Privacy-Related Lawsuits on the Rise

These days, trial lawyers seem to be exploring the territory of the Internet, where privacy-related class action cases are on the rise. Companies that choose to operate in online and social media take advantage of incredible opportunities to connect with users. Websites and social media networks create new ways to obtain and monetize data about users, often in innovative and potentially harmful ways. These activities often allow search engines, website operators and advertisers access to user data that has never happened before.

According to Todd Ruback, head of privacy and technology at law firm DiFrancesco Bateman, “There is a mushrooming number of cases. A decade ago privacy was a distant worry among CEOs and boards of directors, but now it’s a full-blown hurricane.”

Huge Payouts

In the climate of increasing concern about online privacy, US regulators are working to develop new frameworks and tools for consumer protection. In 2011, the Securities and Exchange Commission (SEC) began requiring public companies to report “cyber incidents” to investors. In an effort to reduce identity theft, since 2002, 49 US states and territories have passed laws that require companies that lose personal data to alert consumers and local authorities.

All this has resulted in a number of high-profile and costly lawsuits. Increasingly, more companies are agreeing to settle outside of court, rather than risk an unfavorable jury decision. In June 2012, Facebook agreed to a $20 million settlement to end a lawsuit over its use of members’ faces in online ads. Earlier in June, LinkedIn was hit with a $5 million negligence suit, after hackers made off with 6.5 million users’ passwords. In another example, Netflix cancelled its planned 2010 sequel to a $1 million public prize for movie recommendation software, after it was sued for accidentally releasing rental records that could be traced to individual consumers.

Of course, online privacy risks are spawning new and highly profitable industries. These days, companies can choose to purchase cyber insurance, which helps protect against the economic fallout from electronic mishaps such as viruses and data loss. In fact, according to insurance broker Marsh, this is the fastest-growing type of insurance coverage in the US.

Common Categories

Industry observers have taken note of some common categories of privacy class action suits, which are listed and described below:

A)     Claims for violation of website terms of use and privacy policy

Almost all companies will have Terms of Use and Privacy Policies posted on their websites. Should consumer data be used or revealed inconsistently with these policies, companies can be subject to a claim for breach of contract created through those online provisions.

B)      Flash cookies

Cookies are commonly used to collect and track information about website and online app users. Cookies can perform a range of functions, from allowing the website operator to view internet browsing history, storing log-in/authentication information, or personalizing sites by remembering user preferences from past visits.

Since cookies are able to collect so much user data, they can often be the center of privacy claims. Recently, there have been a number of class action lawsuits relating to flash cookies. These cookies use a capability of Adobe’s Flash plug-in to track website users and store their information. They are especially common, as Flash software is installed on around 98% of PCs and are used in many popular online video players, such as YouTube and Hulu.

C)      Social media information

This is a big category. Facebook and other popular social media networks amass a wealth of personal data about their users, including location, entertainment preferences and organizational interests. While this can certainly help with targeted advertisements, it’s also prime material for class action suits. Companies operating social media sites or apps, or those that place ads on such sites are coming under increasing criticism.

D)     Online behavioral advertising

Online behavioral advertising refers to the practice of using a consumer’s internet browsing history or profile data to target more relevant ads to consumers. This allows advertisers to get more bang for their buck, however, the FTC and consumer rights groups are on the case, making demands for the industry to self-regulate this practice. This is where the “Do Not Track” debate comes in.

Mitigating the Risks

Experts have come up with a number of strategies to enable companies to continue using the powerful new opportunities the internet offers, while still respecting the privacy rights of their users and avoiding legal fiascos. These strategies are listed and described below:

  • Review website terms of use and privacy policies
  • Due diligence before using third-party technologies
  • Obtain a good indemnity provision
  • Audit websites for hidden tags, cookies, or other such apps

Responding to Class Actions

Companies that find themselves in online privacy-related class action suits, may use any or all of the following defense strategies:

  • Argue that the statues and causes of action invoked do not apply to online privacy issues
  • Argue consent by users pursuant to the relevant Privacy Policy
  • Point to the lack of damage


This article discusses the increase in class action lawsuits involving online privacy. Companies that operate in the online world, specifically in social media environments have attractive opportunities for connecting with consumers, however, as recent events have shown, they must also proceed on the privacy front with caution. The article briefly introduces a number of high profile class action suits, the common categories of the claims, how websites operating in these spaces can mitigate the risks, and finally, how companies might respond to privacy-related class action suits.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam,  a privacy professional should be comfortable with topics related to this post, including:

  • Privacy expectations – the consumer perspective (II.A.a.)
  • Privacy expectations – organizational practices (II.A.b.)
  • Personalization – end user benefits and concerns (II.C.a., II.C.b.)
  • Privacy by policy (III.B.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>