The burgeoning field of privacy law presents a tempting target for class action lawyers. Alleged privacy law violations appeal to class action practitioners for several reasons:
Consumers are increasingly sensitive to privacy violations. This heightened public concern makes it easier to find good representative plaintiffs that aren't solely interested in the money, but are actually motivated to right a perceived wrong. Moreover, although few class actions are actually tried, both plaintiff and defense counsel must account for jury reaction to privacy violations, which raises settlement values.
Privacy violation fact patterns can greatly ease plaintiffs' counsels' burden in certifying the class. In many forms of class action litigation, demonstrating the required elements for certification, such as commonality and typicality, can present a significant challenge. But, a mass privacy claim often provides a large, easily-defined group that has been injured by the same allegedly wrongful conduct in the same way.
There are a number of federal and state statutes that provide for liquidated, per-violation or per-plaintiff damages, thus obviating much of the ultimate burden of proving damages.
It is, then, little wonder that plaintiffs aggressively pursue those avenues that have proven successful, and continue to creatively seek new theories for heretofore "class action resistant" privacy violations.
Generally, the plaintiffs' bars' greatest success has come in enforcing federal and state statutory schemes that provide for liquidated damages. Such statutes include the Telephone Consumer Protection Act, which regulates telemarketing, and provides for statutory damages of at least $500 per violation. Likewise, the Video Privacy Protection Act, which provides for $2,500 per plaintiff, has been the source of several successful lawsuits and settlements against companies that disclose customers' video viewing history.
Plaintiffs have also had success in pursuing class claims under the Stored Communications Act (SCA). The SCA generally prohibits unauthorized access to stored electronic communications, and provides for minimum damages of $1000 per plaintiff. Claims have also been pursued under the Drivers Privacy Protection Act (protecting driver's license records and providing for $2,500 in damages per person), and the Federal Wiretap Act, as amended by the Electronic Communications Privacy Act (providing for damages in the greater amount of $100 per day or $10,000).
A number of similar state statutes also provide prospects for plaintiffs' success. Among these are California's “Shine the Light” Statute, and Song-Beverly Credit Card Act.
The class action plaintiffs’ bar has met with less success in pursuing negligence-based class actions for incidents such as data loss. Often, these cases have been dismissed on the basis of a lack of actual damages, and the concomitant lack of standing. But, data breaches are sufficiently frequent, and the other attractive characteristics of class treatment (such as numerous plaintiffs and commonality of the injury-producing event) are so enticingly present that creative lawyers have and will continue to seek legal theories that will survive dismissal and support certification. Recently, for example, a plaintiff who suffered a data loss successfully convinced a federal appellate court that an unjust enrichment theory was sufficiently sound to survive a motion to dismiss.
The evolving world of privacy law provides numerous challenges for in-house counsel. The threat of class action litigation will undoubtedly continue as one of these concerns.