Lawyers Warn of a Wave of Lawsuits Filed by Consumers Accusing Businesses of All Sizes of Violating Their Privacy
International law firm Gunderson Dettmer has reported a “substantial increase” in clients receiving legal threats due to how their websites use common website technologies. As consumers become aware of the widespread use of tracking technologies online, they’re bringing lawsuits against companies they accuse of violating their privacy. Specifically, consumers are accusing businesses of violating privacy laws by using common marketing and analytics tools without consent.
And, they might be right.
New DataGrail research found that around 75% of websites do not honor a person’s right to opt out, leaving companies in a state of non-compliance with some state privacy laws. Interestingly, many of the cases cite laws that passed long before cookies, pixels, or adtech, such as:
- Video Privacy Protection Act (VPPA): This federal law was passed in 1988 to protect data about people’s movie and video game purchases. It’s now being cited in scores of cases about the tracking of people who have watched online videos.
- California Invasion of Privacy Act (CIPA): One of many US “wiretapping” laws, CIPA requires the consent of both parties before recording a phone call. Plaintiffs argue that CIPA applies when tracking technologies “intercept their communications” with a website.
- Other legal arguments based on consumer protection laws, state constitutions, and torts such as “intrusion upon seclusion” are also often cited in privacy cases.
These laws allow consumers to sue businesses, sometimes for several thousand dollars per consumer, per violation—which can add up to several million dollars for a business. The problem arises when businesses use tracking tools without obtaining consent. Lawyers sometimes use quite imaginative legal interpretations to apply these old rules to modern situations, for example:
- Meta Pixel: Plaintiffs have argued that this common marketing tool is used for “wiretapping” by sending data about their communications to Facebook and Instagram without consent.
- Software Development Kits (SDKs): Some lawyers say that the third-party SDKs installed in millions of apps act as illegal “pen registers”—devices that record which numbers a phone has called.
- Session replay technology: Some companies have been accused of invading people’s privacy by using session replay software to monitor how users behave on their websites without consent.
Most of these allegations could be avoided by only activating these tools with people’s consent or by taking other steps to respect people’s online choices.
Do any of these cases win?
Whether or not such cases succeed, they can cause huge, expensive headaches for the defendants. Many companies settle to manage their brand reputation and keep their name out of the headlines. Others are working furiously to ensure they follow the law to a T.
A recent lawsuit alleged that the Boston Globe had violated the VPPA by nonconsensually sharing information about people who viewed videos on its website with Facebook via the Meta Pixel. After fighting the case for over a year, the Boston Globe agreed to settle for $5 million last May.
Since then, tracking cases have continued to come in.
A VPPA lawsuit against the media company Block Communications advanced to court earlier this month. This week, attorneys announced that they are looking into “mass arbitration” claims against Minecraft, the Daily Caller, and workout app Plove, among others.
What about claims under new state privacy laws?
Around one-third of states have recently passed stronger privacy legislation giving people the right to opt out of certain tracking activities.
Some of these laws also require businesses to recognize automatic opt-outs via the Global Privacy Control (GPC) signal. Some even require websites to get opt-in consent in certain circumstances.
Enforcement action under these state privacy laws is just beginning. In February, DoorDash settled with the California Attorney General for allegedly selling people’s personal data in violation of the CCPA. Retailer Sephora settled under the CCPA in 2021, partly because it failed to recognize GPC signals.
Unlike the older laws explored above, many of these new state privacy laws are enforced by state authorities and don’t include a “private right of action” allowing consumers to bring court cases. But there are exceptions.
- California’s CCPA has a limited private right of action and has reportedly led to over 360 legal claims.
- Washington’s My Health My Data Act (MHMDA) starts to take effect on Sunday, and lawyers warned this week that the law’s broad drafting and strict requirements could lead to a “flood of cases.”
- Other states are considering draft privacy laws with private rights of action, with Vermont’s House of Representatives approving such a bill last week.
A wave of new state privacy laws is likely to further increase the number of tracking-related lawsuits and enforcement actions.
Recommended action items
Take an increasingly privacy-conscious public and extremely active privacy litigators and add stricter state privacy rules into the mix. It’s clearly time to start taking online privacy seriously. But as noted above, DataGrail’s research shows that many companies are not ready for this new landscape.
Consider the following actions to help avoid privacy litigation:
- Assess your website: Conduct an audit of your company’s online properties to determine how you’re using tools such as pixels, cookies, and session replay tech.
- Implement a consent mechanism: Configure your website to request consent for marketing and analytics, depending on your risk appetite and the laws that apply to your business.
- Process Global Privacy Control (GPC) signals and other “universal opt-out mechanisms”: Increasingly, state laws require businesses to treat these signals as valid requests to opt out of targeted advertising.
- Review your privacy notice: A lack of transparency can make legal issues much worse. Make sure you’re being honest with your users about what data you collect and what you do with it.
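One way to combine the consent and GPC items above is sketched here as an added example; it is not code from DataGrail or from any of the tools named in this article. The tag names and categories are constructed, and the rule that a GPC signal overrides stored advertising consent is an assumption of this example.

```javascript
// Added example: tag names and categories below are constructed.
const TAGS = [
  { name: "meta-pixel", category: "advertising" },
  { name: "session-replay", category: "analytics" },
  { name: "web-analytics", category: "analytics" },
  { name: "checkout-widget", category: "essential" },
];

// GPC arrives as the `Sec-GPC: 1` request header (server side) or as
// navigator.globalPrivacyControl === true (browser side).
function gpcEnabled({ secGpcHeader, navigatorGpc } = {}) {
  return String(secGpcHeader ?? "").trim() === "1" || navigatorGpc === true;
}

// consent maps category -> true/false; a missing key means the visitor
// has not answered yet and is treated as "no" (nothing fires by default).
// Assumption: a GPC signal overrides stored advertising consent.
function decideTags(tags, consent = {}, signals = {}) {
  const gpc = gpcEnabled(signals);
  return tags.map(({ name, category }) => {
    if (category === "essential") return { name, load: true, reason: "essential" };
    if (category === "advertising" && gpc) return { name, load: false, reason: "gpc-opt-out" };
    if (consent[category] === true) return { name, load: true, reason: "consent" };
    return { name, load: false, reason: "no-consent" };
  });
}

// Names of the tags that may be injected for this visitor.
function tagsToLoad(tags, consent, signals) {
  return decideTags(tags, consent, signals).filter((d) => d.load).map((d) => d.name);
}

// Constructed visitor: accepted everything in the banner, browser sends GPC.
console.log(decideTags(TAGS, { advertising: true, analytics: true }, { secGpcHeader: "1" }));
```

Storing the per-tag `reason` alongside each page view gives the website audit a record of why each tool did or did not fire.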