Disconnect Between Courts and Legislatures at Heart of Privacy Litigation Issues, Experts Say

Müge Fazlioglu, IAPP principal researcher in privacy law and policy, noted the rise in data privacy cases. “We went from about 1,500 cases in 2020, to about 2,500 last year,” she said. “There is a pretty clear upward trend, and ... it's likely to keep increasing in the years ahead.”

Part of the issue with privacy legislation is that “privacy is so hard to define and draw boundaries around,” Fazlioglu said. As such, privacy law is "a dynamic and evolving area of litigation,” she said. “It truly embodies the proverbial living law." Moreover, decisions and settlements in the courts "are playing as great of, if not a greater, role than legislation and government regulation in shaping cybersecurity and privacy norms,” Fazlioglu contends.

For example, the Illinois Biometric Information Privacy Act (BIPA) has attracted an influx of litigation in recent years as a result of state Supreme Court decisions and a legislative amendment (see 2502210037). Although BIPA passed in 2008, it wasn’t until nearly a decade later that the floodgates of court cases opened, privacy lawyers said.

In addition, said Andy Kingman, president of Mariner Strategies, BIPA regulates technology that didn't exist when the statute was created. “Literally, before the invention of the [Apple] iPhone, BIPA was passed,” he noted. “There's a whole online ecosystem that grew and sort of created this square peg, round hole problem for companies trying to comply with BIPA.”

And this situation extends beyond BIPA to other federal and state privacy laws. An example is Daniel’s Law in New Jersey, aimed at protecting the personal information of certain public servants, such as judges or law enforcement, and their families. While well-intentioned, the statute is being abused for monetary gain, Kingman said. Other privacy lawyers say the same (see 2504040031).

Another disconnect between legislation and privacy regulation comes from the use of testers, or recycle plaintiffs, in privacy cases. “The concept that [certain organizations] are fighting for privacy rights ... is really belied by the less-ethical practices that they're employing,” Kingman said.

However, the U.S. District Court for Central California ruled early in April that testers lack standing to sue under the California Invasion of Privacy Act (CIPA) since they typically visit a site expecting a violation of their privacy (see 2504090055).

Another element is the advocacy groups that challenge privacy legislation. For instance, trade association NetChoice often spearheads litigation against state laws whose advocates say would protect children online. NetChoice argues the proposed laws violate privacy and First Amendment rights. “Every law that we have challenged that has been billed as a so-called privacy law” is really an “online censorship law or content moderation infringement law” masquerading as a privacy law, said Chris Marchese, director of litigation at NetChoice. “These are laws that are targeting online speech or access to online speech, and that's why our First Amendment challenges have been so strong.”

“What we have found surprisingly good is that the courts are seeing right through the state legislators and what they've been trying to do,” he said. “You can't just say you're trying to protect children online. You need to flush out the compelling interest, and you have to really show that the law is now really tailored.”

Not all NetChoice's litigation has resulted in wins, however, and many are still ongoing; for example, the 5th U.S. Circuit Court of Appeals on April 17 vacated a preliminary injunction against Mississippi’s age-verification law and remanded the case to the district court (see 2504180013). The U.S. District Court for Northern Florida also dismissed the trade association's complaint over a law prohibiting kids 13 and younger from creating social media accounts and requiring parental consent for 14- and 15-year-olds to create accounts for failure to allege standing (see 2503170061).

Though many states are crafting legislation based on other states' laws, some ignore litigation when drafting them, Marchese said. “The states are not necessarily adjusting from other court cases” as they draft legislation, he said. “We might get a victory, in say, California, for example, on the age-appropriate design code, but then Maryland will go and pass a very similar version of that. So there's been…this disconnect between court rulings and the legislative process.”

While legislatures could benefit from seeking courts' guidance on these issues, the judiciary might find lawmakers' input helpful, too, Kingman said. “There's wildly disparate interpretations of CIPA throughout both the state and federal court system in California, and so, really, [there's] no sense that that litigation is going to abate anytime soon, without some type of legislative fix,” he said.

However, Marchese said he was impressed with the courts' grasp of technology. “It has been really nice to see judges and courts, for the most part, understanding the technology at issue, understanding the mechanics, reading the technical guidance that is provided in our lawsuits,” he said. “While I would not say that the federal judiciary is necessarily totally comfortable with today's technology, it understands these issues a lot better than I think they get credit for.”

Paul Taske, associate director of litigation at NetChoice, agreed and said the willingness of judges and courts to consider modern advances in technology, like social media, differently than more basic, older technologies, has been surprising. Not relying on precedents based on older technologies is good for user privacy and the First Amendment, he said.

Adrienne Fowler, assistant dean of the privacy and technology law program at George Washington Law, said the dysfunction between the legislature and the courts is an ongoing issue. “I think it's really important to recognize that there is a strong government interest in regulating the data protection, the data collection, the data processing practices of the private sector,” she said. Yet she disagrees with Marchese and Taske in that "we are still seeing a large amount of misunderstanding of the way that technology operates within the courts,” though “there are some pockets of light.”

Yaron Dori, partner at Covington and Burling, said even if there is government interest, privacy laws are hard to draft. “Regulating or enacting laws that relate to privacy is very, very difficult, because in one way, shape or form, it has to do with content, and content is speech,” he said.