The Litigation Landscape: Data privacy risks and legal readiness

Key Takeaways: The Litigation Landscape: Data privacy risks and legal readiness

Executive Summary

Tim Lowe and Christopher Dean from McDonald Hopkins presented a webinar on the evolving landscape of data privacy litigation, emphasizing the rise in class action lawsuits and the legal readiness required to mitigate risks. They discussed the prevalence of data privacy issues leading to litigation, even in the absence of actual damages, and highlighted the types of lawsuits, settlement patterns, and legal outcomes. The webinar covered general data breach litigation, web tracking tools, and the complexities of defending and settling these cases. Key points included the importance of timely documentation, contract language, and understanding the legal implications of web tracking technologies. The presentation underscored the need for companies to proactively assess and manage their data privacy practices to minimize litigation risks and comply with regulations.

Speakers

Christopher Dean, Member - Litigation Department, Data Privacy and Cybersecurity Practice, McDonald Hopkins
Tim Lowe, Co-Chair, Business Litigation Practice | Member, Litigation Department, McDonald Hopkins

Key Takeaways

1. Rising Litigation Trends: Data privacy class action litigation is on the rise, often involving cookie-cutter complaints with common law claims such as negligence and breach of contract.

2. Small Breach Impact: Even small data breaches can lead to multiple lawsuits due to the increasing number of plaintiff attorneys in the data privacy space.

3. Varied Settlement Structures: Settlements in data privacy cases are common and can vary widely in structure, influenced by factors like class size, demographics, and statutory damages.

4. Web Tracking Litigation: Web tracking tools, including Facebook's Metapixel and Google's suite of products, are generating significant litigation due to their ability to collect and disclose user information to third parties.

5. Privacy Concerns Increase: The use of web tracking technologies raises privacy concerns, as users often unknowingly exchange their privacy for free content, leading to increased public awareness and litigation.

6. Statutory Damages Potential: Wiretap statutes and the Video Privacy Protection Act (VPPA) are being applied to web tracking technologies, with potential for significant statutory damages.

7. Proactive Risk Mitigation: Companies should proactively assess and mitigate risks associated with web tracking technologies, improve privacy disclosures, and obtain user consent to comply with regulations and minimize litigation risks.

Key Quote

With increasing frequency, data privacy and cybersecurity issues will lead to litigation, at least the threat of litigation even where actual damages are non-existent and the risk of litigation starts with the collection and storage of data, any data.

Related Content

Explore Related Content.

Webinar

Watch Full Webinar here.

Litigation Risks and Strategies for Data Breaches and Web Tracking Technologies

In today's digital age, data privacy and cybersecurity have become paramount concerns for businesses across all sectors. The rise in data privacy class action litigation underscores the growing awareness and sensitivity around these issues. Companies are increasingly entangled in legal disputes due to data breaches and the use of web tracking tools. Understanding the litigation landscape, settlement patterns, and legal outcomes is crucial for businesses to mitigate risks and ensure legal readiness.

As businesses strive to optimize their online presence, tools like heat mapping and session replay have become indispensable. These technologies, offered by companies such as Hot Jar and Crazy Egg, allow website owners to visualize user interactions, track clicks, and analyze input data. While these tools provide valuable insights for targeted advertising and content personalization, they also raise significant privacy concerns. Navigating these legal complexities is essential for businesses to protect their interests and maintain compliance.

Litigation Trends and Risk Mitigation in Data Breaches and Web Tracking

Over the past decade, data breach litigation has seen a significant increase. Any data security incident, whether a phishing attack, email compromise, or ransomware attack, can lead to lawsuits. The size of the affected class is often irrelevant; even breaches impacting a small number of individuals can result in multiple lawsuits. This surge in litigation is partly due to the increasing number of plaintiff attorneys entering the space, leading to heightened competition and a race to the courthouse. Plaintiffs' attorneys often file lawsuits before breach notification letters are even sent out, complicating the legal landscape for businesses.

Complaints in data privacy class action lawsuits tend to be similar, with common law claims such as negligence, breach of contract, invasion of privacy, and unjust enrichment being the norm. The key issue often revolves around the alleged injury and damages. Plaintiffs typically claim fear of future harm rather than actual damages, making motions to dismiss a common defense strategy. The success of such motions varies by state and judge, and many cases proceed to the discovery phase, which can be costly and time-consuming. Settlement discussions often follow early discovery, with settlements becoming a significant part of these cases due to the difficulty in having them dismissed.

