Wave of Privacy Suits Peters Out

The phrase 'privacy class action' was first used 15 years ago to describe a new class of suits aimed at dot-com companies. There have been plenty of ambitious predictions since. But though the legal theories have evolved, there have been few big pay days and some signs that mainstream plaintiffs firms are losing interest.

After three boom years, privacy litigation filed in the Northern District of California against Silicon Valley giants Apple Inc., Facebook Inc. and Google Inc. fell off dramatically in 2013, according to a review of cases invoking the statutes most frequently used in privacy cases completed by our San Francisco-based ALM sibling, The Recorder. The search turned up just a single privacy suit against Apple, Facebook or Google filed in 2015.

New Approach

Still, it may be early to write a privacy post-mortem. Just last month, U.S. District Judge Lucy Koh gave plaintiffs hope when she certified a class in a case against Yahoo Inc. over its scanning of e-mail messages. And the next wave of litigation, according to lawyers in the trenches, is likely to focus more on mass data breaches than the monetization of consumer data, posing a new set of legal issues.

Meanwhile, plaintiffs lawyers are tinkering with new approaches, such as bringing privacy claims for customers who purchased a service or device and say that they wouldn't have spent the money if they'd been advised of how their personal information would be tracked. Some are hunting for state laws that may give them more traction.

Plaintiffs lawyers in the Yahoo suit took a lesson from past failures to get their case past the procedural hurdle of class certification. Rather than seeking monetary damages, they're asking for an injunction, which lowers the bar for a class action but can also mean lower attorney fees.

'It's interesting how the tactics have changed,' says San Mateo, CA, solo practitioner Ara Jabagchourian, who filed the first e-mail scanning complaint against Yahoo in 2013 while a partner at Cotchett, Pitre & McCarthy.

And then there's Spokeo, a decision from the U.S. Court of Appeals for the Ninth Circuit that has been popular with the plaintiffs bar because it suggests that damages written into statute may be available for privacy breaches even absent concrete injury. (The Ninth Circuit opinion can be found at http://1.usa.gov/1J5wvmf.)

The Supreme Court granted certiorari April 27 and is likely to hear the case next fall. Since statutory damages of $5,000 or $10,000 per violation can add up to hundreds of millions in privacy class actions, lawyers see a lot riding on the outcome.

EBay Inc., Facebook, Google and Yahoo united in urging the court to overturn the decision. The Obama administration opposed the grant of certiorari, saying the Ninth Circuit's holding was correct (see, http://bit.ly/1BAT9Tz).

Greenberg Traurig partner Ian Ballon, a California litigator who specializes in the defense of privacy, data breach and other class actions, predicts the justices will side with the defense. Then, Ballon says, 'a lot of the current wave of privacy class actions will evaporate.'

Still, defense firms that invested in privacy practices believe they have done so wisely, given the growing interest in privacy from Congress, state legislatures and regulators, and the rise in data breach incidents, which are fueling their own strain of litigation.

'Spokeo may have an impact on certain class actions,' says Keith Eggleton of Wilson Sonsini Goodrich & Rosati, who has represented companies including Netflix in privacy cases, 'but it won't fundamentally change the importance of privacy as a practice.'

No Pot of Gold

When plaintiffs firms first started pressing privacy claims in class actions in the early 2000s, it was traditional powerhouse firms such as Bernstein Litowitz Berger & Grossmann and now-defunct Milberg Weiss Bershad Hynes & Lerach that were testing the waters. But since the practice has failed to yield the hefty damages awards more common in securities and mass torts litigation ' and the attorney fees that come with them ' the practice has largely fallen into the purview of specialty shops such as Chicago's Edelson PC and New York-based KamberLaw.

With the exception of Lieff Cabraser Heimann & Bernstein, few big plaintiffs shops have planted a flag in the area of privacy, and some lawyers in smaller shops say privately that the cases have yet to generate much income for their firms.

So far, plaintiffs have won only a few eight-digit settlements, let alone the nine- and 10-digit blockbusters hinted at in their complaints.

