Tuesday, July 11, 2023

In this third installment on the enforcement of U.S. consumer data privacy laws, we focus on the role of private litigants.

Following our discussions of state and federal government enforcement, this post focuses on the third way that consumer rights under U.S. privacy laws are enforced: in private proceedings. These cases are often brought in class actions, where a representative plaintiff or plaintiffs may seek legal remedies on their own behalf and on behalf of others who are similarly situated.

Privacy class actions are one of the fastest growing categories of litigation against U.S. businesses.

Privacy claims are also a focus of mass arbitration campaigns, in which hundreds and sometimes thousands of individual arbitration demands are threatened and filed in a coordinated effort. Consumers may also bring claims in individual litigation or arbitration.

We could devote an entire treatise to covering the full scope of privacy claims that businesses could face from private litigants, but this post will provide an overview of the most common categories of cases.

Initially, companies should consider the various privacy-specific statutes that may govern their activities, and whether those statutes authorize consumers to bring claims for violations of those laws (known as private rights of action).

To assess the scope of potential litigation exposure, businesses should be mindful of the damages available under applicable statutes, how those damages accrue, and the applicable statutes of limitations.

When assessing class action risk, businesses should consider the use of arbitration provisions and class action waivers, and the risk of mass arbitration. Companies should also analyze the geographic reach of relevant statutes and the potential for nationwide class certification.

When considering which litigation risks they may face, businesses should look beyond privacy-specific laws and remember that consumers, investors, and employees can bring suit under a variety of laws and theories, including those that apply generally.

Most often, plaintiffs will bring claims to enforce their data privacy rights under state or federal laws that confer a private right of action, that is, authorization for a private citizen to enforce their rights through litigation.

The nature of each case, the remedies it seeks, and when and where it can be filed, will turn on a statute’s provisions, including the private right of action.

Businesses, however, should also bear in mind that statutes without a private right of action may be invoked in private litigation as setting the standard for lawful or reasonable conduct, as in lawsuits alleging that HIPAA violations constitute unfair business practices.

Recent privacy litigation by consumers against companies has included claims based on the following theories:

This year is already on pace to be the biggest ever for privacy litigation.

Assessing and assigning privacy litigation risk is also on the rise as a complex and challenging issue in transaction diligence and negotiations.

Companies should look comprehensively at their privacy litigation risks, ensure they understand their insurance coverage, and consider measures to mitigate their exposure. Businesses that use web analytics and tracking tools and practices currently under scrutiny by class action plaintiffs – such as session replay, pixel tracking, and recorded customer service chat communications – should be sure that their legal counsel is aware of those activities. No organization should assume it is immune from litigation exposure based on the size of its operations or revenue.

