Use this button to switch between dark and light mode.

Data Privacy Class Actions on the Rise

June 08, 2023 (4 min read)

By Kevin Hylton | LexisNexis Practical Guidance

In-house counsel are on the alert in 2023 for class action lawsuits that could be filed at any time related to how their company safeguards the data privacy of consumers.

“In the U.S., class actions are a popular enforcement mechanism to compensate consumers, including for alleged violations of state and federal privacy laws and data breaches,” says the International Association of Privacy Professionals blog.

The latest major salvo was fired in May, when Hearst Television was slapped with a proposed federal class action that alleges the media company knowingly and intentionally shared users’ personal information with third parties in order to fetch higher ad rates, according to Law360.

“In the last few years, we have seen countless class action lawsuits filed over data breaches in which information as sensitive as Social Security numbers was leaked, as well as over websites secretly sending users’ online activity to third parties, and companies unlawfully collecting fingerprints and other unique identifiers,” reported ClassAction.org. “We expect this trend only to grow in the future.”

Indeed, Corporate Counsel magazine named data privacy litigation as the number-one class action trend to watch in 2023.

“When people think of data privacy litigation, the example that most frequently comes to mind is a data breach, where cybercriminals gain access to individuals’ personal information and then use or disclose that information for their own financial gain,” said Kristin Bryan, a partner in the Data Privacy, Cybersecurity & Digital Assets Practice at Squire Patton Boggs. “But there are emerging avenues of privacy litigation coming from the plaintiffs bar. What we’re seeing now is they are often trying to reinvent data privacy laws that were enacted well before the internet and many other modern technologies had even come into existence.”

Bryan noted that in the last couple of years there has been a rise in data privacy class action lawsuits based on federal and state wiretap laws, against website operators in particular. These actions typically encompass claims related to the use of commonplace modern technologies, such as simple chatbots that are deployed to improve customer service.

“The Electronic Communications Privacy Act, which was enacted by the U.S. Congress back in 1986, long before the internet came into existence, was designed to extend restrictions on federal wiretapping and electronic eavesdropping,” said Bryan. “In addition to this federal law, many states have chosen to regulate in this area of wiretapping as well.”

Plaintiffs have begun filing data privacy class action lawsuits based on these wiretap statutes in federal and state courts nationwide — most notably in the states of California, Pennsylvania, Massachusetts, Florida and Illinois — by asserting that these laws extend to how businesses access internet communications.

“Another avenue we are seeing now is class actions targeting companies that use online video communications, based on something called the Federal Video Privacy Protection Act,” said Bryan. “There have been a number of these video privacy cases filed in recent years, with well over 100 coming over the past two years in jurisdictions across the country.”

Bryan notes that this law was enacted back in 1988 and was prompted by the actions of a video store clerk, who disclosed to media outlets a list of videotapes that had been rented by Judge Robert Bork over a period of time. Congress subsequently passed legislation to preserve the personal privacy of individuals with respect to the rental, purchase or delivery of video tapes — or similar audio/visual materials. The law, which created a private right of action, prevents any provider of such materials from disclosing personally identifiable information of a consumer unless an exemption applies.

This 35 year-old law has recently been dusted off by plaintiffs lawyers as a creative launching pad for a number of data privacy class actions.

“What makes this statute so attractive to the modern plaintiffs bar is that, in addition to having a private right of action, there are also liquidated statutory damages in the amount of $2,500 per violation, as well as possible punitive damages and attorneys’ fees,” said Bryan.

Bryan has obtained dismissals of numerous significant data privacy and cybersecurity litigations, in which plaintiffs collectively sought more than $280 billion in liquidated statutory damages for claims that her clients’ business practices violated federal and state privacy laws. She is a Lexis Practical Guidance contributor and a litigator with deep experience representing clients in complex bet-the-company data privacy, cybersecurity and data breach disputes in federal and state courts nationwide.

I had the privilege of interviewing Bryan on the latest episode of our “Practical Guidance: Data Privacy Series” podcast, where we invite experts to provide insights on timely data privacy and security issues facing legal practitioners. Listen now or download the episode regarding the rise in privacy class actions being brought under antiquated theories of liability, various state and federal wiretap and video privacy laws that are being relied upon by plaintiffs, and how courts are reacting to these causes of action.