The number of privacy lawsuits filed against big tech companies has significantly dropped in recent years, according to a review of court filings conducted by The Recorder, a California business journal.
According to The Recorder, the period 2010-2012 saw a dramatic spike in cases filed against Google, Apple, or Facebook (as measured by filings in the Northern District of California naming one of the three as defendants). The peak year was 2012, with 30 cases filed against the three tech giants, followed by a dramatic drop-off in 2014 and 2015, with only five privacy cases filed between the two years naming one of the three as defendants. So what explains the sudden drop off in privacy lawsuits?
One theory, according to privacy litigators interviewed for The Recorder article, is that the decline reflects the difficulty in applying federal privacy statutes to prosecute modern methods of monetizing, collecting, or disclosing online data. Many privacy class action claims are based on statutes passed in the 1980s like the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), both passed in 1986, and the Video Privacy Protection Act (VPPA), passed in 1988. These statutes were originally written to address specific privacy intrusions like government wire taps or disclosures of video rental history.
Using these statutes to successfully argue a breach of privacy has not been easy for plaintiffs. Online streaming services Hulu and Roku have been the subject of claims under the VPPA for sharing users’ viewing selections or streaming device identification numbers. But courts have been reluctant to hold that the sharing of users’ online choices between service providers is a “knowing” disclosure of personal information, as required by the statute, or that device identifiers are personally identifiable information.
Moreover, according to Jillisa Bronfman, head of the privacy and technology clinic at UC-Hastings College of the Law, the per-violation statutory damages scheme of current privacy statutes was “not written with modern mass technologies in mind.” Indeed, with hundreds of millions of users (and potential plaintiffs), many technology companies face potentially company-ending fines if courts decide to stick with the current statutory damages scheme.
Knowing this, judges are reluctant to impose penalties under these statutes that could potentially bankrupt a company from one privacy violation. Google and Viacom recently won a dismissal of claims that they illegally tracked the internet activity of children who visited the Nickelodeon website. Plaintiffs brought claims under the VPPA, as well as state anti-computer hacking laws. In dismissing plaintiffs’ claims, U.S. District Judge Stanley Chesler wrote that while children are deserving of special protection, a proper remedy should be pursued through legislative or executive changes, not under existing (i.e. inapplicable) statutes.
Another reason for the drop in privacy suits, noted by Casey Sullivan in The Technologist Blog, may be that plaintiff’s attorneys have not obtained the high payouts that make contingency-based class action lawsuits financially worthwhile. Plaintiffs’ counsel’s fee requests are often challenged by courts who take issue with the potentially large payout to attorneys when the amount received by members of the class is usually low. The most lucrative recent privacy settlements have been a $20 million judgment against Facebook for unauthorized use of users’ images in its “Sponsored Stories,” of which attorneys’ fees came to $4.7 million, about 60% of the original fee request.
However, it may be premature to say that privacy class action suits are in a permanent decline. U.S. District Court Judge Lucy Koh recently certified a class action complaint against Yahoo! for scanning emails of non-Yahoo! mail users, in violation of the SCA and California privacy laws. Another major turning point in plaintiffs’ ability to bring these suits could be coming this fall, when the Supreme Court hears Spokeo, Inc. v. Robbins, a case dealing with a plaintiffs’ ability to bring a case in federal court without showing a particular injury. The plaintiff in Spokeo claimed that Spokeo Inc., a “people search engine” that aggregates and publishes social information from online and offline sources, willfully violated the Fair Credit Reporting Act (FCRA) by publishing misleading information about him.
The plaintiff claimed this misinformation negatively affected his employment, credit, and insurance prospects but could not show any particular injury. Despite a lack of actual harm, the Ninth Circuit Court of Appeals held that the plaintiff had standing under the FCRA simply by asserting a violation of a statutory right.
Major tech companies like Google, Facebook, Yahoo! and eBay have already filed amicus briefs in Spokeo, expressing their concern that the Ninth Circuit’s decision allows plaintiffs who have suffered no particular injury to maintain suits merely by claiming that their statutory rights were violated.
Putting aside the important public policy issue in the case, namely the question of whether a privacy infringement itself is the “damage” intended to be covered by the relevant statutes, the concern of large tech companies is understandable. If the Court finds that a plaintiff has standing to sue in federal court without showing an injury apart from the statutory violation itself, it would make it far easier for class-action plaintiffs to allege violations under any of the many statutes that govern the collection, use, and disclosure of personal information. And combined with the large statutory damages available under certain privacy statutes (the VPPA authorizes $2,500 per violation, for example), the incentives of plaintiffs to file class-action privacy suits, and the potential financial cost to these companies, are extremely high. So depending on how the Court rules in Spokeo, the trend in privacy suits favoring defendant companies could turn. However, according to several privacy attorneys quoted in The Recorder, the next wave of class actions may focus on data breaches, which have affected giant organizations like Anthem, Sony, and even the U.S. government. In the case of Anthem, its data breach affected more than 80 million customers, and spawned more than 40 class action suits. Privacy class action plaintiffs may find that pursuing data breach claims gives them a better chance at showing injury, as the threat of immediate or potential harm to plaintiffs is more readily apparent in cases when personal information is stolen and when a potential black market for the information is known to exist.
The conclusion is that privacy cases are not necessarily going away but plaintiffs’ success in obtaining large judgments has been limited. One reason may be that that the statutes used to pursue privacy class action suits were originally written to address abuses of particular technology or specific types of privacy violations. These legal grounds often do not fit modern threats to data security such as hacking or breaches of large consumer databases. And cases like Spokeo illustrate the underlying public policy debate, of whether actual monetary damages must have been caused by a privacy breach, or whether the breach itself is the harm that was intended to be prevented by Congress and state legislatures. It may be that the continued success of privacy suits will depend on an updated legislative solution that recognizes how information is collected, used, or disclosed in the modern digital era while allowing companies some room for error, absent some willful violation or direct harm to a user, when online data is misused.
