When the general counsel of any publicly-traded company is willing to consider private rights of action—i.e. individual lawsuits to enforce statutory privacy rights—as part of a federal privacy law, that’s news. It’s even bigger news when the company is in a data-driven business. So when Jerry Jones, the Chief Ethics and Legal Officer of the data systems and analytics powerhouse LiveRamp, wrote in a July 2020 op-ed that a federal privacy law “must acknowledge that [a] properly crafted private right-to-action is appropriate and necessary,” I characterized it as a “man-bites-dog” story.
But it is a much bigger story when individuals associated with industry groups appear before a congressional committee and do the same. That’s what happened at the September 29 hearing of the Senate Commerce Committee, during which Maureen Ohlhausen and Morgan Reed both opened the door to an industry support for a narrow private right of action that both protects consumers and prevents nuisance lawsuits, especially against small businesses. Ohlhausen, a former Republican-appointed commissioner and acting chair of the Federal Trade Commission (FTC), now co-chairs the 21st Century Privacy Coalition, largely made up of telecommunications companies and associations. Reed is president of ACT | The App Association, which represents mobile app developers, many of which are small businesses. In turn, the privacy advocates on the witness panel—former FTC Consumer Protection Bureau Director David Vladeck and former FTC Chief Technologist Ashkan Soltani—supported the role which private rights of action could play in strong enforcement of a privacy law while recognizing ways such a right could be tailored to address the industry concerns about burdens of litigation raised by Ohlhausen and Reed.
Equally noteworthy is that this discussion was initiated by the ranking Republican member of the committee, Sen. Roger Wicker (R-MS), the main sponsor of the leading Republican bill. In his opening statement, Wicker disclosed that he “proposed incorporating a narrow private of action” in bipartisan negotiations that took place in 2019, and said, “I remain open to the idea”—with a glance toward committee Chair Sen. Maria Cantwell (D-WA), lead sponsor of the main Democratic bill. He used most of his question time to elicit witnesses’ views on the legitimate scope of a private right of action, directly asking “what would you allow [or] not allow.” He was joined in this line of questioning by Senator Jerry Moran (R-KS), who has also advanced a privacy bill.
In response, Ohlhausen expressed support for a private right of action where consumers can recover “actual damages” targeted toward “repeated or egregious” violations. Reed similarly responded that any monetary damages should be limited to “actual damages” and emphasized that certain “guardrails” would be necessary to prevent small businesses from facing burdensome litigation, such as a “period to cure” an individual’s complaint and a requirement to show some specified wrongful state of mind to bring a private lawsuit.
Meanwhile, Vladeck and Soltani endorsed private lawsuits as an enforcement tool, while also entertaining the notion of guardrails to address industry concerns over excessive litigation. Vladeck described how the 1974 Privacy Act contains a private right of action that limits recovery to nominal damages and attorney’s fees in the absence of actual damage, and additionally how the Equal Access to Justice Act imposes a maximum on recoverable attorney’s fees. Soltani drew parallels to the cure period allowed under the California Consumer Privacy Act, while also suggesting that guardrails against frivolous lawsuits should consider the severity of the data breach and harm to individuals, not just the size of companies.
How a private right of action provides a path to passing a privacy law
These discussions of a private right of action in privacy legislation resemble the ideas that I—along with John B. Morris, Jr., Caitlin Chin, and Nicol Turner Lee—explored over a year ago in our Brookings report. In detailed analysis of leading bills and recommendations for bridging these gaps, we suggested that Congress and stakeholders would need to consider some form of private right of action to pass privacy legislation. We recognized that individuals could suffer serious harms from privacy violations—and that private litigation, along with federal and state enforcement, can strengthen a privacy law. Yet, we also proposed a variety of substantive and procedural guardrails to limit the nature and frequency of private litigation. Our proposals were intended to plant the seeds for compromise. Whether or not our proposals played a part, the September 29 hearing makes clear that such ideas are germinating.
Over the past year, various businesses have started to consider the possibility of private rights of action in some form as the price for enacting a baseline federal privacy law that establishes nationwide standards. But, so far, these have been discussed among like-minded players behind virtual closed doors. The overt discussion in the September 29 hearing takes this willingness to entertain a private right of action to a new level and could pave the way for the hard work by all stakeholders—and bargaining—it will take to pass a strong baseline privacy law.
Compared to Senate Commerce hearings in 2019 and 2020, this latest hearing demonstrates significant progress. The exchanges and body language between Sens. Wicker and Cantwell suggested renewed bipartisan talks on legislation might be possible. Cantwell nodded along with much of Wicker’s opening statement, including his statement that they both believe the time has come to pass privacy legislation. In turn, she expressed appreciation for his “reminding me of your willingness to have a larger discussion about the private right of action.” Both senators agreed that the Biden administration should designate a senior point of contact to work with Congress on privacy legislation, and that the U.S. privacy debate has international ramifications.
The hearing sets the stage for a larger discussion. In addition to private rights of action, the other key sticking point on Capitol Hill has been the scope of federal preemption of state law; any larger discussion about litigation must surely include discussion of preemption. A federal law that combines even a limited private right of action with boundaries on data collection, use, and sharing, and robust enforcement would provide significantly stronger protection for individuals than any state privacy law has to date. This combination could unlock negotiations on the preemption issue. “Lots to do here,” as Sen. Cantwell noted.
Even with the seeming impasse on Capitol Hill since December 2019, I have sustained optimism about the enactment of federal privacy legislation. At times, this has seemed a matter of faith and not reason. But last week’s hearing provides some objective basis for believing bipartisan passage may be possible in this Congress. Stakeholders appear ready to bargain, and leadership from Congress or the Biden administration can bring them to the table.
AT&T, Comcast, CTIA, NCTA – The Internet and Television Association, T-Mobile USA, US Telecom — The Broadband Association, and Verizon are members of the 21st Century Privacy Coalition and general, unrestricted donors to the Brookings Institution. The findings, interpretations, and conclusions posted in this piece are solely those of the author and not influenced by any donation.
The author would like to thank Caitlin Chin for her research assistance.