In August 2013, U.S. District Judge Richard Seeborg of the Northern District of California approved a $20 million deal that Facebook Inc. reached with users whose images appeared without consent in its sponsored stories. Plaintiffs counsel, who asked for $7.5 million in fees, were awarded about $4.7 million, which was less than the team said it would have collected billing at hourly rates.

In January 2014, comScore Inc. agreed to pay $14 million to Internet users who claimed the analytics company installed data tracking software on their computers without consent. Plaintiffs counsel at Edelson were awarded $4.7 million.

On the data breach front, Sony Computer Entertainment America LLC agreed last June to give $14.5 million in games, online currency and identity theft reimbursement as a result of a massive hack of credit and debit card information from its PlayStation Network.

'There's never going to come to a day where you're going to see a privacy case worth as much as a mass tort case or a large antitrust case,' says Edelson name partner Jay Edelson, who was the subject of a New York Times profile in April. See, 'Jay Edelson, the Class-Action Lawyer Who May Be Tech's Least Friended Man.”

Still, Edelson, who says high-profile data breaches and the Edward Snowden leaks have 'had a profound effect on the judiciary,' predicts a future where settlements routinely top $50 million.

The staggering statutory damages at stake in some privacy cases has actually worked against plaintiffs, he says. 'Judges were looking for ways to dismiss them because no one wants Facebook to go bankrupt because of a privacy violation.'

David Vladeck, a professor at Georgetown University Law Center and the former director of the Federal Trade Commission's Bureau of Consumer Protection, says that the current privacy landscape reminds him of the early days of tobacco and asbestos litigation, when plaintiffs struggled to establish harm and proximate cause. It was only through the discovery gained through early litigation failures, he says, that plaintiffs began to show the value of their claims. Vladeck says that he doesn't know if the cases 'will turn 180 degrees,' but he thinks there's a potential for the cases to gain value as the evidence accumulates.

Vladeck says one reason for the tepid settlement environment is that the courts so far haven't done a very good job in thinking through the kinds of harm that privacy invasions involve: 'In fairness to the courts and in fairness to the lawyers, these are fairly new problems.'

Stale Laws?

If the problems are cutting-edge, plaintiffs lawyers have had to rely on laws passed decades ago ' before cellular phones were briefcase-sized luxury items, let alone the ubiquitous data-rich handheld computers they are today.

In an amici curiae brief filed in Spokeo, EBay Inc., Facebook, Google and Yahoo pointed to a number of stale laws commonly dusted off for use in privacy cases: the Electronic Communications Privacy Act (ECPA), 18 U.S.C. '2510-22, and the Stored Communications Act of 1986 (SCA), 18 U.S.C. '2701 et seq., both passed in 1986, and the Video Privacy Protection Act of 1988 (VPPA).

Applying those statutes to technologies that hadn't been contemplated at the time they were enacted would have 'untoward consequences,' wrote the companies' legal team at Wilmer Cutler Pickering Hale and Dorr.

Jillisa Bronfman, who heads the privacy and technology clinic at UC-Hastings College of the Law, says the tech companies have a point that the laws, many of which contain hefty per-violation penalties, were not written with modern mass technologies in mind. 'If we do want to rely on a statutory damages scheme, we probably need to update those statutes,' she says.

But plaintiffs lawyer Scott Kamber of KamberLaw, who has handled privacy class actions against Facebook and Hulu among others, says complaining that laws are outdated is a bogus defense. Old laws continue to govern nearly every facet of modern society, he says.

Kamber has particular conviction with respect to the VPPA, a law that he used to target Hulu in a case knocked out on summary judgment by U.S. Magistrate Judge Laurel Beeler in late March.

No one has successfully argued that VPPA, enacted after a newspaper printed the video rental history of U.S. Supreme Court nominee Robert Bork, doesn't apply to online video streaming services, Kamber says. Netflix and Facebook lobbied Congress for a 2013 amendment to the law about online disclosures. 'No one at any congressional hearing said, 'Wait a minute. This law doesn't apply to streaming services,” Kamber says.

The Harm Problem

Spokeo, which will likely be heard by the Supreme Court next fall, touches on one of the fundamental hurdles faced by privacy class actions ' difficulty demonstrating harm.

