Federal Privacy Bill Poses Enforcement Questions for Litigators

April 9, 2024, 9:01 AM UTC

New landmark federal privacy legislation years in the making would set the stage for a new era of privacy litigation in courts across the country.

If enacted, the American Privacy Rights Act, unveiled April 7, would be the first comprehensive federal privacy law and usher in new privacy rights, including the ability to directly sue companies for alleged violations.

“It’s stronger than anything we’re seeing on the state level right now, maybe with the exception of California’s private right of action under data breaches,” said Austin Mooney, a partner at McDermott Will & Emery.

The bill, which would also preempt comprehensive privacy laws enacted by states, could shake up enforcement dynamics, which under a patchwork of state laws have largely fallen to state attorneys general.

The proposal, a 140-page discussion draft, has yet to be formally introduced in either chamber of Congress. It was negotiated by House Energy and Commerce Chair Cathy McMorris Rodgers (R-Wash.) and Senate Commerce Chair Maria Cantwell (D-Wash.).

Private Right of Action

The bill would allow courts to rectify violations by ordering relief that includes data deletion, actual damages, and attorneys’ fees.

Unlike a 2022 privacy bill approved by the House Energy and Commerce Committee, plaintiffs wouldn’t have to give the Federal Trade Commission or a state attorney general an opportunity to bring a case before filing a private suit. The proposal also omits language from that bill that would have delayed the private right of action for two years after enactment.

The draft bill would also render pre-dispute arbitration agreements unenforceable for claims involving minors or alleging “substantial privacy harms,” defined as those involving financial harms of at least $10,000, mental or physical injury, or discrimination based on protected classes.

“By making this a numerical threshold the law basically gives a roadmap to file claims that avoid arbitration,” said Mooney. “If this were passed as drafted, this would result in a significant increase in litigation.”

Such guardrails would make the popular legal tactic moot in many cases, says Brian Hengesbaugh, partner at Baker & McKenzie LLP.

“Virtually any sort of privacy issue that you have is probably going to sweep up anyone under 18 and I can’t imagine a plaintiffs’ attorney that wouldn’t allege their claim would involve substantial privacy harm,” he said. “I think the net effect is if this goes through there will be a lot less privacy arbitration.”

Under APRA, companies would have 30 days to cure a harm before a plaintiff could turn to a court. That cure period wouldn’t apply to substantial privacy harms.

The broadened scope of a substantial privacy law would generate more lawsuits than the 2022 bill, titled the American Data Privacy and Protection Act, said Maneesha Mithal, partner at Wilson Sonsini Goodrich & Rosati.

“Companies know that the plaintiffs’ bar is very active,” she said. “And when the plaintiffs’ bar gets new tools to bring private rights of action, they will use those tools.”

Trade groups have also expressed concerns about the costs they could face under the proposal.

“On the plus side, the APRA would preempt state laws to set a national standard,” Information Technology and Innovation Foundation’s senior policy manager Ashley Johnson wrote in a press release. “But on the minus side, the bill also includes a private right of action that is much broader than previous privacy bills. If passed into law, this would likely be the new bill’s most expensive provision.”

Under APRA, large companies would have to designate a specific employee to serve as a privacy or data security officer. That could also lead to new legal concerns as agencies like the Federal Trade Commission ramp up warnings about personal liability for executives.

“Anytime we’re putting even more obligations on somebody internal to the company and specifying new requirements, there could be grounds for some action,” said Brandon Pugh, director and a resident senior fellow for the R Street Institute’s Cybersecurity and Emerging Threats team.

While the draft bill would preempt comprehensive consumer privacy bills like California’s Consumer Privacy Act, more focused state privacy laws would remain in effect.

The proposal wouldn’t preempt laws regarding unfair and deceptive trade practices, civil rights, employee and student privacy, data breaches, wiretapping, medical privacy, or criminal acts. Civil actions to enforce the bill’s protections for biometric and genetic privacy against actions that occurred in Illinois would retain the standards for relief under that state’s Biometric Information Privacy Act and Genetic Information Privacy Act. Similarly, actions regarding data breaches in California would retain that state’s standard for relief.

“This laundry list of things that are preserved would likely provoke a bunch of litigation questions as to what the scope is,” said Hengesbaugh. “There’s a lot that’s left on the table that preemption is not impacting.”

FTC’s Future

The bill would largely leave the FTC’s privacy enforcement powers intact while introducing greater oversight.

It would also put an end to the FTC’s dueling process exploring a commercial surveillance and data privacy rulemaking in 2022. The legislation would direct the commission to end that rulemaking, though the agency would continue to have authority to provide guidance, enforcement, and rulemaking on other matters. One example is a suggestion in the bill that the FTC issue guidance on data minimization, one of the privacy-protection principles outlined in the draft.

FTC Chair Lina Khan had previously expressed that the agency welcomed federal privacy legislation and didn’t see its 2022 rulemaking as a competing process.

The proposal also would create new oversight mechanisms, including a yearly report to Congress on the agency’s annual plans and proposed rulemaking.

“I don’t think it’s intended to hamper the FTC in any way but it’s creating some additional accountability,” said Mithal, former head of the FTC’s division of privacy and identity protection.

To contact the reporter on this story: Tonya Riley in Washington at triley@bloombergindustry.com

To contact the editors responsible for this story: Adam M. Taylor at ataylor@bloombergindustry.com; Kartikay Mehrotra at kmehrotra@bloombergindustry.com
