Keypoint: As currently drafted, the ADPPA’s private right of action provides U.S. citizens with the opportunity to enforce their privacy rights but limits lawsuits to federal court and provides covered entities and service providers with mechanisms to mitigate the risk of such claims, including through the use of arbitration provisions and class action waivers.
As we previously reported, the American Data Privacy and Protection Act (ADPPA) (H.R. 8152) is eligible for a full House vote after the House Committee on Commerce & Energy (House Committee) reported out an amended version on July 20, 2022. Prior to reporting out the ADPPA, the House Committee adopted an Amendment in the Nature of a Substitute (AINS) that made numerous changes to the bill, including modifications to the bill’s private right of action (PRA).
The contours of the ADPPA’s PRA are crucial.
Privacy advocates point to the inclusion of the PRA as one way in which the ADPPA is stronger than the California Consumer Privacy Act. However, Senator Maria Cantwell (D-Wash.) – whose support is necessary to pass the bill because she chairs the relevant Senate committee – stated that the ADPPA contains “major enforcement holes” and does not have her support. Recently, Senator Cantwell stated that “she couldn’t support the bipartisan framework unless House lawmakers add tougher enforcement measures, including limits on forced arbitration and a broad right for individuals to sue companies that violate the law.” According to Cantwell, “The problem is it’s taking the House a long time to come to reality about what strong enforcement looks like.” “If you’re charitable, you call it ignorance. If you think that it’s purposeful, it literally won’t pass the House because they just won’t meet the test of what a strong federal bill looks like.” Meanwhile, business advocates such as the U.S. Chamber of Commerce are adamantly opposed to any bill “that creates a blanket private right of action.”
Given how important this issue is to passing a federal privacy bill, the article below contains a detailed analysis of the ADPPA’s current PRA as the House Committee passed it on July 20. The article then outlines the PRA contained in Senator Cantwell’s 2019 bill, the Consumer Online Privacy Rights Act, for comparison purposes.
If you are interested in learning more about the ADPPA, we are hosting a webinar on it on August 18, 2022. We also would like to thank the Future of Privacy Forum and the IAPP’s Cobun Zweifel-Keegan, whose redline of the latest version of the ADPPA was instrumental in the drafting of this article.
Part I – ADPPA
Overview of the ADPPA’s Private Right of Action
According to ADPPA section 403(a), “[b]eginning on the date that is 2 years after the date on which this Act takes effect, any person or class of persons for a violation of this Act or a regulation promulgated under this Act by a covered entity or service provider may bring a civil action against such entity in any Federal court of competent jurisdiction.”
There are a number of elements to dissect in the section.
First, the PRA goes into effect two (2) years after the ADPPA’s effective date. As originally introduced, the PRA would have gone into effect four (4) years after the effective date. The House Committee reportedly made the time frame shorter to try to gain Senator Cantwell’s support. Of note, pursuant to section 408, the ADPPA would go into effect one hundred and eighty (180) days after enactment. Therefore, ultimately, the PRA would be delayed approximately two-and-a-half (2.5) years after the ADPPA passes.
Second, the ADPPA specifically authorizes class actions, by allowing persons or classes of persons to bring civil actions under the ADPPA. That said, as discussed below, covered entities and service providers can take measures to significantly limit class actions.
Third, although section 403(a) states civil actions may be brought for violations of the Act or a regulation, section 403(e) limits such actions to specific parts of the ADPPA.
Fourth, section 403(a) limits lawsuits to federal courts, meaning claims cannot be brought in state courts. As we outline below, this limitation is significant due to the standing federal courts require under Article III of the U.S. Constitution.
Types of Relief Litigants Can Seek
Section 403(a)(2) permits plaintiffs to recover (1) an amount equal to the sum of any compensatory damages, (2) injunctive relief, (3) declaratory relief, and (4) reasonable attorney’s fees and litigation costs.
Limitations to Bringing a PRA
Arbitration Agreements and Pre-Dispute Joint Action Waivers
The ADPPA allows covered entities and service providers to limit their exposure through the use of pre-suit arbitration agreements and joint action waivers. Senator Cantwell routinely cites this limitation as a reason she does not support the bill.
The ADPPA provides that covered entities and service providers may enter into arbitration agreements and pre-dispute joint action waivers with individuals eighteen (18) years of age and over. The House Committee significantly modified this provision in the AINS adopted on July 20. In the prior version of the bill, covered entities and service providers could not use pre-dispute joint action waivers for individuals of any age.
The ADPPA defines “pre-dispute joint action waivers” as “an agreement, whether or not part of a pre-dispute arbitration agreement, that would prohibit or waive the right of 1 of the parties to the agreement to participate in a joint, class, or collective action in a judicial, arbitral, administrative, or other related forum, concerning a dispute that has not yet arisen at the time of the making of the agreement.”
Based on our research, there is little federal case law on whether businesses can enforce arbitration agreements and pre-dispute joint action waivers for individuals under eighteen (18) years of age. However, two recent circuit court decisions held that arbitrators (and not courts) should decide whether age is a defense to enforcement of a forced-arbitration provision. K.F.C. v. Snap Inc., 29 F.4th 835 (7th Cir. 2022) (“Illinois treats the age of contracting parties as a potential defense to enforcement.” . . . “It means in turn that the potential [minor] defense goes to the arbitrator. . . .”) (citing Rent-A-Ctr. v. Jackson, 561 U.S. 63, 71 (2010)); I. C. v. StockX, LLC (In re Stockx Customer Data Sec. Breach Litig.), 19 F.4th 873 (6th Cir. 2021) (applying Michigan law and concluding that a contract existed and the delegation provision was valid between minor plaintiffs and a technology company, and thus the arbitrator must decide whether defenses of infancy and unconscionability allow minor plaintiffs to avoid arbitrating merits of their claims).