A Ninth Circuit panel found that an unemployed man had standing in federal court under the Fair Credit Reporting Act to sue the company, which offers information about individuals' contact information, marital status, age, job and wealth to users for a fee. The plaintiff alleged that his employment prospects had been harmed because he'd incorrectly been listed as wealthy and holding a graduate degree on Spokeo's website. Spokeo's petition for review, filed by lawyers at Mayer Brown, questioned whether Congress could confer standing upon a plaintiff who suffers no concrete harm just by virtue of the violation of a federal statute.

The fact that the court is just now dealing with such a foundational issue shows how novel issues of privacy on the Internet are, says UC-Hastings' Bronfman, who previously worked as an assistant general counsel at Verizon Communications Inc. 'People are certainly curious about what the court will say about standing.'

Whether or not technology companies get the outcome they want, Bronfman says, they will at least get some welcome clarity. '[Corporations] like things to be in their favor, but more than that, they have some value in absolute certainty,' she says.

While the case has been read by lawyers such as Cooley's Rhodes as ripe for reversal by the Supreme Court, some caution that it could be decided in a narrow way that punts on the standing issue that Silicon Valley finds so vital, or that it could be decided in a way that actually helps plaintiffs.

The Supreme Court has reviewed the Fair Credit Reporting Act (FRCA), 15 U.S.C. '1681 et seq. (1970), multiple times since it was passed in 1970, noted Georgetown's Vladeck. The harm that comes from incorrect revelations such as the ones at issue in the case are baked into the law, not something that must be separately proven, he says.

The Ninth Circuit's unanimous ruling was authored by Diarmuid O'Scannlain, one of the court's more conservative judges. Moreover, the Supreme Court might be disinclined to rule in a way that plaintiffs lawyers predict would result in more privacy actions being filed in state court.

'This court has at least four self-identified conservative jurists,' says Kamber, the New York plaintiffs lawyer. 'I'd be surprised if those jurists would abdicate the express intentions of Congress' in passing the Class Action Fairness Act of 2005, which allowed defendants to remove state court class actions with more than $5 million at stake to federal court.

Even Cooley's Rhodes has come to a more cautious view of Spokeo. Rhodes says he could see some of the conservative justices on the Court applying a separation of powers analysis to the case. Congress did, after all, pass the FCRA with a private right to sue and statutory damages embedded within it. 'It's a conservative principle to defer to the legislature,' Rhodes says.

Plaintiffs lawyers have already been altering their approach to plead privacy lawsuits with an eye toward the issues raised in Spokeo, says Munger, Tolles & Olson's Rosemarie Ring. Rather than focusing on statutory damages in recent suits, Ring says, 'plaintiffs lawyers have started focusing on theories of harm where they are seeing companies make money off user data and saying 'Hey, we should get some of that money.” She adds: 'I don't think that constitutes harm.' Fenwick & West's Tyler Newby says that he's seen plaintiffs lawyers looking for cases that involve the purchase of a service or a device where damages and harm are easier to quantify, and plaintiffs can also pursue false advertising and unfair competition claims.

Regardless of the Court's ruling in Spokeo, Rhodes concedes his colleagues in the plaintiffs bar ' the ones he predicted would be out of work in a year ' probably won't altogether abandon privacy litigation. Rhodes points to the limited impact of the 1995 Private Securities Litigation Reform Act, PL 104'67, which was meant to curb the flow of frivolous securities lawsuits. 'There have been more securities cases filed after that act than before it,' Rhodes says.

Rhodes says he expects the evolving nature of technology and the shifting tactics of the plaintiffs bar to create plenty of privacy work to keep him and the rest of the defense bar busy.

'Data is data, and people are going to continue to extract new uses out of it,' Rhodes says. 'Some segment of the population is going to be tweaked by that.'

Ross Todd is a Senior Reporter with The Recorder, the San-Francisco-based ALM sibling of e-Commerce Law & Strategy. He can be reached at [email protected].

Michael Rhodes, the charismatic chair of Cooley's privacy and data protection practice, took the stage at an awards dinner in late April with an extra bounce in his step ' and a blunt prediction for his colleagues in the plaintiffs privacy bar.

'I suspect a lot of people, perhaps on the plaintiffs side, will be out of work within the year,' he said.

