For the third year in a row Washington’s State Legislature has failed to pass a comprehensive consumer data privacy law. During this year’s legislative session, versions of the Washington Privacy Act were finally passed in both the house and the senate. As in 2019 and 2020, however, these bills failed to become law after the Washington Legislature could not agree on a provision establishing a private right of action for consumers impacted by privacy violations.
A similar situation unfolded in Florida last week. A data privacy bill passed both the Florida house and senate but failed when the chambers could not agree on a single provision. The provision? Whether to include a private right of action. Even though data privacy protections enjoy strong bipartisan support, the private right of action has halted progress and become one of the most controversial flashpoints for proposed data privacy regulations. This article will discuss the debate around the private right of action, why such provisions are controversial, and how this debate is shaping data privacy legislation around the country.
What is a private right of action?
A private right of action is a statutory provision which entitles any private person who has been harmed by a violation of the law to sue the violator as a means of enforcing the law. Generally, a private right of action exists in addition to provisions allowing the state attorney general or a dedicated regulatory agency to bring a similar lawsuit. Private lawsuits may strengthen the law by serving as an additional deterrent against violations where state enforcement may not be sufficient. These provisions also allow private individuals who have been harmed by a violation of the law to seek restitution for their specific injuries. However, these provisions can be extremely controversial since more litigation may increase a business's risk and costs, ultimately deterring beneficial activities. Businesses may even attempt to avoid commerce in states that allow heavy monetary penalties in private litigation.
Even stakeholders who agree that a private right of action should exist may not necessarily agree on penalties. Depending on how a private right of action provision is written, plaintiffs may need to show “actual damages,” which require evidence of the real value a plaintiff lost due to the defendant’s actions. This is in contrast with “statutory damages,” which do not require evidence of actual harm and instead impose a specific amount of money for a violation of the law, similar to a fine. Actual damages seek to compensate a plaintiff for harms that have occurred, while statutory damages are generally a punitive measure designed to deter future violations.
Data privacy presents a unique challenge when trying to prove actual damages, since privacy invasions that violate the law may not result in a direct monetary loss to the consumer. An actual damages requirement might effectively allow businesses to adopt practices that regularly violate consumer privacy without any risk of litigation, so long as the invasive practice does not impact the consumer’s wellbeing or wallet. Additionally, actual damages from a data breach may be hard to value since any financial harm to the consumer may be prospective or occur years after the data was first exposed. Because of this, many consumer advocates have supported the use of statutory damages rather than actual damages. This would allow consumers to collect money for privacy violations without first having to become the victim of identity theft.
The controversy over a private right of action has become one of the fiercest debates in data privacy, with consumer advocates promoting private litigation as a deterrent and businesses opposing private litigation as costly and inefficient. This core debate will likely continue to halt the development of data privacy regulations around the country as it has in Washington and Florida.
What happened in the Washington Legislature?
For the past three years Washington’s State Legislature has introduced a comprehensive data privacy bill. For the last two years, debates over a private right of action have halted progress and exposed a divide between the priorities of the state house and senate. This year another data privacy bill was introduced and passed both houses. While the house bill included a private right of action with the potential for statutory damages of $10,000 per violation, the senate passed a version of the bill that did not include any provision for statutory damages. Like most states, Washington requires a bill with identical text to pass both houses before it may be submitted to the governor for signature. When substantially similar bills are passed with major differences, the legislature enters a reconciliation process, drafting language for a unified bill that resolves disputes between the chambers. In the case of the Washington Privacy Act, however, reconciliation talks broke down after representatives from the two chambers could not resolve the controversy over a private right of action.
What happened in the Florida Legislature?
Earlier this year the Florida Legislature introduced its first comprehensive data privacy bill. Both the state House and Senate passed versions of this bill, but, as in Washington, the chambers were divided on the issue of a private right of action. The House passed a version of the bill which allowed consumers to bring a lawsuit in three circumstances: (1) following a data breach where personal information was negligently exposed; (2) following the sale or disclosure of data to a third party after the consumer had exercised their right to opt out of disclosure; or (3) following retention of data that the consumer had requested to be deleted or corrected. The Senate amended its version of the bill to strip out the private right of action, limiting enforcement of the bill’s provisions to the state attorney general. The chambers could not resolve this discrepancy during reconciliation, ultimately preventing the bill from moving forward.
How have other data privacy laws handled a private right of action?
US data privacy laws have generally avoided providing a private right of action. Most federal data privacy laws, including GLBA, HIPAA, FERPA, and COPPA, lack a private right of action altogether, relying instead on federal and state agencies to enforce their provisions. Some older privacy laws such as the FCRA and VPPA provide private rights of action which are limited to actual damages and specific violations. State laws have been similarly resistant to adopting broad private rights of action. Virginia’s CDPA recently became law with heavy bipartisan support. Lawmakers avoided debate on any private right of action provision, opting to give the Attorney General sole enforcement authority. This sidestepped one of the most contentious issues states are currently grappling with and allowed the bill to progress with little controversy and overwhelming support.
Unlike Virginia residents, California residents benefit from a limited private right of action contained in the CCPA. California consumers may sue businesses only when the consumer’s nonencrypted or nonredacted personal information is subject to unauthorized access, exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures. California residents may seek actual damages or statutory damages, whichever is greater. Statutory damages are set at no less than $100 and no greater than $750 per violation. While this provision is not expansive, it does provide a strong additional incentive for companies to take reasonable security measures that will better protect consumer data.
The EU’s GDPR contrasts with US laws by providing a broad private right of action through Article 82. Under that provision, any person who has suffered damage as the result of a GDPR violation has the right to receive compensation. Unlike regulators, private litigants may not seek statutory damages for violations, but plaintiffs may recover all actual damages that result from a GDPR violation. The controller may be held liable for any damage caused by processing under its control. The processor may also be held liable, but only where it has not complied with GDPR provisions specific to processors or where it acted outside of or contrary to lawful instructions from the controller.
While this article takes no particular stance on the outcome of this ongoing debate, it is important for businesses and consumers to keep up to date with the latest developments in data protection legislation, especially when a single provision can cause this much controversy. All around the nation there is strong bipartisan interest in adopting consumer data privacy protections. However, Virginia and California are the only two states with comprehensive consumer data privacy statutes, due in part to the way lawmakers limited debate around a private right of action. Washington and Florida both came very close to passing their own laws, only to be derailed by disagreements over private right of action provisions. This controversy will continue to be the main point of contention so long as advocates for data privacy regulations cannot agree on the purpose and scope of a private right of action. Data privacy legislation must create clear rules that respect reasonable consumer privacy and allow businesses to comply effectively. Meaningful data privacy regulation must balance these two interests in a manner that is technologically and politically feasible.
About Ardent Privacy:
Ardent Privacy is an “Enterprise Data Minimization and Privacy Technology” solutions provider based in the National Capital region of the United States. Ardent solutions enable companies to achieve privacy compliance in a meaningful way by taking a data-driven approach to security, and make the journey to the cloud cost efficient, secure, and compliant. They empower enterprises to efficiently comply with new data privacy regulations including CDPA (Virginia), CCPA (California), HIPAA (Healthcare), FISMA, and GDPR (Europe). Using machine learning and artificial intelligence, Ardent solutions identify, inventory, map, and minimize data in enterprises to reduce privacy and compliance risk in their digital transformation and journey to the cloud.
Visit https://ardentprivacy.ai/data-security-resources/library/ for more resources.
Ardent Privacy articles should not be considered as legal or technical advice on data privacy regulations, or any specific facts or circumstances. This article is written to express the opinion of the writer and nothing else.