Skip to main content
Data & Tech

Americans could soon be able to sue companies for misusing their data

Consumer-interest groups are advocating for a legal term called “private right of action.”
article cover

Francis Scialabba

5 min read

America’s next privacy laws—both federal and at the state level—are being decided over if individuals can sue companies for misusing their data.

It’s because of a legal term called “private right of action” (PRA), a power that allows consumers the ability to take companies to court for violating privacy laws via class-action lawsuits. Without it, enforcement is left to government regulators and attorneys, who are woefully underfunded and under-resourced.

It’s a tool consumer-interest groups consider vital, but Big Business calls costly and litigious, inviting trigger-happy ambulance chasers.

Though privacy laws have gained steam over the last several years—five states have passed privacy laws since 2020, when the California Consumer Privacy Act went into effect—private right of action has become a hill that legislators are willing to die on, with implications for the future of federal privacy law, which nearly all sides agree is long overdue.

  • This year, efforts to pass privacy legislation in Florida and Washington failed, largely because of PRA, according to Compliance Week.
  • Of the states that have passed privacy laws, only California’s includes PRA, applicable only to data hacks or data breaches.
  • In June, bipartisan federal legislators introduced a national privacy bill, called the American Data Privacy and Protection Act, that includes PRA.

Consumer-advocacy groups like Consumer Reports and Electronic Privacy Information Center (EPIC) have appeared before state and federal legislators to voice support for PRA.

“The industry knows that those government regulators have limited resources. They can’t go after every case; they can’t track what every company is doing,” Caitriona Fitzgerald, deputy director at EPIC, told Marketing Brew.

Biz says AGs > consumers

Pro-business groups, including the US Chamber of Commerce, are—predictably—against PRA. The IAB and the ANA both told Marketing Brew that they don’t support it, though Lartease Tiffith, EVP for public policy at the IAB, said he’d be willing to compromise if a federal law was on the table. Tiffith previously worked on public policy at Amazon.

The State Privacy and Security Coalition, an organization with members including Google, Meta, Amazon, Netflix, and Walmart, has been working across the country to water down privacy legislation, Protocol recently reported.

“Our position on enforcement at the state level aligns with a widespread consensus—borne out by laws passed in Virginia, Utah, Colorado, and Connecticut—that state Attorneys General are in the best position to enforce privacy violations,” Andy Kingman, a lawyer representing the SPSC, wrote to Marketing Brew.

In other words: no, thank you. That isn’t surprising, especially since Google and Meta have already agreed to pay millions to settle class-action lawsuits brought about because of a PRA stipulation in Illinois’s Biometric Information Privacy Act, passed in 2008.

If there were a nationwide class-action lawsuit, fines could escalate. “How much would a larger number be across everyone in the United States? It’s not that difficult to start getting near that billion-dollar mark,” Wayne Matus, co-founder, general counsel, and EVP at privacy-compliance company SafeGuard Privacy, told Marketing Brew. “An ad-tech company that’s dealing with 100 million people or more worth of data has every reason to be concerned about what could happen if they violated rights.”

💀 “Poison pill,” “kill switch” 💀

Virginia, which passed its privacy law in March 2021, did so without PRA.

Get marketing news you'll actually want to read

Marketing Brew informs marketing pros of the latest on brand strategy, social media, and ad tech via our weekday newsletter, virtual events, marketing conferences, and digital guides.

“It would have been the kill switch,” State Senator Dave Marsden (D-VA), who introduced the bill, told Marketing Brew. Virginia’s privacy law was modeled after the failed one in Washington, which was partly influenced by Amazon and Microsoft. (Last year, Marsden told Protocol that Amazon “gave us the first cut of a draft”).

Instead, Virginia included what’s called a “right to cure,” where companies are given 30 days to correct any potential wrongdoing consumers have reported.

State Senator Scott Surovell (D-VA), who voted against the bill (though he called PRA a “poison pill,” which is just a touch cooler than a “kill switch”) largely did so because of the lack of inclusion of PRA, joking that if he got into a car accident, he wouldn’t have to wait for the attorney general to defend him.

“I don’t think that I should have to ask another person to sue for a personal harm that is inflicted upon me, about my data. It’s my data; I own it, I’m generating it,” he told Marketing Brew.

State Senator Joe Nguyen (D-WA) worked on the proposed privacy bill that ultimately didn’t pass in his state, but said he himself is agnostic as to what is most effective for consumers. “The holdup has always been on the enforcement. And it’s PRA versus no PRA…It’s almost philosophical,” he said.

Ultimately, how impactful individual state laws are for consumers could be an afterthought if the American Data Privacy and Protection Act, which would preempt most state laws, passes. The bill would let people sue companies, with some caveats (like the fact that PRA wouldn’t be enforceable for four years after taking effect). Then, people who want to sue would have to notify the FTC and their state attorney general and wait 60 days to see if those government agencies will take action.

“I would like to see a removal of some of those hurdles…but I think giving individuals that right to enforce their own rights is just so critical that I hope we can come to a compromise,” said EPIC’s Fitzgerald. Later, she added, “We’re seeing this recognition that you need various forms of enforcement for these privacy harms—no one agency, no state AG is going to be able to take this on by themselves.”

Get marketing news you'll actually want to read

Marketing Brew informs marketing pros of the latest on brand strategy, social media, and ad tech via our weekday newsletter, virtual events, marketing conferences, and digital guides.