Rhodes was referring mainly to the U.S. Supreme Court's decision earlier that same day to grant review in Spokeo v. Robins, No. 13-1339, a case that has the potential to radically reshape privacy litigation. But his remarks also reflected growing confidence among defense lawyers that they have a grip on the legal threat posed by suits that seek to hold companies accountable for improperly collecting, selling off, rifling through or failing to protect customers' data.

The phrase 'privacy class action' was first used 15 years ago to describe a new class of suits aimed at dot-com companies. There have been plenty of ambitious predictions since. But though the legal theories have evolved, there have been few big pay days and some signs that mainstream plaintiffs firms are losing interest.

After three boom years, privacy litigation filed in the Northern District of California against Silicon Valley giants Apple Inc., Facebook Inc. and Google Inc. fell off dramatically in 2013, according to a review of cases invoking the statutes most frequently used in privacy cases completed by our San Francisco-based ALM sibling, The Recorder. The search turned up just a single privacy suit against Apple, Facebook or Google filed in 2015.

New Approach

Still, it may be early to write a privacy post-mortem. Just last month, U.S. District Judge Lucy Koh gave plaintiffs hope when she certified a class in a case against Yahoo Inc. over its scanning of e-mail messages. And the next wave of litigation, according to lawyers in the trenches, is likely to focus more on mass data breaches than the monetization of consumer data, posing a new set of legal issues.

Meanwhile, plaintiffs lawyers are tinkering with new approaches, such as bringing privacy claims for customers who purchased a service or device and say that they wouldn't have spent the money if they'd been advised of how their personal information would be tracked. Some are hunting for state laws that may give them more traction.

Plaintiffs lawyers in the Yahoo suit took a lesson from past failures to get their case past the procedural hurdle of class certification. Rather than seeking monetary damages, they're asking for an injunction, which lowers the bar for a class action but can also mean lower attorney fees.

'It's interesting how the tactics have changed,' says San Mateo, CA, solo practitioner Ara Jabagchourian, who filed the first e-mail scanning complaint against Yahoo in 2013 while a partner at Cotchett, Pitre & McCarthy.

And then there's Spokeo, a decision from the U.S. Court of Appeals for the Ninth Circuit that has been popular with the plaintiffs bar because it suggests that damages written into statute may be available for privacy breaches even absent concrete injury. (The Ninth Circuit opinion can be found at http://1.usa.gov/1J5wvmf.)

The Supreme Court granted certiorari April 27 and is likely to hear the case next fall. Since statutory damages of $5,000 or $10,000 per violation can add up to hundreds of millions in privacy class actions, lawyers see a lot riding on the outcome.

EBay Inc., Facebook, Google and Yahoo united in urging the court to overturn the decision. The Obama administration opposed the grant of certiorari, saying the Ninth Circuit's holding was correct (see, http://bit.ly/1BAT9Tz).

Greenberg Traurig partner Ian Ballon, a California litigator who specializes in the defense of privacy, data breach and other class actions, predicts the justices will side with the defense. Then, Ballon says, 'a lot of the current wave of privacy class actions will evaporate.'

Still, defense firms that invested in privacy practices believe they have done so wisely, given the growing interest in privacy from Congress, state legislatures and regulators, and the rise in data breach incidents, which are fueling their own strain of litigation.

'Spokeo may have an impact on certain class actions,' says Keith Eggleton of Wilson Sonsini Goodrich & Rosati, who has represented companies including Netflix in privacy cases, 'but it won't fundamentally change the importance of privacy as a practice.'

No Pot of Gold

When plaintiffs firms first started pressing privacy claims in class actions in the early 2000s, it was traditional powerhouse firms such as Bernstein Litowitz Berger & Grossmann and now-defunct Milberg Weiss Bershad Hynes & Lerach that were testing the waters. But since the practice has failed to yield the hefty damages awards more common in securities and mass torts litigation ' and the attorney fees that come with them ' the practice has largely fallen into the purview of specialty shops such as Chicago's Edelson PC and New York-based KamberLaw.

With the exception of Lieff Cabraser Heimann & Bernstein, few big plaintiffs shops have planted a flag in the area of privacy, and some lawyers in smaller shops say privately that the cases have yet to generate much income for their firms.