Rights of Federal Trade Commission (FTC) and State Attorneys General
Section 403(a)(3) requires litigants, prior to bringing a claim, to notify the FTC and the attorney general of the state in which they reside that they intend to bring a civil action. The FTC and the state attorney general then have sixty (60) days to intervene. In addition, regardless of the government’s decision to intervene in the sixty (60) day period, the FTC, state attorney general, and any state privacy authority (e.g., the California Privacy Protection Agency) retain the right to later commence a civil action or intervene in the plaintiff’s civil action.
Right to Cure
Plaintiffs seeking injunctive relief must first provide covered entities and service providers with forty-five (45) days’ written notice identifying the specific provision of the ADPPA the persons or class of persons allege have been or are being violated. If the covered entity or service provider is able to cure the violation, the persons or class of persons cannot bring a claim for injunctive relief.
If a person or identified members of a class of persons represented by counsel send a letter to a covered entity or service provider alleging a violation of the ADPPA, the letter must include the statement: “Please visit the website of the Federal Trade Commission for a general description of your rights under the American Data Privacy and Protection Act” followed by a hyperlink to the webpage of the FTC. If such correspondence does not include this language and hyperlink, the civil action may be dismissed without prejudice and shall not be reinstated until such person or persons has complied with the requirement. In addition, pursuant to section 403(a)(3)(C), such letters “shall be considered to have been sent in bad faith and shall be unlawful . . ., if the written communication was sent prior to the date that is 60 days after either a State attorney general or the Commission has received the notice” described above.
Article III Standing
Another important limitation is that plaintiffs need to establish standing under Article III of the U.S. Constitution to bring a claim. Under Article III, federal court jurisdiction is limited to “cases” and “controversies.” For there to be a case or controversy, a plaintiff must have a personal stake in the case – i.e., standing. To establish standing, a plaintiff must show that: (i) they suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) the defendant likely caused the injury; and (iii) judicial relief would likely redress the injury.
In TransUnion LLC v. Ramirez, the United States Supreme Court explained that “this Court has rejected the proposition that ‘a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.’” Rather, “Article III standing requires a concrete injury even in the context of a statutory violation.”
In other words, Congress’s creation of a statutory right to sue does not relieve a court of finding that there has been actual harm to the plaintiff. According to the Court, “Congress may enact legal prohibitions and obligations. And Congress may create causes of action for plaintiffs to sue defendants who violate those legal prohibitions or obligations. But under Article III, an injury in law is not an injury in fact. Only those plaintiffs who have been concretely harmed by a defendant’s statutory violation may sue that private defendant over that violation in federal court.”
In sum, although a covered entity or service provider may have technically violated a provision of the ADPPA, plaintiffs may be unable to bring a claim in federal court absent a showing of concrete injury. Proving damages for privacy violations has often proved difficult for plaintiffs. Given that the ADPPA limits cases to federal (and not state) courts, this limitation could be determinative in many lawsuits.
Provisions of the ADPPA the PRA Applies to
The PRA does not apply to violations of all provisions of the ADPPA.
Pursuant to section 403(e), lawsuits can be brought for violations of sections 102 (loyalty duties), 104 (loyalty to individuals with respect to pricing), 202 (transparency), 203 (individual data ownership and control), 204 (right to consent and object), 205(a)-(b) (data protection for children and minors), 206(b)(3)(C) (rights around third-party collecting entities), 207(a) (civil rights protections), 208(a) (establishment of data security practices), 302 (service providers and third parties), and any regulation promulgated under such sections.
The PRA does not apply to sections 101 (data minimization), 103 (privacy by design), 201 (consumer awareness), 205(c) (youth privacy and marketing division of FTC), 206 (third-party collecting entities requirements except for section 206(b)(3)(C)), 207(b)-(c) (algorithms), 208(b)-(c) (specific requirements for data security practices and FTC regulations for same), 209 (small business protections), 210 (unified opt-out mechanisms), 301 (executive corporate responsibility), 303 (technical compliance programs), 304 (commission approved compliance guidelines), and 305 (digital content forgeries). Many of the excluded sections are directed at FTC activities (e.g., consumer awareness) and, thus, logically excluded from the PRA.
The ADPPA excludes certain small businesses from the PRA. Specifically, the PRA does “not apply to any claim against a covered entity that has less than $25,000,000 per year in revenue, collects, processes, or transfers the covered data of fewer than 50,000 individuals, and derives less than 50 percent of its revenue from transferring covered data.” In addition, section 209 exempts certain small businesses from complying with parts of the ADPPA.
Part II – The Consumer Online Privacy Rights Act
In 2019, Senator Cantwell released a comprehensive privacy bill, the Consumer Online Privacy Rights Act (COPRA). As with the ADPPA, COPRA contains a PRA; however, it is more consumer-friendly than the ADPPA’s PRA.
Pursuant to COPRA section 301, individuals can bring a suit in state or federal court for a violation of COPRA or a regulation promulgated under COPRA. In a stark contrast to the ADPPA, plaintiffs can recover statutory damages between $100 and $1,000 “per violation per day or actual damages, whichever is greater.” Plaintiffs also can recover punitive damages, reasonable attorney’s fees, litigation costs, and equitable or declaratory relief.
Attempting to address the Article III standing issue, COPRA states that a violation of COPRA or a regulation “with respect to the covered data of an individual constitutes a concrete and particularized injury in fact to that individual.”
COPRA also specifically prohibits pre-dispute arbitration agreements and pre-dispute joint action waivers “with respect to a privacy or data security dispute arising under.” A court would determine whether there is a privacy or data security violation, not an arbitrator.