Kashmir Hill follows up on the recent Commerce Department report by posing an interesting question, whether:
… if this framework is established, people should have the right to pursue class-action lawsuits against companies that violate the law, or if enforcement should be limited to action by the FTC. Here’s the relevant graf from page 29 of the report [PDF]:
In contrast to the general agreement of commenters in favor of a baseline commercial data privacy framework, there was disagreement on the role for private rights of action in such a framework. Several commenters noted that private lawsuits—particularly in the form of class actions—provide a potent incentive for organizations to keep personal data secure. One commenter noted that “[i]n an absence of private rights of action, . . . there is likely to be significant underenforcement of privacy interests” because of Federal and State authorities’ resource constraints.
Others stated, however, that the potential for large damage awards from private lawsuits provides a reason to limit private rights of action. In particular, one commenter identified potential class action liability as one of the “largest hurdles” that companies face when they seek insurance and contract with other entities that handle personal data.
That’s a big deal. At this point, class action lawsuits over privacy violations have been one of the primary mechanisms for consumers to essentially punish companies that have done privacy wrong (e.g., the Facebook Beacon disaster). Commerce is calling for comment on its report, and I have to assume that question will inspire some heated responses, especially from class action lawyers.
If we view a privacy bill of rights in the context of other federal privacy-related laws, it’s noteworthy that not one piece of proposed federal legislation on data breaches has included a private cause of action. The FTC and state attorneys general have enforcement options and entities can be fined, but consumers have no individual recourse written into proposed law or the existing HIPAA/HITECH Act laws. And the same lack of right of private cause of action exists in the federal education privacy law, FERPA.
While the Privacy Act of 1974 does contain an individual provision, my bet is that there will be intense lobbying by those with the big bucks to lobby and the consumer will be left without any cause of action in any online privacy bill of rights law. So perhaps, instead of focusing on financial harm, we need to argue about other types of harm that may accrue from privacy violations and use that as the basis for including a cause of action.