So far, plaintiffs have won only a few eight-digit settlements, let alone the nine- and 10-digit blockbusters hinted at in their complaints.

In August 2013, U.S. District Judge Richard Seeborg of the Northern District of California approved a $20 million deal that Facebook Inc. reached with users whose images appeared without consent in its sponsored stories. Plaintiffs counsel, who asked for $7.5 million in fees, were awarded about $4.7 million, which was less than the team said it would have collected billing at hourly rates.

In January 2014, comScore Inc. agreed to pay $14 million to Internet users who claimed the analytics company installed data tracking software on their computers without consent. Plaintiffs counsel at Edelson were awarded $4.7 million.

On the data breach front, Sony Computer Entertainment America LLC agreed last June to give $14.5 million in games, online currency and identity theft reimbursement as a result of a massive hack of credit and debit card information from its PlayStation Network.

'There's never going to come to a day where you're going to see a privacy case worth as much as a mass tort case or a large antitrust case,' says Edelson name partner Jay Edelson, who was the subject of a New York Times profile in April. See, 'Jay Edelson, the Class-Action Lawyer Who May Be Tech's Least Friended Man.”

Still, Edelson, who says high-profile data breaches and the Edward Snowden leaks have 'had a profound effect on the judiciary,' predicts a future where settlements routinely top $50 million.

The staggering statutory damages at stake in some privacy cases has actually worked against plaintiffs, he says. 'Judges were looking for ways to dismiss them because no one wants Facebook to go bankrupt because of a privacy violation.'

David Vladeck, a professor at Georgetown University Law Center and the former director of the Federal Trade Commission's Bureau of Consumer Protection, says that the current privacy landscape reminds him of the early days of tobacco and asbestos litigation, when plaintiffs struggled to establish harm and proximate cause. It was only through the discovery gained through early litigation failures, he says, that plaintiffs began to show the value of their claims. Vladeck says that he doesn't know if the cases 'will turn 180 degrees,' but he thinks there's a potential for the cases to gain value as the evidence accumulates.

Vladeck says one reason for the tepid settlement environment is that the courts so far haven't done a very good job in thinking through the kinds of harm that privacy invasions involve: 'In fairness to the courts and in fairness to the lawyers, these are fairly new problems.'

Stale Laws?

If the problems are cutting-edge, plaintiffs lawyers have had to rely on laws passed decades ago ' before cellular phones were briefcase-sized luxury items, let alone the ubiquitous data-rich handheld computers they are today.

In an amici curiae brief filed in Spokeo, EBay Inc., Facebook, Google and Yahoo pointed to a number of stale laws commonly dusted off for use in privacy cases: the Electronic Communications Privacy Act (ECPA), 18 U.S.C. '2510-22, and the Stored Communications Act of 1986 (SCA), 18 U.S.C. '2701 et seq., both passed in 1986, and the Video Privacy Protection Act of 1988 (VPPA).

Applying those statutes to technologies that hadn't been contemplated at the time they were enacted would have 'untoward consequences,' wrote the companies' legal team at Wilmer Cutler Pickering Hale and Dorr.

Jillisa Bronfman, who heads the privacy and technology clinic at UC-Hastings College of the Law, says the tech companies have a point that the laws, many of which contain hefty per-violation penalties, were not written with modern mass technologies in mind. 'If we do want to rely on a statutory damages scheme, we probably need to update those statutes,' she says.

But plaintiffs lawyer Scott Kamber of KamberLaw, who has handled privacy class actions against Facebook and Hulu among others, says complaining that laws are outdated is a bogus defense. Old laws continue to govern nearly every facet of modern society, he says.

Kamber has particular conviction with respect to the VPPA, a law that he used to target Hulu in a case knocked out on summary judgment by U.S. Magistrate Judge Laurel Beeler in late March.

No one has successfully argued that VPPA, enacted after a newspaper printed the video rental history of U.S. Supreme Court nominee Robert Bork, doesn't apply to online video streaming services, Kamber says. Netflix and Facebook lobbied Congress for a 2013 amendment to the law about online disclosures. 'No one at any congressional hearing said, 'Wait a minute. This law doesn't apply to streaming services,” Kamber says.

