Companies Face Rising Risk of Data Privacy Lawsuits

Concern is growing in the business world that a new national data privacy law now advancing in Congress could trigger a wave of class-action lawsuits in the United States. 

Some Washington watchers say Congress might actually pass the American Data Privacy and Protection Act (ADPPA), even though other federal privacy bills have failed to gain enough support over the years. If the legislation becomes law, it would finally set a national data privacy policy, which many companies have called for.

Still, details in the bill have drawn opposition — especially the inclusion of a “private right of action.” This right would make any provision in the new law a possible basis not just for enforcement by federal regulators, but also for lawsuits by private citizens and companies.

The U.S. Chamber of Commerce said it opposes the bill due to the private right of action, even though it continues to advocate for a national data privacy law to unify the current patchwork of state and sector-specific regulations. “A national data protection law including a private right of action would encourage an influx of abusive class-action lawsuits, create further confusion regarding enforcement of blanket privacy rights, harm small businesses, and hinder data-driven innovation,” the Chamber said.[1]

Consumer advocates oppose the provision for different reasons. The Electronic Frontier Foundation, for example, argued that “the private right of action in the ADPPA is riddled with exceptions and limits. A strong private right of action is necessary … Otherwise, the bill has no teeth.”[2]

The legislation passed the House Commerce Committee in July by a strongly bipartisan 53-2 vote and has been submitted for the Senate Commerce Committee’s consideration.[3] The bill’s recent progress has spurred both optimistic and pessimistic headlines in the media. For instance, the National Law Review asked: “Federal Privacy Legislation — Is It Finally Happening?”[4] But The Hill warned: “Corporate Lobbying Could Imperil Sweeping Data Privacy Bill.”[5]

The surge of activity in Washington comes as companies face mounting challenges across the board, with more data privacy legislation, litigation and enforcement, according to a Mimecast-sponsored report from Gartner on privacy risks. Looking ahead, “through 2026, organizations that mishandle personal data will suffer three times more financial damage from class actions and mass claims than from enforcement sanctions,” Gartner said.

New Litigation Possible Under Law

The ADPPA would cover both cybersecurity and data privacy, with requirements including:[6]

• Data minimization: Limiting the collection, processing or transfer of private information to what is “reasonably necessary and proportionate” to provide a requested service, for example, or interact with a customer.
• Cybersecurity: Assessing cybersecurity risks and implementing procedures to detect, respond to, or recover from data breaches and other incidents.
• Consumer rights: Enabling consumers to access, correct, and delete data held by a company.

If these and other provisions become law, they would be subject to regulatory enforcement by the Federal Trade Commission and could also become the basis of potential private lawsuits.

Current Privacy Litigation Landscape

With or without the legislation, data privacy lawsuits have been multiplying in the U.S. under consumer protection rules and other legal grounds. The California Consumer Privacy Act also includes a right of private action; since it went into effect in 2020, one “litigation tracker” has counted dozens of cases filed for data security breaches alone.[7]

Class-action settlements in July alone have included the following:

• The U.S. Office of Personnel Management and its contractor agreed to pay $63 million in damages for allegedly lax protections of federal employees’ personal information stolen in a suspected nation-state attack.[8]
• A national mobile carrier agreed to a $350 million payout after a data breach.[9]
• A fintech in California agreed to pay $58 million in a suit based on its handling of consumer data.[10]

Meeting the Data Privacy Challenge

Experts from the International Association of Privacy Professionals provide guidance on avoiding data privacy litigation, including:[11]

• Evaluate your privacy program at least once a year.
• Update which laws apply to your company.
• Ensure that your program is flexible enough to incorporate new requirements.
• Involve stakeholders from across the organization.
• Make sure your contracts with vendors and service providers include privacy and security terms.

At the organizational level, Gartner recommends taking data privacy a step further. That is, companies should widen their perception of data privacy beyond a focus on regulatory compliance to a customer-centric culture of privacy that becomes a competitive advantage in the marketplace.

At the technology level, meanwhile, tools and training should range from strong cybersecurity systems that protect personal data to archives that can be easily managed to respond when individuals seek to access their data or request changes.

The Bottom Line

Data privacy lawsuits are proliferating. Just how much could be determined by new legislation currently moving through Congress. Read the Gartner report, 2022 Prediction: Privacy Risk Expands, for more insight across the range of legislative, enforcement, and litigation risks and how companies can mitigate them.

[1] “U.S. Chamber Warns It Will Oppose Any Privacy Legislation That Creates a Blanket Private Right of Action,” U.S. Chamber of Commerce

[2] “Americans Deserve More Than The Current American Data Privacy Protection Act,” Electronic Frontier Foundation

[3] “Wicker Comments on Federal Data Privacy Efforts at Committee’s Executive Session,” Senate Commerce Committee

[4] “Federal Privacy Legislation — Is it finally happening?,” National Law Review

[5] “Corporate lobbying could imperil sweeping data privacy bill,” The Hill

[6] “Overview of the American Data Privacy and Protection Act,” Congressional Research Service

[7] “CCPA Litigation Tracker,” Perkins Coie

[8] “A $63 million settlement has been reached in a class-action lawsuit about the data breaches of the U.S. Office of Personnel Management and its security contractor,” Girard Sharp

[9] “T-Mobile agrees to pay customers $350 million in settlement over massive data breach,” CNN

[10] “Judge approves settlement ordering plaid to pay $58 million for selling consumer data,” Courthouse News Service

[11] “2023 here we come: How to prepare your privacy program,” International Association of Privacy Professionals