Comprehensive information privacy legislation got off to a promising start in the 116th Congress, but even though key Senate and House leaders on both sides have worked to find bipartisan consensus, they have stalled over a few pivotal and more polarized issues.
No issue is more polarized than whether individuals should be able to bring lawsuits for privacy violations. Private lawsuits — especially consumer class actions — are anathema even to the most privacy-friendly companies, while for many consumer, privacy, and civil rights groups, they amount to foundational goals.
This divide is stark in bills from Sens. Roger Wicker (R-Miss.) and Maria Cantwell (D-Wash.) — respectively the chair and ranking member of the Senate Commerce Committee. They have many promising similarities, but on private lawsuits, they could scarcely be further apart. Wicker’s bill has no private right of action. Cantwell’s does, and it includes punitive damages, lawyer’s fees, statutory damages of $100 to $1,000 per day or the amount of actual damages, and nothing to narrow claims.
This same gap reappears in dueling bills aimed at privacy for contact data and other personal information collected for COVID-19 pandemic response: a Republican bill with no individual right to sue, and a Democratic one with an expansive one.
Any federal privacy legislation will remain stalled so long as both sides sit in their own corners and have power to block the other (something quite likely whatever the outcome of elections). It will take some give on a private right of action to get action.
My Brookings Institution colleagues and I proposed a solution for this pivotal sticking point in a recent report, “Bridging the gaps: A path forward on federal privacy legislation” — providing a remedy when misuse of personal information causes specific kinds of injuries that have been long-recognized in American law, but limiting damages and setting higher standards to bring private lawsuits for other violations of privacy law.
Our report is based on intensive public and private conversation across a spectrum of congressional staff, civil society, industry, and academics, as well as our own experience in following — and drafting — privacy legislation. We found a surprising level of agreement on much of the Wicker and Cantwell bills. In this light, we explored what sort of limited private litigation rights industry might live with, and what limits on such rights privacy advocates might accept.
Many industry representatives do not oppose all litigation, but are concerned about what they consider nuisance lawsuits and the potential for class actions and damages multipliers (like statutory damages, punitive damages, and multiple damages) to ratchet up the nuisance value of suits regardless of their merits. Advocates voiced two key purposes for private lawsuits: to give individuals redress for injuries stemming from violations of legally-protected privacy interests and to add force multipliers for federal and state government enforcement.
These interests anchor our private right of action recommendations. There is little doubt that damage multipliers — compounded by a large number of class action members — quickly reach the kind of risk exposure that gets management attention and adds nuisance value. Even a prominent privacy class action lawyer has said that the penalty of $500 per violation of the recent California Consumer Privacy Act can be excessive in many cases.
Yet few would dispute that some kinds of privacy injuries deserve compensation. Take, for example, non-consensual pornography, use of spyware against a former spouse, financial loss caused by identity theft, or use of personal information in ways that violate antidiscrimination laws. These kinds of injuries have a history of remedies in common law and state and federal statutes for many decades.
Our approach is carefully calibrated to balance these interests, with procedural filters and limits on grounds for lawsuits and damages. Our proposal requires plaintiffs to prove a “knowing or reckless” violation for most legislative provisions and “willful or repeated” violation of the more administrative requirements, to prevent “gotcha” lawsuits for violations with less direct impact on individuals. Only foreseeable injuries of the clearly compensable kind described above would not be subject to these heightened standards.
We also would limit recovery to “actual damages” and reasonable attorney’s fees for most infractions — with higher, statutory damages only available if a plaintiff proves a “willful or repeated” violation of privacy legislation. Potential plaintiffs would have to provide a form of notice and opportunity to cure before bringing a private lawsuit (as required under various state consumer protection laws) and follow class action procedures adapted from the 1995 Private Securities Litigation Reform Act.
These recommendations will not satisfy maximalists on either side of the debate. But it will take this kind of balancing for privacy legislation to become law.
Both sides of the privacy debate have something to gain from finding middle ground — and something to lose from continued stalemate. For businesses, it is the opportunity for a consistent national standard. For advocates, it is the opportunity for effective privacy protections for all Americans, regardless of what state they live in or what kind of business they deal with. The longer we wait for a national privacy baseline, the worse off the American people and businesses are likely to be.
Cameron F. Kerry is a distinguished visiting fellow at the Brookings Institution and a visiting scholar at the MIT Media Lab. He previously served as general counsel and acting secretary of the United States Department of Commerce.