Equifax Settlement Previews Likely Outcome if Congress Creates a Data Privacy Law Allowing Class Action Lawsuits
With a comprehensive federal data privacy law potentially within reach—assuming Congress keeps its priorities in order—the debate over specific provisions in such a law is increasingly salient. One of the most significant sticking points for lawmakers is the private right of action, the right for consumers to sue data holders over privacy violations.
Much of the opposition to including a private right of action in a federal data privacy law has focused on the significant economic cost—up to $2.7 billion per year in duplicative enforcement—while proponents tout the benefits to consumers. Proponents argue that consumers should be able to obtain financial compensation when data holders violate their privacy. But a recent example demonstrates that consumers may not gain much financial benefit from a private right of action, and certainly not enough to justify the cost.
Consumers have been receiving their payments from a settlement Equifax reached with the Federal Trade Commission (FTC) over the company’s high-profile 2017 data breach. Of the $425 million consumer restitution fund that makes up the bulk of the settlement, individuals can receive up to $125, though most will receive far less: mere dollars and cents. A quick look on social media shows most users receiving settlement checks of $5 or $12. Meanwhile, the lawyers involved in the case received $77.5 million in fees and up to $3 million in reimbursed litigation expenses, demonstrating who the true winners are in this scenario. On top of that are significant transaction costs for consumers in applying for and receiving the awards.
If a new federal data privacy law includes a broad private right of action that allows for class action lawsuits, these lawsuits would likely play out very similarly to the Equifax case. The thousands or millions of affected consumers would receive very little, while the lawyers representing them would win big. A more limited private right of action, such as the one included in last year’s draft of the American Data Privacy and Protection Act (ADPPA), would have a lower economic cost than a broad private right of action, but it would still carry costs that would not translate into significant financial benefit for individual consumers.
The ADPPA only allows individuals to bring civil actions against data holders starting four years after the act goes into effect, and individuals must notify their state attorney general and the FTC of their intent to bring suit. If one of those agencies decides to initiate an action, individuals cannot file their own lawsuit. There is also a limited right to cure, whereby if a data holder successfully addresses an alleged problem within 45 days, they can seek dismissal. Under these circumstances, the only lawsuits individuals can proceed with are likely to be meritless, which translates to costly legal fees for data holders just to get the cases against them dismissed.
A targeted privacy law would still include effective enforcement mechanisms, such as giving power to the FTC and state attorneys general. Most state attorneys general are elected, making them directly accountable to citizens, and in the remaining states the governor appoints them, so citizens should expect them to be responsive to any complaints. But a broad private right of action is not worth the economic cost, especially considering its limited benefit to individual consumers.