The Harm Problem

Spokeo, which will likely be heard by the Supreme Court next fall, touches on one of the fundamental hurdles faced by privacy class actions ' difficulty demonstrating harm.

A Ninth Circuit panel found that an unemployed man had standing in federal court under the Fair Credit Reporting Act to sue the company, which offers information about individuals' contact information, marital status, age, job and wealth to users for a fee. The plaintiff alleged that his employment prospects had been harmed because he'd incorrectly been listed as wealthy and holding a graduate degree on Spokeo's website. Spokeo's petition for review, filed by lawyers at Mayer Brown, questioned whether Congress could confer standing upon a plaintiff who suffers no concrete harm just by virtue of the violation of a federal statute.

The fact that the court is just now dealing with such a foundational issue shows how novel issues of privacy on the Internet are, says UC-Hastings' Bronfman, who previously worked as an assistant general counsel at Verizon Communications Inc. 'People are certainly curious about what the court will say about standing.'

Whether or not technology companies get the outcome they want, Bronfman says, they will at least get some welcome clarity. '[Corporations] like things to be in their favor, but more than that, they have some value in absolute certainty,' she says.

While the case has been read by lawyers such as Cooley's Rhodes as ripe for reversal by the Supreme Court, some caution that it could be decided in a narrow way that punts on the standing issue that Silicon Valley finds so vital, or that it could be decided in a way that actually helps plaintiffs.

The Supreme Court has reviewed the Fair Credit Reporting Act (FRCA), 15 U.S.C. '1681 et seq. (1970), multiple times since it was passed in 1970, noted Georgetown's Vladeck. The harm that comes from incorrect revelations such as the ones at issue in the case are baked into the law, not something that must be separately proven, he says.

The Ninth Circuit's unanimous ruling was authored by Diarmuid O'Scannlain, one of the court's more conservative judges. Moreover, the Supreme Court might be disinclined to rule in a way that plaintiffs lawyers predict would result in more privacy actions being filed in state court.

'This court has at least four self-identified conservative jurists,' says Kamber, the New York plaintiffs lawyer. 'I'd be surprised if those jurists would abdicate the express intentions of Congress' in passing the Class Action Fairness Act of 2005, which allowed defendants to remove state court class actions with more than $5 million at stake to federal court.

Even Cooley's Rhodes has come to a more cautious view of Spokeo. Rhodes says he could see some of the conservative justices on the Court applying a separation of powers analysis to the case. Congress did, after all, pass the FCRA with a private right to sue and statutory damages embedded within it. 'It's a conservative principle to defer to the legislature,' Rhodes says.

Plaintiffs lawyers have already been altering their approach to plead privacy lawsuits with an eye toward the issues raised in Spokeo, says Munger, Tolles & Olson's Rosemarie Ring. Rather than focusing on statutory damages in recent suits, Ring says, 'plaintiffs lawyers have started focusing on theories of harm where they are seeing companies make money off user data and saying 'Hey, we should get some of that money.” She adds: 'I don't think that constitutes harm.' Fenwick & West's Tyler Newby says that he's seen plaintiffs lawyers looking for cases that involve the purchase of a service or a device where damages and harm are easier to quantify, and plaintiffs can also pursue false advertising and unfair competition claims.

Regardless of the Court's ruling in Spokeo, Rhodes concedes his colleagues in the plaintiffs bar ' the ones he predicted would be out of work in a year ' probably won't altogether abandon privacy litigation. Rhodes points to the limited impact of the 1995 Private Securities Litigation Reform Act, PL 104'67, which was meant to curb the flow of frivolous securities lawsuits. 'There have been more securities cases filed after that act than before it,' Rhodes says.

Rhodes says he expects the evolving nature of technology and the shifting tactics of the plaintiffs bar to create plenty of privacy work to keep him and the rest of the defense bar busy.

'Data is data, and people are going to continue to extract new uses out of it,' Rhodes says. 'Some segment of the population is going to be tweaked by that.'

Ross Todd is a Senior Reporter with The Recorder, the San-Francisco-based ALM sibling of e-Commerce Law & Strategy. He can be reached at [email protected].