We live in an information age, where much of our personal information is stored and transferred via electronic means. To address concerns that such information may be transferred or disclosed without our consent, Congress has enacted federal statutes to protect the privacy rights of individuals. Several of these statutes include provisions authorizing private rights of action to redress privacy violations. Given the potential for privacy breaches to have an impact on large groups of individuals, many privacy lawsuits are brought as class actions.
Federal Privacy Statutes Under Which Class Actions Have Been Settled
Over the past five years, the majority of federal privacy class-action settlements have involved cases brought under the Fair Credit Reporting Act as amended by the Fair and Accurate Credit Transactions Act (FCRA/FACTA) (15 U.S.C.A. § 1681 et seq.), the Telephone Consumer Protection Act (TCPA) (47 U.S.C.A. § 227), the Driver’s Privacy Protection Act (DPPA) (18 U.S.C.A. §§ 2721–25), the Electronic Communications Privacy Act (ECPA) (18 U.S.C.A. §§ 2510–22), the Computer Fraud and Abuse Act (CFAA) (18 U.S.C.A. § 1030), and the Video Privacy Protection Act (VPPA) (18 U.S.C.A. § 2710).
Fair Credit Reporting Act
Congress enacted the FCRA/FACTA “to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information . . . .” 15 U.S.C.A. § 1681b. Congress chose to protect consumers’ right to privacy by prohibiting the release of consumer reports, which contain private information, unless specific requirements are followed. 15 U.S.C.A. § 1681b(a)–(b). The act also provides that “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of sale or transaction.” 15 U.S.C.A. § 1681c(g)(1). A person who willfully fails to comply with the act is liable for any actual damages suffered by each consumer of not less than $100 and not more than $1,000, reasonable attorney fees and costs, and, potentially, punitive damages. 15 U.S.C.A. § 1681n.
Many of the class-action lawsuits filed under FCRA/FACTA have alleged that the defendant business failed to truncate the consumers’ credit- or debit-card numbers on receipts, printed the expiration dates of the cards on receipts, or both. See generally Todd v. Retail Concepts, Inc., No. 3:07-0788, 2008 WL 3981593 (M.D. Tenn. Aug. 22, 2008); Smith v. Grayling Corp., No. 07-1905, 2008 WL 3861286 (E.D. Pa. Aug. 20, 2008); Reed v. Cont’l Guest Servs. Corp., No. 10-cv-5642, 2011 WL 1311886 (S.D.N.Y. Apr. 4, 2011).
Class-action lawsuits have also been filed alleging that the defendants unlawfully obtained, disclosed, or used individuals’ private information in violation of the act. See Barel v. Bank of Am., 255 F.R.D. 393 (E.D. Pa. 2009) (alleging that the defendant willfully violated the act by obtaining credit reports of non-customers who were acting as power of attorney for bank customers); Nienaber v. Citibank (South Dakota) NA, No. 4:04-4054, 2007 WL 752297 (D.S.D. Mar. 7, 2007) (alleging that the bank unlawfully accessed cardholders’ credit reports).
Telephone Consumer Protection Act
The TCPA provides that it is unlawful for any person to make an unsolicited call “using any automatic telephone dialing system or an artificial prerecorded voice” to any telephone number assigned to a cellular phone service, paging service, or other service for which the called party is charged for the call. 47 U.S.C.A. § 227(b)(1)(A)(iii). The TCPA also prohibits a person from sending any unsolicited telephone facsimile advertisements, unless the sender has established a business relationship with the recipient or the sender properly obtained the fax number as provided in the TCPA. 47 U.S.C.A. § 227(b)(1)(C). A party may bring an action in an “appropriate” “State [court]” for injunctive relief and/or for monetary loss, calculated as the greater of $500 per violation or actual damages. 47 U.S.C.A. § 227(b)(3); see also Mims v. Arrow Fin. Servs., LLC, No. 10-12077, 2010 WL 4840430 (11th Cir. Nov. 30, 2010), cert. granted, 79 U.S.L.W. 3578 (June 27, 2011) (No. 10-1195). The Supreme Court has granted certiorari in Mims to resolve a circuit split over whether federal question jurisdiction exists for cases brought under the TCPA.
