Congress is currently at work on a federal privacy bill that will hopefully strengthen consumer privacy while correcting some of the problems with state privacy laws like the California Consumer Privacy Act. While this is a good sign for the startup community, some policymakers are pushing for a provision in the draft federal privacy bill that could open the floodgates to expensive, bad-faith lawsuits against startups.
According to Sen. John Thune (R-S.D.), some members of a Senate group working on privacy legislation are trying to include a “private right of action,” which would allow individual consumers to sue companies for violating the law, rather than vesting exclusive enforcement authority in an expert agency. While the U.S. needs a set of comprehensive privacy rules at the federal level to help consumers control how their data is collected, used, and shared, a private right of action will incentivize bad actors to exploit the high cost of privacy litigation by filing meritless claims in order to force small companies to pay settlements to avoid going broke defending themselves in court.
For startups on bootstrap budgets, the math is simple: if you can’t afford potentially millions of dollars in legal fees to fully litigate a case, you’re better off paying the plaintiff to go away, even if you would otherwise win the case. Because a startup defendant will have to pay its own legal costs even if it fully defeats the plaintiff’s claims, protracted litigation is a lose-lose prospect.
We already see this type of rent-seeking litigation — aka “trolling” — in other areas of the law, particularly where litigation costs are high and the potential damages are significant. Patent litigation imposes significant time and monetary obligations on defendants, so patent trolls — bad actors that make a living buying and enforcing weak patents to force nuisance-value settlements — have made a cottage industry out of suing startups. Similarly, because plaintiffs can obtain up to $150,000 in damages for a single copyright infringement regardless of the actual harm, copyright trolling has become an increasing problem for startups and Internet users.
Privacy litigation will combine the high costs of patent lawsuits and the massive potential damages of copyright law with an ambiguous liability standard that will put companies that think they’re doing the right thing on the hook for huge damages awards. In short, a private right of action in a federal privacy law is a troll’s dream.
High Defense Costs
Private lawsuits for violations of a federal privacy law are likely to be long and expensive. Even when a case can be disposed of in the early stages of litigation, it can cost a defendant tens of thousands of dollars — far beyond what small companies can afford. A case that goes to trial can easily cost millions in legal fees. With such high defense costs, bad actors can bring even meritless lawsuits knowing that defendants will be better off accepting extortive settlements than fighting back. Without a way to dismiss such claims early or to penalize plaintiffs that bring weak claims, private privacy litigation is likely to be costly for defendants and lucrative for plaintiffs.
Those high defense costs will be especially daunting in cases involving data breaches, an area of technology where threats and best practices are constantly evolving. Whether or not a company that suffered a data breach implemented “reasonable” security measures (as the California law requires) is a fact-intensive inquiry that can’t be determined early on in the case. Instead, the company will have to incur potentially ruinous legal fees conducting extensive discovery (that is likely to fall disproportionately on defendants), going bankrupt in the process of clearing its name.
High Potential Damages
Most harms relating to privacy violations are non-monetary and unable to be rectified through an injunction. If, for example, an ovulation tracking app inadvertently discloses user information, its users have clearly been injured but likely not in any economic way, and there’s no way to undo the loss of privacy arising from such a disclosure. It makes sense then that legislators are considering allowing individuals to sue for statutory damages — an amount of money set by the law, unrelated to any actual monetary harm suffered. Adding high statutory damages to the already high cost of defending a private privacy action will make iit even more difficult for a startup to defend itself from spurious litigation. That’s a recipe for troll lawsuits.
A federal privacy law that provides clear, strong rules barring harmful practices is critically important to protecting consumers and restoring confidence in the Internet economy. Such a law is only useful if it is meaningfully and consistently enforced. Giving an enforcement agency like the Federal Trade Commission the tools and enforcement resources it needs will give adequate teeth to a federal privacy law without giving litigation trolls a new set of laws to exploit.