In light of persistent inaction at the national level, states have taken the initiative to pass their own versions of cybersecurity and privacy laws. However, these efforts are plagued by problems that arguably worsen the landscape of these issues.
Technological innovations have raced past legislative attempts to supervise and monitor them, leading to rising instances of privacy violations. Last month, the Mozilla Foundation declared cars to be “the official worst category of products for privacy.” The organization’s review of 25 car brands disclosed that 92% of these grant scant or zero control to drivers over their personal data.
This lack of control dates from as far back as 2005, when Sony BMG’s anti-piracy measures clandestinely facilitated the influx of rootkit software and opened computers up to threats from worms and viruses. Yet, even with almost two decades of first-hand experience with privacy violations, the US falls short of having something as comprehensive as the EU’s General Data Protection Regulation. With privacy and security bills consistently failing in Congress, states have been left to navigate the aftermath.
Despite this, common-law claims and consumer protection statutes have found use in civil cases to defend against privacy and security violations, sometimes leading to settlements as substantial as $725 million and $505.5 million in cases against Facebook and Equifax respectively.
However, a range of legislation set to take effect in the coming years (including Florida’s Technology Transparency Act, Indiana’s and Iowa’s Consumer Data Protection Acts, Montana’s Consumer Data Privacy Act, Oregon’s Consumer Privacy Act, Tennessee’s Information Protection Act, and Utah’s Consumer Privacy Act) offers little solace to consumers. None of these statutes provide for a private right of action, placing the enforcement onus upon regulators without augmenting their resources to cope with the thousands of yearly data breaches and daily privacy violations. In fact, the penalties imposed by these statutes do nothing to compensate consumers for losses due to fraud or identity theft, despite the fact that consumers reported losses to the tune of $9 billion in 2022.
In contrast, statutes that allow for private civil enforcement, such as the California Consumer Privacy Act, grant consumers higher compensation for the most egregious of data breaches; a recent settlement relating to T-Mobile’s breach offered up to $100 to California consumers. Without a private right of action, these laws fail to put money back into consumer pockets.
Further study of these cases may prove insightful for legal professionals: In re Facebook, Inc. Consumer Privacy User Profile Litigation, N.D. Cal., No. 3:18-md-02843, proposed final judgment 9/21/23; and In Re: Equifax, Inc. Customer Data Security Breach Litigation, N.D. Ga., No. 1:17-md-02800, 7/25/19.
Lewis & Clark Law School student Elijah Savage contributed research to this topic.