
A Private Right of Action is Key to Ensuring that Consumers Have Their Own Avenue for Redress

In addition to deciding what agency or agencies may enforce a new privacy law, Congress should consider whether the law should incorporate a private right of action. With a private right of action, an individual whose privacy rights are violated could sue the violating company directly.

Currently, federal law does not provide a private right of action that would enable individuals to sue companies directly for privacy intrusions, but several state privacy laws include private rights of action. Illinois’s biometric privacy law allows users whose biometric data is illegally collected or handled to sue the companies responsible.1 The California Consumer Protection Act allows users to sue a company for statutory damages if their personal information is involved in a data breach as a result of the company’s negligence.2 Without a private right of action, individuals have to rely on federal or state enforcers, like the FTC, to protect their privacy. While there is some opposition to a private right of action from companies and policymakers, it would offer several benefits.

First, private rights of action are an extension of democratic participation, like petitioning government, writing members of Congress, and talking to state legislators, as Getachew argued. The ability for a person to bring a lawsuit against another party that has done them wrong is also how our judicial system generally works. For example, under tort law, individuals can sue others for causing harm, such as assault, battery, or trespassing. In the same way, individuals who experience privacy harm should be able to hold the perpetrator accountable in court.

Second, individuals have not always been able to rely on the government to protect their rights, particularly their civil rights.3 If a single federal agency is responsible for privacy enforcement, some individual harms likely would not be addressed. This lapse could result from a lack of agency capacity and resources, and potentially from illegitimate causes as well, like agency capture. Such under-enforcement could encourage companies to engage in privacy-harming practices if they believe that enforcement would be unlikely. A private right of action is critical for aggrieved individuals, who would then be able to intervene and pursue enforcement on their own, without relying on the federal enforcer.

A private right of action can be designed to reduce the likelihood of frivolous lawsuits and therefore reduce potential problems for law-abiding companies. Gellman argued that “people on all sides of these issues have to begin to look at ways of finding accommodation, finding middle ground, putting some kind of agreeable limits, be they … putting a cap on damages [or] setting procedural requirements before you can file a class action lawsuit.” Gellman suggested that one potential procedural requirement could be having to get your "ticket punched" by some authorizing agency before you can file a class action lawsuit. Such a requirement would allow the agency to control which individual cases move forward, and could potentially weed out malicious or frivolous cases. The private right could be limited to specific issues, or have intent requirements.

Getachew made clear, however, that the private right of action cannot have a forced arbitration clause attached. Forced arbitration clauses are “anti-consumer [and] anti-democratic,” and they

allow industry to potentially control how a case is decided. … At the same time, with a forced arbitration framework, you don't have a situation where you can have a legal precedent for whatever the harm is being litigated against. It's just within that arbitration context, and so it may not be able to empower a class or a community of individuals [that experience] the same harm. And really, it's just not cost-effective for an individual to go through [arbitration] as opposed to going through the private right of action route.

Many argue it would be unfair to give individuals a private right of action, but then force them to go through binding arbitration instead of being heard by a court of law.

Similarly, Banker argued that class action settlements could also be unfair: “There are [class action] settlements where you don't necessarily know what the terms of the agreement were, whether the company … settle[d] because of the cost of the litigation, or because there actually was wrongdoing, and it doesn't necessarily create rules that other people can … follow.” Banker argued that agency enforcement is preferable to an individual private right of action because then cases are settled by consent decree: “We get to see the complaint, we get to see a consent order,” and other businesses can learn from those cases.

In the end, Getachew argued that a private right of action should be “one tool in the toolkit to protect consumers and to really make sure that if the agency isn't acting as a cop on the beat, there's another framework in place to” protect privacy. But getting there may require a compromise.

Citations
  1. Jennifer Mesko and Emily Knight, “Illinois Supreme Court Rules in Biometric Information Privacy Act Case,” American Bar Association, February 12, 2019.
  2. Patterson Belknap Webb & Tyler LLP, “A Closer Look at the CCPA’s Private Right of Action and Statutory Damages,” JD Supra, August 24, 2019.
  3. Becky Chao, Eric Null, Brandi Collins-Dexter, Claire Park, “Centering Civil Rights in the Privacy Debate,” Open Technology Institute, New America, August 14, 2019.