1320d-2(d).