Enhanced damages may be available if the defendant knowingly or willfully violated the statute. Id. Privacy class-action lawsuits have been filed under the TCPA provisions that forbid calls using automatic telephone dialing systems to cellular phones, and forbid the transmission of unsolicited faxes. See, e.g., Bellows v. NCO Fin. Sys., No. 3:07-cv-01413, slip op. at 1 (S.D. Cal. Dec. 22, 2008) (alleging that the defendant called plaintiffs’ cell phones without consent using an automated dialing system that used a prerecorded voice); Accounting Outsourcing, LLC v. Verizon Wireless Pers. Commc’ns, LP, No. 03-cv-161, 2007 WL 7087615 (M.D. La. Aug. 2, 2007) (alleging that the defendant unlawfully transmitted unsolicited facsimile advertisements).
Driver’s Privacy Protection Act
The DPPA provides that it is unlawful for any person to knowingly obtain or disclose personal information from a motor vehicle record, unless specifically permitted under the act. 18 U.S.C.A. § 2722. The DPPA also provides that any person who knowingly obtains, discloses, or uses personal information in violation of the DPPA can be liable to each person injured by the violation for the greater of actual damages or liquidated damages in the amount of $2,500; punitive damages, upon a showing of willful or reckless disregard of the law; reasonable attorney fees and costs incurred; and such other relief as the court finds appropriate. 18 U.S.C.A. § 2724. Class-action lawsuits have been filed under the DPPA alleging unlawful acquisition and disclosure of drivers’ personal information. See, e.g., Roberts v. The Source for Pub. Data LP, No. 08-04167, 2010 WL 4008347 (W.D. Mo. Oct. 12, 2010) (alleging that the defendant unlawfully obtained and disclosed restricted personal information from a motor vehicle record); Pichler v. Unite, No. 04-2841, 2011 WL 717644 (E.D. Pa. Feb. 22, 2011) (alleging that the defendant union unlawfully used license plate numbers of employees to obtain employees’ home addresses from motor vehicle records).
Electronic Communications Privacy Act
The ECPA provides that, subject to certain statutory exceptions, any person who “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication” shall have committed a punishable offense. 18 U.S.C.A. § 2511(1)(a). It is also unlawful for any person to intentionally use or disclose such intercepted communication. 18 U.S.C.A. § 2511(1)(c). Any person whose electronic information was intercepted, disclosed, or intentionally used in violation of the ECPA may seek injunctive or declaratory relief, actual and punitive damages, and reasonable attorney fees and costs. 18 U.S.C.A. § 2520(a)–(b). A court may issue an award of actual damages suffered by the plaintiff or statutory damages of the greater of $100 per day for each day of violation or $10,000. 18 U.S.C.A. § 2520(c)(2). Recently, courts have approved class-action settlements of claims under the ECPA against two major Internet companies that allegedly disclosed consumers’ personal information without their consent. See Consol. Amended Complaint at 14–15, In re Google Buzz User Privacy Litig., No. 5:10-cv-00672 (N.D. Cal. settlement approved May 31, 2011); Complaint at 2–3, 40–42, Lane v. Facebook, No. 5:08-cv-03845 (N.D. Cal. settlement approved Mar. 17, 2010).
