Over the past few years, there has been a surge in class actions challenging companies’ privacy and data security practices. But while the number of class actions continues to grow, the suits face several significant challenges, have afforded limited relief to individual consumers, and have provided no coherent privacy standards in the US. By comparison, the primary government regulator, the US Federal Trade Commission (FTC), has proven much more effective in enforcing privacy and data security practices.
The first hurdle: the requirement of ‘standing’ or the need for an ‘injury in fact’
Class action litigation has not proven to be an efficient mechanism for claimants in the US to seek redress for alleged privacy damages.
This stems from the difficulty of having a compensable harm arise from a violation of a privacy-related right under US law.
This creates an important threshold problem in the US federal courts.
Indeed, litigants must demonstrate that they have ‘standing’ to be able to pursue their claims before a federal court.
‘Standing’ has in turn been interpreted to require plaintiffs to establish, among other things, that they suffered an ‘injury in fact’ that is concrete and actual or imminent, not hypothetical or conjectural.
Numerous class actions based on the collection, use and disclosure of data have been derailed because plaintiffs have not adequately alleged an ‘injury in fact’ sufficient to confer ‘standing’ [1].
The challenges plaintiffs face in establishing standing also apply in the context of data breach class actions.
There has been a split in decisions among the US courts, with many having dismissed claims arising out of cyber-attacks for lack of ‘standing’, holding that plaintiffs’ allegations regarding the threat of future harm they face from the potential misuse of their data are not sufficient.
These courts hold that what may or may not be done with data collected from the victim of a cyber-attack is too speculative and not a concrete and immediate injury sufficient to confer ‘standing’ [2].
Other courts have found – depending on the type of data involved – that the mere improper access to that personal data creates an increased ‘risk of harm’ sufficient for a claim [3].
Where plaintiffs can allege that their data has actually been misused by criminals, courts are more likely to find such allegations of fraudulent activity sufficient to establish ‘injury in fact’ [4].
Nonetheless, the US Constitution’s ‘injury in fact’ standing requirement remains an often insurmountable hurdle for plaintiffs.
The US Supreme Court has reminded the lower courts that a plaintiff in data-related cases, who often cannot point to clear financial harm, must allege an injury that is both “particularised”, meaning that the named plaintiff was personally affected by the defendant’s conduct, and “concrete”, meaning there must be an ‘injury in fact’.
Simply alleging that a statute was violated is not enough [5].
The second hurdle: causes of action
Even where consumers are able to overcome the threshold question of whether they have suffered a compensable privacy harm, there is further difficulty in finding viable causes of action through which plaintiffs can seek redress.
That challenge is already difficult with respect to federal statutes, as most privacy claims do not fit neatly into the existing federal statutory scheme.
No current law provides an express means of redress for individuals who allegedly suffered privacy harms.
Plaintiffs have instead tried to press their claims under various other federal statutes, including those designed primarily to protect systems and communications from hackers and eavesdroppers.
For instance, the Computer Fraud and Abuse Act targets various computer-related activities, but, in order to bring an action under its provisions, a plaintiff must allege at least US$5,000 in actual damages.
Because state-law claims are based on a patchwork of differing state laws, however, they rarely afford nationwide relief and do not result in a national standard that companies can follow and consumers can rely upon.
Recent examples of settlements of privacy and security class actions
Despite these challenges, attorneys in the US have continued to file a slew of class actions. One of the primary motivations for this deluge of litigation is the attorneys’ fees plaintiffs’ counsel hope to recover.
Numerous privacy class actions have been resolved by settlement agreements that provide little of value to the consumer while handsomely rewarding the plaintiffs’ lawyers.
For instance, in a data breach class action against Target, Target paid US$10m to a fund for consumers, an amount of less than US$1 per plaintiff, while the plaintiffs’ counsel received US$6.75m in fees.
In a data case against LinkedIn, the named plaintiff was awarded US$5,000, leaving less than US$1 for each additional class member, while the plaintiff’s attorneys were awarded over US$321,000.
A total award of less than US$1, or even 10 cents, per class member is arguably generous, because some privacy class action settlements require defendants only to make cy pres payments (payments to charitable organisations that support work that indirectly benefits the class and the public interest) or to make prospective changes to their data practices.
In other instances, data breach settlements have established funds to provide free credit monitoring to victims as well as to reimburse class members for documented damages. Many settlements, however, provide no monetary compensation to class members whose personal information was stolen.
FTC’s enforcement actions as a better contribution to privacy standards
Because many class actions are resolved through settlement or are dismissed, class action litigation has not established comprehensive privacy standards.
By contrast, regulatory action through the FTC has been a strong force in enforcing such standards.
The FTC has extracted numerous far-reaching consent orders from corporate defendants, which require substantive changes in corporate policy and have established certain privacy norms.
The consent orders resolving FTC privacy enforcement actions typically:
- prohibit the activities that were the subject of the agency’s complaint;
- establish monetary penalties;
- require that corporations delete or refrain from using any wrongfully collected personal data;
- require the maintenance of records and compliance reports to facilitate the FTC’s enforcement of the order; and
- require corporations to notify the FTC of any material changes that might affect compliance obligations.
The FTC’s authority to bring such enforcement actions has been confirmed by the federal courts, notably in a court of appeals opinion upholding the Commission’s authority to regulate data security practices [6].
References
1. See In re Facebook Internet Tracking Litig., No. 5:12-md-02314-EJD, 2015 WL 6438744 (N.D. Cal. Oct. 23, 2015); LaCourt v. Specific Media, Inc., No. SACV 10-1256-GW(JCGx), 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011).
2. See, e.g., Reilly v. Ceridian Corp., 664 F.3d 28 (3d Cir. 2011); Whalen v. Michael Stores Inc., 689 Fed. Appx. 89 (2d Cir. 2017); In re SuperValu, Inc. Customer Data Breach Litig., 870 F.3d 763 (8th Cir. 2017).
3. See, e.g., In re Zappos.com Inc. Customer Data Security Breach Litig., – F.3d –, No. 16-16860, 2018 WL 1883212 (9th Cir. Apr. 20, 2018); Remijas v. Neiman Marcus Grp., Inc., 794 F.3d 688 (7th Cir. 2015).
4. See, e.g., Remijas, 794 F.3d 688 (7th Cir. 2015).
5. Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).
6. See Federal Trade Comm’n v. Wyndham Worldwide Corp., No. 14-3514, 2015 WL 4998121 (3d Cir. Aug. 24, 2015).
This article forms part of our Data class actions: the era of mass data litigation guide.