Cyberlaw Predictions: Privacy Litigation in the United States

This post is the second in a series of predictions from legal and business experts about the directions cyberlaw policy might take in 2013, solicited by editors of BNA's Electronic Commerce & Law Report during the closing weeks of 2012. We asked that the remarks be brief -- something along the lines of a Twitter "tweet" or an elevator pitch. Over 100 attorneys, law professors, online business executives, policy advocates and other cyberlaw experts responded, producing 307 separate assessments, predictions, or just plain complaints about any topic that fell under the general heading of cyberlaw.

Many attorneys offered an opinion on the outlook for privacy-related litigation in general and privacy class actions in particular. No surprise there, given the amounts of money at stake and the fact that so many businesses have exposure to claims arising from mishandling personal information.

gavel flag

Even though privacy plaintiffs have had a difficult time establishing an actionable level of damages in privacy cases (see Rudgayzer v. Yahoo!, Ruiz v. Gap, In re Facebook Privacy Litigation, and Krottner v. Starbucks as examples of courts rejecting what they characterized as conjectural allegations of harm; however, rulings in Resnick v. AvMed, Burrows v. Purchasing Power, and In re Sony Gaming Networks are thought to be promising rulings for plaintiffs), the consensus view among our contributors is that privacy litigation is going to increase during the upcoming year.

The experts' views:

2013 will be the year of privacy class actions for the mobile industry. Jay Edelson, @jayedelson, Founder and Managing Partner, Edelson McGuire LLC, Chicago.

The wave of litigation over online tracking appears to have crested. After a series of adverse decisions, the plaintiffs' bar may fear making more bad law. Stephen P. Satterfield, Associate, Covington & Burling LLP, Washington, D.C.

There has been a chipping away at the "proof of harm" wall preventing privacy lawsuits to proceed. Judges have started to allow creative damage theories to establish standing to sue and to fulfill the damages requirement of causes of action. If the wall comes crumbling down, privacy class actions will proliferate. Christopher Wolf, Partner, Hogan Lovells, Washington, D.C.

More judicial exploration of the actual dividing line and balance between the First Amendment and data protection laws. Holly K. Towle, Partner, K&L Gates LLP, Seattle.

More data privacy, behavioral advertising and security breach litigation despite the absence of damage or legally cognizable injury in most cases. Ian Ballon, @ianballon, IP & Internet Litigation Shareholder, Greenberg Traurig LLP, Silicon Valley & Los Angeles.

2012 saw a ton of activity around privacy and social networks, including privacy class action lawsuits against networks, regulatory action, one high-profile battle involving government efforts to obtain user data from networks, and cases involving social media evidence. No decision really stands out to me. What we didn't see was significant legislation (do not track; email/account privacy; federal data breach law). We are sure to see some legislative activity in this area in 2013. Venkat Balasubramani, @Vbalasubramani, Partner, Focal PLLC, Seattle.

Marketing to mobile devices remains an exceptionally difficult task. The laws governing mobile marketing have not kept up with America's transition to the smart phone. This is true both in terms of lack of space for sufficient disclosures in advertising to contacting customers about potential offers. Class action attorneys are exploiting this chasm. Andrew Lustigman, @advlaw, Partner, Olshan Frome Wolosky LLP, New York, N.Y.

Companies beleaguered by privacy-related class action lawsuits had their hearts broken this year when the Supreme Court revoked its grant of certiorari after entertaining oral argument in Edwards v. First Financial Corp., a case in which the Ninth Circuit held that the constitutional standing requirement was satisfied despite the fact that the plaintiff suffered no concrete injury. Neel Chatterjee, Partner, Orrick Herrington & Sutcliffe LLP, Silicon Valley.

Google agreed to pay a record $22.5 million civil penalty this year to settle charges by the FTC that Google misrepresented its use of tracking cookies to users of Apple's Safari browser. In addition to imposing the largest civil fine in history for violation of a Commission order, the settlement agreement also requires Google to disable the subject cookies Neel Chatterjee, Partner, Orrick Herrington & Sutcliffe LLP, Silicon Valley.

Early this year, the First Circuit held that a plaintiff lacked Article III standing to sue her investment broker for failing to conform to data encryption standards, which plaintiff argued increased the risk that her private information would be subject to unauthorized access Neel Chatterjee, Partner, Orrick Herrington & Sutcliffe LLP, Silicon Valley.

The best way to prepare for a major data breach is to experience a major data breach--after your first, they are all routine. Joseph V. DeMarco, @devoredemarco, Partner, DeVore & DeMarco LLP, New York, N.Y.

Watch for increasing class action activity as courts in 2nd, 9th, and 11th Circuits are offering plaintiffs new theories to survive motions to dismiss. D. Reed Freeman Jr., Partner, Morrison & Foerster LLP, Washington, D.C.

Location privacy remains unsettled, but a baseline emerges as SCOTUS finds persistent government tracking by GPS to be a search in United States v. Jones. Albert Gidari, Partner, Perkins Coie LLP, Seattle.

CA federal court rules Video Privacy Protection Act applies to streaming video (Hulu case). Jeffrey Jacobson, Partner, Debevoise & Plimpton LLP, New York, N.Y.

9th Cir. approves Facebook settlement with no payments to class members, just establishment of new privacy foundation with Facebook representative on board. Jeffrey Jacobson, Partner, Debevoise & Plimpton LLP, New York, N.Y.

Multiple decisions holding that violation of privacy statute confers standing to sue even without quantifiable damages; Supreme Court declines to weigh in. Jeffrey Jacobson, Partner, Debevoise & Plimpton LLP, New York, N.Y.

The Supreme Court missed an opportunity to use a real estate case to clarify the law of data privacy. Courts have differed in deciding when violation of a privacy statute creates enough injury to confer standing. The Supreme Court seemed primed to address this issue in First American Financial Corp. v. Edwards, where the plaintiff alleged injury based on violation of the Real Estate Settlement Procedures Act. But the Court dismissed cert. as improvidently granted. The case may have been a victim of the Court's end-of-term focus on the Obamacare case. Howard S. Hogan, Partner, Gibson, Dunn & Crutcher LLP, Washington, D.C.

2012 was the year LinkedIn got hacked. Expect more class-action lawsuits for data breaches and bigger settlements. Glen Gilmore, @glengilmore, Attorney and Digital Marketing Strategist, Gilmore Business Network, Greater New York, N.Y.


Follow @tjotoole on Twitter Follow me on Twitter at @tjotoole.