Computer Fraud and Abuse Act
The CFAA provides that anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information” from any “computer used in or affecting interstate or foreign commerce[,]” thereby causing damage or loss, commits a punishable offense. 18 U.S.C.A. § 1030(a), (e)(2)(B). The CFAA also provides that a “person who suffers damage or loss by reason of a violation of [the CFAA] may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C.A. § 1030(g); see also 18 U.S.C.A. § 1030(c)(4)(A)(i) (enumerating conduct giving rise to civil action). Class actions have been filed under the CFAA alleging that breaches of computer security led to the disclosure of consumers’ private information. See, e.g., Consol. Class Complaint at 10–11, In re TD Ameritrade Accountholder Litig., No. 4:07-cv-02852 (N.D. Cal. filed June 13, 2008) (alleging that the breach of defendant’s security exposed consumers’ private information to “spammers”); see also Consol. Amended Complaint at 15–16, Google Buzz, No. 5:10-cv-00672; Complaint at 3, 56–57, Facebook, No. 5:08-cv-03845.
Video Privacy Protection Act
The VPPA prohibits any “video tape service provider” from knowingly disclosing the personal information of its consumers—including “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider”—to any third party without the consumers’ prior consent. 18 U.S.C.A. § 2710(a)–(b). The VPPA also requires video tape service providers to destroy personal identifying information “as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected . . . .” 18 U.S.C.A. § 2710(e). The VPPA authorizes private civil actions by aggrieved consumers for the greater of their actual damages or liquidated damages in the amount of $2,500, as well as punitive damages, reasonable attorney fees, costs incurred, and such other relief as the court finds appropriate. 18 U.S.C.A. § 2710(c). Plaintiffs in Lane v. Facebook alleged that Facebook’s Beacon marketing associates violated the VPPA by retaining personal identifying information regarding users’ activities on their websites and transmitting that information to Facebook, and that Facebook aided and abetted the alleged VPPA violations by making available on its website information regarding users’ transactions with Beacon affiliates. Complaint at 42–49, Facebook, No. 5:08-cv-03845; see also Consol. Class Complaint at 1–2, 9–10, Boesky v. Redbox Automated Retail, LLC, No. 1:11-cv-01729 (N.D. Ill. filed May 10, 2011) (alleging that Redbox violated the VPPA by indefinitely retaining records of consumers’ video rental selections).
Judicial Approval of Privacy Class-Action Settlements
Before approving a privacy class-action settlement, a federal district court must determine whether the proposed class meets Federal Rule of Civil Procedure 23’s requirements for class certification. See, e.g., Hanlon v. Aramark Sports, LLC, No. 09-465, 2010 WL 374765, at *2 (W.D. Pa. Feb. 3, 2010). “In order for a class to be certifiable under Rule 23(a), it must meet four requirements: (1) numerosity; (2) commonality; (3) typicality; and (4) adequacy of representation.” Id. “If the court finds that the proposed class satisfies the four requirements of Rule 23(a), the court must determine whether the class fits within one of the [three] categories set forth in Rule 23(b).” Id. Unlike class actions seeking declaratory or injunctive relief under 23(b)(1) or 23(b)(2), class actions seeking monetary relief under Rule 23(b)(3) must demonstrate that common questions of law or fact predominate over individual issues and that a class action is superior to other means of resolving the controversy. See Fed. R. Civ. P. 23(b)(3); see also Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 620 (1997) (settlement class certified under Rule 23(b)(3) must meet all of that rule’s requirements except manageability for trial).
In addition to the certification determination, the court must find that the settlement is fair, reasonable, and adequate. Fed. R. Civ. P. 23(e)(2); see also Amchem Prods., 521 U.S. at 620 (stating that the rights of absent class members “demand undiluted, even heightened, attention in the settlement context”). Unnamed class members have the right to reasonable notice of, and opportunity to object to, a proposed settlement. See Fed. R. Civ. P. 23(e)(1), (5). However, such objections are not very common. See, e.g., Lane v. Facebook, No. 08-3845, slip op. at 8–10 (N.D. Cal. Mar. 17, 2010) (out of a class of about 3.6 million users, only four class members objected to the settlement).