Settlement structures in data breach litigation can vary widely, from common fund settlements to claims-made settlements and hybrids of the two. Common fund settlements, where a set amount is contributed to a fund to pay for everything related to the settlement, tend to be more expensive but easier to negotiate. Claims-made settlements, where relief is paid out as claims come in, can be cheaper but more complex to negotiate. The types of relief offered to class members typically include reimbursement for documented monetary losses, compensation for lost time, additional credit monitoring, alternative cash payments, and improvements to the defendant's IT security. Factors such as class size, demographics, type of information involved, statutory damages, and the number and style of plaintiffs' counsel all significantly impact the cost of settlements.

Beyond class actions, businesses may face breach of contract or indemnification claims following a cyber incident. These claims often arise when a vendor's cyber incident impacts its customers, leading to demands for indemnification. The success of these claims depends on the timeliness and documentation of the claim, as well as the contract language and limitations of liability. Navigating these claims can be sensitive, especially when there is an ongoing customer relationship to maintain. Single-party claims by individuals affected by uniquely personal information breaches, such as medical records, are less common but can occur.

Web tracking tools, such as pixels and analytical tools, have also become a significant source of litigation. These tools, which are ubiquitous across websites, collect and disclose user information to third parties like Google and Facebook. The information collected can include IP addresses, header information, device and browser details, page views, mouse movements, and text entries. Facebook's Metapixel, in particular, has been a high-profile target due to its ability to tie website users to actual individuals through persistent cookies. The use of these tools raises privacy concerns and has led to costly litigation for businesses.

The collection of user data through tracking technologies is a double-edged sword. It allows companies to deliver more relevant content and advertisements, enhancing user experience and potentially increasing sales. For instance, if a user is interested in purchasing a lawn mower, targeted ads for lawn mowers are more likely to be appreciated than irrelevant advertisements. This convenience comes at the cost of user privacy. Many users are unaware of the extent to which their data is collected and used, and even fewer take steps to protect their privacy online. Despite the availability of privacy settings and tools like cookie blockers, a significant portion of users remain logged into platforms like Facebook, exposing themselves to continuous data collection.

The legal landscape surrounding data privacy has evolved significantly in recent years, driven by increasing public awareness and regulatory changes. High-profile articles and guidance from bodies like the Office of Civil Rights (OCR) have highlighted the use of tracking technologies by major institutions, including hospitals. This has led to a surge in litigation, with plaintiffs' attorneys leveraging statutes like the Wiretap Act to challenge the use of tracking pixels and other ad tech. These legal actions often hinge on whether the tracking constitutes a form of eavesdropping, akin to wiretapping, and whether the consent of one or both parties involved is required.

The Video Privacy Protection Act (VPPA) is another area where plaintiffs' attorneys have been particularly creative. Originally enacted to protect consumers' video rental histories, the VPPA has been applied to modern web tracking technologies that disclose video watching habits online. This statute imposes significant statutory damages, making it a lucrative target for litigation. The definition of personally identifiable information and whether a website qualifies as a videotape service provider are key issues in these cases. Recent court decisions have provided some clarity, but the risk of substantial settlements remains high for businesses that fail to comply with these regulations.

To mitigate the risks associated with web tracking technologies, businesses must take proactive steps. Conducting thorough assessments of the tracking tools used on their websites and mobile applications is essential. Understanding the business purpose of these technologies, the type of information collected, and where it is disclosed can help identify potential vulnerabilities. Implementing measures to anonymize data and improve privacy disclosures can further protect user information. Additionally, obtaining user consent where possible and evaluating regulatory risks based on industry and location are critical. By taking these steps, businesses can reduce their exposure to litigation and ensure compliance with data privacy laws.

Navigating the landscape of data privacy and cybersecurity litigation requires businesses to be vigilant and proactive in their data protection efforts. Understanding the types of lawsuits, settlement patterns, and legal outcomes, as well as the implications of web tracking tools, is crucial for legal readiness. By adopting robust cybersecurity measures and staying informed about the latest developments in data privacy law, businesses can mitigate litigation risks and protect themselves from potential legal pitfalls. Balancing the benefits of web tracking technologies with the need to safeguard user privacy is essential. Proactive measures and compliance can help businesses leverage technology to enhance user experience while effectively managing privacy challenges.