Lack of Private Right of Action Is Resulting in Suits Under Older Laws, Lawyers Say

“The new privacy laws -- and we have 20 consumer privacy laws in the states -- ... don't have private rights of action,” said Daniel Solove, a George Washington University law professor, who hosted the webinar. “If you don't have the right tools to use, you grab whatever tools are out there. And so we see [people] grabbing tools from older laws that really were not designed for the technologies of today.”

Those older laws include the 1988 Video Privacy Protection Act (VPPA), which has seen a surge in cases (see 2501100009), and various wiretapping laws, he said, among other older legislation. “Legislatures are actually pretty bad about keeping laws up to date, which is a very big problem in privacy and technology,” he said. If “you don't keep your laws up to date, problems like this arise, and if you don't give the right tools to enforce privacy or address a problem, then that's what you're going to have: old tools, because they're not updated, apply to situations in not the ideal way that we would want.”

One of the most contentious areas, Solove said, is wiretapping.

“The claim under wiretapping statutes is that in doing so, there is an interception of a communication,” said Katherine Heaton, Beazley's cyber and tech claims focus leader. “When you're going on the website, you're doing something there that's a communication, and then that interception of communication is being shared with some third party that didn't give consent.”

A majority of these claims are being filed in two-party consent states, Heaton said, where both parties have to consent to a wiretap for it to be legal. Though some laws, like the Federal Wiretap Act, have one-party consent, you have to prove the company is doing something fraudulent or tortious, she said.

Heaton said the rise in these claims started with pixels, which are snippets of code on a website that interact with the cookies on the site and send a user's information back to the company that owns the site.

Melissa Sibert, chair of the emerging data privacy trends practice at Cozen O’Connor, said using pixels in ads has increased. “That's what pixels are generally used for,” she said. “It's targeted marketing and improving experience on a website, so that you visit the website more often and buy things from it more often.”

TikTok, Sibert said, uses these pixels. That, paired with the idea that “TikTok is used to spy, to surveil, by the Chinese government,” which is “a very common allegation in these California invasion of privacy lawsuits,” you get “this idea that there are entities that are spying on you or getting access to your data…[and] you don't know that they're doing that.”

But some of these claims misrepresent the technology to a degree, she said. “That's where the disconnect is,” Sibert said. “The laws have not caught up with the technology.”

Heaton said this isn't just a burden on consumers. “What's hard though, for the company, is that there are also no guidelines as to what you have to ask for,” she said. “There isn't a statute that says that if you're going to use a pixel, you need to disclose it in this way, or you need to get affirmative consent, or you need to do opt out, but there's just no regulations.”

Said Solove, “You really see kind of a lack on the legislatures' part to keep these laws up to date.” He added, “If the legislators did their job and really kind of kept the laws up to date ... we'd see a lot less of these difficulties or these problems… but until we're in that world ... we're going to see old laws used with the newer technologies.”