As the new year and decade begin, consumer privacy issues have never been more top of mind, especially with the California Consumer Privacy Act (CCPA) taking effect. This groundbreaking and sweeping legislation could become the gold standard on which other state and federal privacy laws are modeled, but many corporations are taking a “wait and see” approach before addressing their data security and data sharing practices and implementing changes. Although there is a six-month grace period before California’s attorney general begins enforcing the CCPA, that grace period does not stop individuals or other agencies from filing lawsuits to protect consumer privacy under existing law.
Many credit the EU’s General Data Protection Regulation (GDPR) with sparking this new wave of privacy awareness in America, but that’s only part of the story. New laws with compliance deadlines get a lot of media attention, but they work in tandem with enforcement of older laws, which are being applied to new technologies and new data breaches. Over the last 10 years, federal consumer privacy lawsuits alleging violations of the Fair Credit Reporting Act (FCRA) have increased by 150%. Similarly, eight times as many cases alleging a violation of the Telephone Consumer Protection Act (TCPA), the statute regulating infamous “robo-calls,” were filed in 2018 as in 2009.
When the FCRA and the Fair Debt Collection Practices Act (FDCPA) were passed in the 1970s, financial information was stored on index cards and took a significant amount of time to compile and check. As a result, the conduct these statutes regulate was much harder to carry out at scale, and violations were correspondingly rarer. With the explosion of data volumes in the digital age, the potential for data breaches has increased enormously, and so has the potential for litigation.
While not every incident is on the same scale as the breaches at Facebook or Equifax, those exceptional cases mark the upper bound of litigation risk. Surveying the overall landscape of consumer privacy litigation is a useful reminder of the different types of legal risk, which can help privacy professionals plan comprehensive data privacy policies going into the new year. Data-driven analyses of each type of risk also show how many cases receive little attention and what the “average” case looks like in each scenario.
Federal executive branch enforcement
The Federal Trade Commission (FTC) files privacy and data security enforcement actions for the federal government. Its 2018 annual privacy and data security update breaks down several categories of enforcement: General Privacy, Data Security and Identity Theft, Credit Reporting and Financial Privacy, International Enforcement, Children’s Privacy and Do Not Call.
According to FTC statistics, the agency filed 18 administrative actions, 40 federal actions and eight civil penalty actions under the consumer protection category in 2018. These relatively small numbers are not surprising because the FTC has limited resources and often files only high-profile cases. Looking specifically at its federal court filings, the FTC filed 480 consumer protection cases* in federal district court from 2009 through 2018 according to documents obtained from PACER (Public Access to Court Electronic Records).
The Consumer Financial Protection Bureau (CFPB) filed 91 consumer protection cases in federal court between 2009 and 2018. Anecdotally, companies may believe that they have little to worry about in the way of government enforcement because of the current administration’s business-friendly rhetoric. However, in 2019 the FTC has already filed 38 consumer protection cases, and the CFPB has filed 12 (up from just two in 2018).
The risk of damages varies with the facts of the case. While the $5 billion Facebook settlement is remarkable, some enforcement actions involve no damages at all. Instead, companies may be required to set up compliance practices, with the threat of damages if they fail to comply. The Equifax settlement included up to $425 million for consumer relief. However, the pool for alternative cash payments to consumers (the payment offered in lieu of credit monitoring) was capped at $31 million, which has led to confusion over how much claimants will actually receive.
Overall, these types of enforcement actions are relatively rare and may involve only compliance obligations. When a case does involve monetary damages, however, the amounts tend to be quite large.
Federal court litigation
According to a consumer protection report that surveyed information from PACER, plaintiffs filed over 3,500 cases with FCRA claims in 2018 alone. Compared with the enforcement numbers above, this represents a far more likely source of legal action.
Over the last 10 years, FCRA filings grew significantly, while FDCPA filings have been on a slight downward slope. Over 7,800 FDCPA cases were filed in federal district court in 2018. While that is down from 11,440 in 2011, it is still a significant number of cases.
