In this episode of Law, disrupted, John is joined by Paul Schwartz, Professor at the UC Berkeley School of Law and Director of the Berkeley Center for Law and Technology, Viola Trebicka, partner in Quinn Emanuel’s Los Angeles office and the Co-Chair of the firm’s Data Privacy and Security Practice, and Stephen Broome, partner in the firm’s Los Angeles and New York offices and the Co-Chair of the firm’s Data Privacy and Security Practice. Together they discuss the explosion of data privacy claims on court dockets across the United States.
The conversation begins with John asking what developments the panel is seeing right now with data privacy claims. Stephen highlights how more cases are being filed daily, particularly under the Illinois Biometric Information Privacy Act (BIPA), as well federal and state wiretapping laws and new novel theories of recovery that were not previously plead in privacy cases. Paul adds that one reason privacy claims are increasing so rapidly is because recent multi million settlements, jury verdicts and government fines have made privacy litigation a high-stakes area and another is that both sides of the political spectrum have become increasingly skeptical of big tech companies.
Viola then explains the two categories of claims plaintiffs have been filing recently. The first category are common law invasion of privacy claims that are now being applied to modern data privacy issues. The second category consists of claims based on repurposing statutes that did not contemplate modern data gathering over the internet.
One example of these statutes is the Federal Wiretap Act of 1968 which was intended to prohibit people from physically connecting to a landline telephone without permission. Today, on the internet, when someone goes to the website for a company, they know they are communicating with that company, but that company will often send the person’s data off to a third party which tracks ads or pages the person visits clicks on. Plaintiffs are now alleging that those third parties are eavesdroppers violating the Wiretap Act.
Another statute plaintiffs increasingly use is the Video Privacy Protection Act which was passed in the late 1980s to prevent reporters from learning what videos a person rented at a video store. Now, many websites have embedded videos. Plaintiffs are now alleging that websites that share information about what embedded videos a person has watched have violated the VPPA.
John moves the conversation to why the US does not have comprehensive national legislation addressing data privacy. Paul explains that while Europe as well as states such as California, Nevada, and Virginia have passed statutes governing data privacy, the proposed federal statute, the American Data Privacy Protection Act (ADPPA) has not yet been brought to a vote in Congress. The panel then discusses the three key questions to resolve in any federal data privacy law: Is there a private right of action? Are there statutory damages or will a plaintiff need to prove actual damage? Are state data privacy statutes preempted?
The discussion then turns to how plaintiffs build large damage claims. Viola explains that plaintiffs focus on unjust enrichment and restitution theories. Unjust enrichment theories are usually asserted when the case centers on advertising data. Plaintiffs’ experts build damages models based on the profits the company makes due to the use of this data in advertising.
Restitution theories rest on three assumptions. The first is the data that belongs to an individual; the second is that the data itself, without anything done by the company that receives it, has value. The third is that the value can be identified in a non-speculative way. To identify that value, experts have turned to companies that pay people to allow their web browsing to be tracked and use that compensation as a proxy for the tracking that was done to the plaintiffs.
The panel then discusses how these theories, when applied to classes that include tens of millions of plaintiffs, can easily lead to total damages figures in the hundreds of millions or billions of dollars. When statutory damages are available for every violation, as in BIPA or the VPPA, the damages that could theoretically ensue reach trillions of dollars.
The discussion then turns to what companies can do to avoid these huge awards. Paul emphasizes that companies need to get ahead of these issues before they get sued by seeking privacy counseling, hiring Chief Privacy Officers, and mapping where their customers’ data is and what is happening to it. This includes smaller companies that no one thinks of as “Big Tech” are increasingly being sued for data collected on their websites.
Finally, the group discusses two notable issues that have come up in recent FTC enforcement actions. The first is the possibility of imposing personal liability on senior executives for data privacy violations. This possibility was raised in the course of the FTC’s landmark settlement of its investigation of Facebook as well as in the FTC’s settlement with Drizzly. The second is that when it settles a case, the FTC will now spell out in extreme detail what it expects of companies who have had a cybersecurity breach, including specific future measures to be taken and what kinds of cyber security professionals the company must hire.
Published: Dec 23 2022