The prevalence of online advertising, the rise of websites that collect personal information (like social networking sites), and the enactment of several federal statutes protecting online users have resulted in more and more lawsuits claiming breaches of privacy. Many of these lawsuits have conglomerated into class action suits, which are more likely to be litigated due to their efficiency and potential for greater damages. It is important for websites that collect information to be aware of this trend and to understand the steps they can take to protect themselves.
One of the biggest issues facing websites is simply the threat of a lawsuit. For most website operators, the cost of litigation, combined with the potential hit to their public perception, is enough to convince them to quickly settle claims for breach of privacy. But a website with a history of settlement is a prime target for users and plaintiffs’ attorneys looking for easy money.
The two most important things website operators need to know to protect themselves from lawsuits are (1) that such suits are generally losers for the plaintiffs and (2) that honoring their own Privacy Policy or Terms of Use is generally a very effective defense for websites accused of breaching user privacy.
Firstly, plaintiffs have a tough time succeeding in their breach of privacy claims. For instance, proving actual damages is difficult, particularly when there is no monetary loss claimed. And while most claims arise under federal statutes that provide damages for plaintiffs, many plaintiffs do not have standing under these statutes because much of the private information at issue in many online privacy cases is not protected. Further, threats of class action suits should be met with skepticism due to the practical difficulties of finding similarly situated plaintiffs — many times different potential plaintiffs have varying consent, causation, reliance, and injury claims and are thus unable to bring a suit as a class.
Secondly, most website operators can defeat a breach of privacy claim by proving the plaintiff-user consented to the website’s Terms of Use and/or its Privacy Policy. While every case is different, and these devices are certainly not a shield to all liability, strong Terms of Use agreements and clear Privacy Policies can act as effective deterrents to threatened lawsuits.
The Legal Framework for Online Privacy Class Actions
Online privacy class actions typically arise under a combination of federal statutes and state consumer protection laws. Understanding the primary statutes at issue helps website operators assess their exposure and prioritize their compliance efforts.
The Video Privacy Protection Act (VPPA)
The Video Privacy Protection Act, 18 U.S.C. § 2710, has become one of the most litigated statutes in online privacy class actions. Originally enacted in 1988 to protect video rental records, the VPPA has been applied by plaintiffs to modern video streaming services, news websites that embed videos, and mobile apps that share viewing data with advertising networks. The VPPA prohibits “video tape service providers” from knowingly disclosing “personally identifiable information” about consumers without their written consent. The statute provides statutory damages of $2,500 per violation — a number that, when multiplied across the users of a large platform, creates enormous potential liability.
Recent VPPA cases have targeted websites that use Meta Pixel or similar tracking technologies to share user viewing behavior with Facebook. Courts have divided on whether sharing data through these tracking pixels constitutes disclosure of “personally identifiable information” under the statute. Website operators who embed video content and use advertising tracking pixels should assess their VPPA exposure carefully.
The Electronic Communications Privacy Act (ECPA)
The Electronic Communications Privacy Act, 18 U.S.C. §§ 2510-2523, prohibits the interception of electronic communications without consent. ECPA claims in the class action context often arise from website analytics practices, session replay technologies, and advertising tracking that plaintiffs allege constitute unauthorized interception of their communications with the website. Courts have been divided on the application of ECPA to these technologies, but the potential for statutory damages makes ECPA an attractive hook for plaintiffs’ attorneys even when the substantive legal theory is uncertain.
State Wiretapping and Privacy Statutes
Several states — most notably California and Illinois — have enacted privacy statutes that provide broader protections and higher statutory damages than their federal counterparts. California’s Invasion of Privacy Act (CIPA), Cal. Penal Code §§ 630-638, and Illinois’ Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., have generated an enormous volume of class action litigation. Illinois BIPA in particular has produced some of the largest privacy settlements in history, including a $650 million settlement against Facebook for its face-tagging feature.
Why Class Certification Is Often the Key Battleground
In online privacy class actions, the battle over class certification under Federal Rule of Civil Procedure 23 is often the pivotal moment in the litigation. Plaintiffs seeking class certification must demonstrate that their claims share common questions of law and fact that predominate over individual issues — a requirement that is frequently difficult to satisfy in privacy cases where individual plaintiffs may have different consent histories, different levels of harm, and different interactions with the defendant’s platform.
The Supreme Court’s decision in Spokeo, Inc. v. Robins, 578 U.S. 330 (2016), added another obstacle for privacy class action plaintiffs by requiring courts to carefully examine whether plaintiffs have standing under Article III of the Constitution. A plaintiff must allege a concrete, particularized injury that is not merely speculative — the bare statutory violation of a privacy statute, without more, may not be sufficient to confer standing. The follow-on decision in TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), reaffirmed this principle and has been used to dismiss privacy class actions where plaintiffs failed to allege concrete harm.
Practical Steps to Reduce Your Class Action Exposure
Website operators can take several practical steps to reduce their exposure to privacy class actions:
- Audit your third-party tracking technologies. Understand exactly what data your analytics, advertising, and session replay tools collect and share. The most common triggers for privacy class actions are advertising tracking pixels and session replay scripts that share user data with third parties without adequate disclosure or consent.
- Obtain affirmative consent for sensitive data uses. For data uses that go beyond what a user would reasonably expect — particularly sharing with advertising networks or use of biometric data — obtain explicit, written consent rather than relying on buried privacy policy language.
- Implement a robust arbitration and class action waiver provision. Well-drafted arbitration agreements that include individual arbitration requirements and class action waivers remain one of the most effective tools for reducing class action exposure. Courts have consistently upheld these provisions under the Federal Arbitration Act.
- Honor your privacy policy. This sounds obvious, but many privacy lawsuits arise from a gap between what a company’s privacy policy says and what the company actually does. Ensure your privacy policy accurately describes your data practices and review it whenever those practices change.
Contact Revision Legal for Online Privacy Counsel
Revision Legal advises website operators, app developers, and digital businesses on privacy compliance, terms of service drafting, and defense of privacy claims and class actions. Whether you are proactively building your privacy program or responding to a demand letter, our attorneys have the experience to help. Contact us today to discuss your situation.