Relief Provided to the Class in Court-Approved Settlement Agreements
Coupons or Free Services
Coupon settlements and settlements providing free services are common in privacy class actions. In particular, coupon and/or free credit-monitoring settlements appear to be the predominant form of relief in class actions brought under the FCRA/FACTA. See, e.g., Palamara v. Kings Family Rests., No. 07-0317, 2008 WL 1818453, at *1 (W.D. Pa. Apr. 22, 2008) (offering each class member a voucher for specified foods in an amount not to exceed $4.78); Klingensmith v. Max & Erma’s Rests., Inc., No. 07-0318, 2007 WL 3118505, at *2 (W.D. Pa. Oct. 23, 2007) (offering class members a $4 coupon); see also Barel v. Bank of Am., 255 F.R.D. 393, 397 (E.D. Pa. 2009) (offering class members four months of free credit report monitoring). Many of the approved coupon settlements offered discounts on future goods and/or services purchased from the defendant. See, e.g., Todd v. Retail Concepts, Inc., No. 3:07-CV-0788, 2008 WL 3981593, at *2 (M.D. Tenn. Aug. 22, 2008) (offering class members coupons for $15 off a purchase of $125 or more); Hanlon v. Aramark Sports, LLC, No. 09-465, 2010 WL 374765, at *1 (W.D. Pa. Feb. 3, 2010) (preliminarily approving settlement offering class members either $50 off a purchase of $100 or more, or a t-shirt or sweatshirt); see also Yeagley v. Wells Fargo & Co., No. 3:05-cv-03403, slip op. at 7 (N.D. Cal. July 23, 2007) (offering class members a $50 rebate on a first mortgage loan from the defendant, as well as free credit reports and credit scores).
Payments to Charitable Organizations
As an alternative or in addition to coupon settlements, courts have approved settlements providing monetary awards to charities and/or providing that unclaimed settlement funds be disbursed to charities. See, e.g., Lane v. Facebook, No. 5:08-cv-03845, slip op. at 6–7 (N.D. Cal. Mar. 17, 2010) (approving settlement of claims under ECPA, VPPA, and CFAA; providing for $9.5 million settlement fund, the bulk of which would be used to fund a nonprofit foundation to support online privacy, safety, and security); Nienaber v. Citibank (South Dakota) NA, No. CIV. 04-4054, 2007 WL 752297, at *3 (D.S.D. Mar. 7, 2007) (approving FCRA/FACTA settlement providing $300,000 cy pres payment to charities).
Injunctive Relief and Compliance Monitoring
Courts have also approved privacy class-action settlements that provide injunctive relief. Specifically, settlements providing injunctive relief are common in privacy actions under the DPPA. See, e.g., Roberts v. The Source for Pub. Data LP, No. 2:08-cv-04167, 2010 WL 4008347, at *2 (W.D. Mo. Oct. 12, 2010) (approving settlement requiring defendant to destroy all driver’s license and motor vehicle information data received from the state of Missouri, remove such information from sale on the Internet, and refrain from purchasing such information going forward unless an exception to the DPPA is met); Fresco v. R.L. Polk & Co., No. 0:07-cv-60695, slip op. at 15–16 (S.D. Fla. July 27, 2010) (approving settlement requiring defendant to undertake various changes in its business practices and undergo periodic auditing over the next seven years to ensure compliance with the DPPA).
Other privacy class-action settlements have provided for monetary payments to class members. See, e.g., Serrano v. Sterling Testing Sys., Inc., 711 F. Supp. 2d 402, 409 n.3 (E.D. Pa. 2010) (approving FCRA/FACTA settlement providing a settlement fund of $975,000 from which each class member is estimated to receive between $500 and $1,000, not to exceed $1,000); Bellows v. NCO Fin. Sys., No. 3:07-cv-01413, slip op. at 6–7 (S.D. Cal. Dec. 22, 2008) (approving TCPA settlement providing 29 class members who filed timely claims with $70 each, in addition to cy pres award of $197,970 to be distributed to agreed list of organizations); Accounting Outsourcing, LLC v. Verizon Wireless Pers. Comm’ns, LP, No. 3:03-cv-00161, slip op. at 1–2 (M.D. La. Sept. 26, 2007) (ordering distribution of funds pursuant to TCPA settlement, whereby class members who filed a claim would receive $397 each, with the remaining amount of the settlement funds to be distributed as cy pres award).