Federal FCRA Cases Filed 2009 to 2018
Federal FDCPA Cases Filed 2009 to 2018
The risk of a consumer protection class action has grown over the last 10 years, with nearly 3,800 class action consumer protection suits filed at the peak in 2017. For a class to be certified, its members must be linked by certain criteria, including “commonality” and “typicality.” Often, the link among class members is their common exposure to a single large data breach.
Consumer Protection Class Action Cases Filed 2009 to 2018
However, the damages exposure in private litigation is generally lower than in federal enforcement cases. The largest damages figures in federal consumer protection cases tend to be settlements in enforcement actions. The next largest tend to come from multidistrict litigation and class actions, and most of those are settlement agreements rather than trial awards. According to the report, many of the top class action settlements in consumer protection cases were in the eight figures, such as the $60 million settlement against iCan Benefit Group and the almost $50 million settlement against US Coachways under the TCPA.
Federal district court litigation is far more prevalent than enforcement actions, and a big-picture view of that litigation, including class action filings and damages, is important for understanding trends in filings and awards.
State law cases and enforcement actions
While this overview cannot fully survey all 50 states’ laws on data privacy and consumer protection, some recent state law events are especially relevant, particularly the aforementioned CCPA. Although the CCPA is a California law, it applies to for-profit businesses that collect consumers’ personal information, do business in California and satisfy certain thresholds (annual gross revenue over $25 million, buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices, or deriving 50% or more of annual revenue from selling consumers’ personal information). The law gives consumers rights to demand action related to their personal information, such as access to and deletion of data and opting out of its sale. According to the IAPP, as many as 100,000 California businesses and 500,000 US businesses could be affected. Many other states are revamping their privacy laws as well, including Nevada, whose law went into effect in October.
In one exceptional consumer protection case, attorneys general from all 50 states filed against Uber for covering up a data breach. Uber paid $148 million to settle these state-law enforcement actions. All states require data breach notification; however, the laws differ on the form and timing of the notice required. State law also affects federal filings: states with statutory damages minimums and stronger consumer protections tend to see higher consumer protection case counts in the federal districts located within them.
As more data is collected on state law cases and legislation, tracking big-picture trends in state law cases may be just as crucial as tracking federal cases or federal enforcement actions.
Criminal liability
Right now, criminal sanctions apply only to the individuals who carry out cyber attacks. Criminal liability for employees of a company that suffers a data breach seems unlikely. However, sentiment may be shifting: a 2020 presidential candidate recently proposed criminal liability for negligent executives. Depending on how the election turns out, executives and employees of corporations could face criminal liability in the next decade. The United Kingdom’s Data Protection Act 2018 lays out a framework for corporate and employee criminal liability, but it is hard to imagine the US passing laws imposing criminal liability before strengthening some of its civil protections.
Mitigating future risk
When companies plan for future risk, litigation can be viewed either as a natural cost of doing business or as a consequence reserved for the most extreme situations. Depending on the nature of the business, the disposition of in-house counsel and the legislative landscape, litigation risk may be a focus of a company’s strategic planning or treated as an unlikely emergency. It often falls into the latter category because companies find it difficult to quantify and predict these risks.
One thing is certain: as more states enact their own privacy laws, the increased complexity and risk of leveraging consumer data will make the chief privacy officer (CPO) role more important than ever. Privacy professionals who understand the legal and regulatory landscape, including past litigation trends and the damages awarded, are better able to see the risks on the horizon and to counsel their organizations on how to protect themselves and their customers.
* Consumer protection cases are defined as including claims under the Fair Debt Collection Practices Act (FDCPA), Fair Credit Reporting Act (FCRA), Truth in Lending Act (TILA), Telephone Consumer Protection Act (TCPA) or a federal consumer protection enforcement statute, such as the FTC Act or Consumer Financial Protection Act.