‘Paper Tiger’ State Privacy Laws Worse Than Having No Law at All

Oct. 12, 2023, 8:00 AM UTC

Congressional ineptitude has prompted states to step in and pass their own versions of cybersecurity and privacy laws. The problem with most state bills, however, is that they make matters worse.

Technology has advanced at a breakneck speed, and trusting lawmakers to step in—when many lack a basic understanding of the issues—has paved the way for widespread privacy violations in the digital age.

As an example, the Mozilla Foundation announced last month that cars are “the official worst category of products for privacy” that it has ever reviewed. The global nonprofit reviewed 25 car brands and found 92% of them “give drivers little to no control over their personal data.”

Privacy violations are nothing new. In 2005, Sony BMG’s anti-piracy measures on music CDs installed hidden rootkit software onto PCs that reported back to Sony the CD being played and the IP address of the PC, creating a host of vulnerabilities for worms and viruses to exploit.

One would think that with nearly 20 years of experience with privacy violations, the US would at least have something akin to the EU’s General Data Protection Regulation. Instead, privacy and security bills routinely fail in Congress, and states are left to pick up the pieces.

While not ideal, common-law claims and consumer protection statutes already have been used regularly by civil litigants to enforce their rights against privacy and security violations—some leading to record-breaking settlements of over half a billion dollars to consumers.

In a nationwide class action against Facebook brought in the wake of the Cambridge Analytica scandal, Facebook users brought several common law and statutory claims. The case was settled for $725 million.

In another case, involving Equifax’s 2017 data breach, which exposed personal information of nearly 150 million consumers, the parties reached a settlement of up to $505.5 million.

But legislation taking effect in the next several years—Florida’s Technology Transparency Act, Indiana’s and Iowa’s Consumer Data Protection Acts, Montana’s Consumer Data Privacy Act, Oregon’s Consumer Privacy Act, Tennessee’s Information Protection Act, and Utah’s Consumer Privacy Act—do nothing to help consumers hold companies that engage in rampant privacy and security violations accountable for their conduct.

This is because none of these statutes provide for a private right of action. Instead, enforcement is left to regulators, without any kind of corresponding increase in resources to handle litigation and penalties for the thousands of data breaches that occur yearly, and myriad privacy violations that are exposed daily.

And for statutes that only allow for penalties, none of that money ends up in consumers’ pockets to help them deal with fraud or identity theft—which is quite shocking, considering that consumers reported losing $9 billion to fraud and identity theft scams in 2022.

The passage of these laws might make for great headlines, but existing laws did more to allow consumers to pursue remedies to make themselves whole again.

Instead, passing statutes that allow for private civil enforcement—such as the California Consumer Privacy Act’s private right of action for data breaches, which is limited to a handful of circumstances—allows consumers to get higher compensation for the most egregious of data breaches.

Consider the recent settlement related to T-Mobile’s breach, providing California consumers up to $100 for a data breach that revealed Social Security numbers and other sensitive information.

Leaving the pursuit of expensive privacy and security breach litigation to regulators alone ignores that private, civil enforcement can often work hand-in-hand with regulator action to achieve complete peace—for consumers and companies. Without a private right of action, these laws do little to help put money back into the pockets of consumers.

The cases are In re Facebook, Inc. Consumer Privacy User Profile Litigation, N.D. Cal., No. 3:18-md-02843, proposed final judgment 9/21/23 and In Re: Equifax, Inc. Customer Data Security Breach Litigation, N.D. Ga., No. 1:17-md-02800, 7/25/19

Lewis & Clark Law School student Elijah Savage contributed research for this article.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Amy Keller is managing partner of DiCello Levitt’s Chicago office and chair of the firm’s privacy, technology, and cybersecurity practice.
