Duane Morris Class Action Review - 2023 - Report - Page 29
In each of the three lawsuits brought thus far in Pennsylvania, the class consisted of
allegedly more than 5,000 individuals. This new wave of lawsuits alleging wiretap
violations threatens to subject businesses to a substantial amount in penalties, including
fines ranging from $1,000 to $50,000 per violation, depending on the state. If a violation
occurs every time a user accesses a website in one of these states, the amount of
penalties to which a company may be subject can balloon quickly.
C.
More State Legislation Created And Expanded Data Privacy Rights
While Congress has refrained from addressing data privacy through federal legislation,
many states have enacted their own laws, and 2022 saw significant state legislative
activity regarding data privacy with five states preparing for new privacy laws to take
effect in 2023, including California, Colorado, Connecticut, Utah, and Virginia.
On the heels of California’s enactment of the California Consumer Privacy Act (CCPA)
in 2020, California businesses will need to comply with all requirements of the California
Privacy Rights Act (CPRA) effective January 1, 2023. The CPRA expands the current
CCPA private right of action by authorizing consumers to bring lawsuits arising from
data breaches involving additional categories of personal information and is arguably
the strictest data privacy law in the United States, which places California privacy law
closer, in many respects, to Europe’s GDPR. With potential statutory damages ranging
from $100 to $750 per consumer per incident, and breaches often involving hundreds of
thousands or even millions of users, these types of claims will almost certainly lead to a
sharp rise in class action litigation.
Virginia, Colorado, Connecticut, and Utah likewise enacted sweeping data privacy laws
that will roll out in 2023. These laws are all similar in structure, but unlike California’s
statute, which allows an individual to sue a company for alleged violations, enforcement
will be left to the respective state attorneys general. Each of these laws provides for
expanded consumer rights related to their data, including: (i) Right of access (i.e.,
allows for a consumer to access from a business/data controller the information or
categories of information collected about a consumer); (ii) Right of deletion (i.e., right for
a consumer to request deletion of personal information about the consumer under
certain conditions; (iii) Right to opt-out (i.e., allows for a consumer to opt out of the sale
of personal information about the consumer to third parties); (iv) Right of portability
(allows for a consumer to request personal information about the consumer be
disclosed in a common file format); and (v) Notice and transparency requirements (i.e.,
an obligation placed on a business to provide notice to consumers about certain data
practices, privacy operations, and/or privacy programs).
The approach each state attorney general takes regarding enforcement of these new
laws will provide lessons for other states looking to regulate consumer privacy in the
absence of a federal standard and almost certainly will be closely monitored by the
plaintiffs’ bar, as it attempts to draw from favorable rulings and to anticipate which state
will enact the next plaintiff-friendly data privacy laws.
28
© Duane Morris LLP 2023
Duane Morris Class Action Review – 2023