Legal Fees Awarded to Class Counsel
Size of Fee Award
Attorney fees in excess of $1 million are not uncommon in approved privacy class-action settlements. See, e.g., In re Trans Union Corp. Privacy Litig., 629 F.3d 741, 744, 748 (7th Cir. 2011) (awarding over $14 million in attorney fees); Fresco v. R.L. Polk & Co., No. 0:07-cv-60695, slip op. at 22–27 (S.D. Fla. July 27, 2010) (awarding $7.5 million in attorney fees); Lane v. Facebook, No. 08-3845, 2010 WL 2076916, at *2 (N.D. Cal. May 24, 2010) (awarding more than $2 million in attorney fees).
Method of Calculating Fee Award
When determining the amount of reasonable attorney fees in privacy class-action settlements, courts typically use either the lodestar approach or the percentage of the settlement amount approach. Many courts choose one of these approaches and then cross-check the reasonableness of the award using the other approach. See Barel v. Bank of Am., 255 F.R.D. 393, at 403–4 (E.D. Pa. 2009).
Under the lodestar approach, attorney fees are determined based on the reasonable number of hours worked multiplied by a reasonable hourly rate; under a multiplier approach, courts may increase the amount of the fee award to account for an exceptional result. See, e.g., Barel, 255 F.R.D. at 403–4 (approving a $390,000 award of attorney fees, the maximum amount provided for in the settlement, using an upward multiplier of 1.35); Bellows v. NCO Fin. Sys., 2009 WL 35468, at *7 (S.D. Cal. Jan. 5, 2009) (approving the maximum amount of attorney fees contained in the settlement using lodestar with an upward multiplier of 1.793); Fresco v. R.L. Polk & Co., No. 0:07-cv-60695, slip op. at 22–27 (S.D. Fla. July 27, 2010) (approving $7.5 million in attorney fees using a multiplier of 2.6, which included estimated attorney fees of $4.5 million to be incurred for post-judgment monitoring over the next 10 years). Other courts, however, have refused to apply an upward multiplier and have instead awarded only the lodestar amount. Todd v. Retail Concepts, Inc., No. 3:07-0788, 2008 WL 3981593, at *6 (M.D. Tenn. Aug. 22, 2008) (court approved the lodestar amount of $104,713.75, instead of the requested $120,000, stating that there was no reason to provide a multiplier).
Similarly, under the percentage-based approach, courts usually approve the requested attorney fees. Courts commonly award attorney fees amounting to 20 percent to 30 percent of the total settlement amount. See, e.g., Razilov v. Nationwide Mut. Ins. Co., No. 01-cv-1466, 2006 WL 3312024, at *2–3 (D. Or. Nov. 13, 2006) (awarding $5,772,606 in attorney fees, which amounted to 30 percent of the common fund); Serrano v. Sterling Testing Sys., Inc., 711 F. Supp. 2d 402, 419–21 (E.D. Pa. 2010) (finding an award of 33.1 percent of the total settlement amount reasonable); In re Countrywide Fin. Corp. Customer Data Sec. Breach Litig., No. 3:08-MD-01998, 2010 WL 3341200, at *9 (W.D. Ky. Aug. 23, 2010) (award of 20 percent of the total settlement held reasonable). Although many courts use the percentage-based approach, that approach can be problematic when applied to coupon settlements or settlements providing goods or services, which are difficult to value.
Concerns over Fairness of Fee Awards
Objections to privacy class-action settlements often focus on the amount of fees being awarded to plaintiffs’ attorneys. Sizable fee awards have been subject to criticism in coupon and injunctive relief settlements, where the relief awarded to class members may be of questionable value. See generally 28 U.S.C.A. § 1712 (mandating judicial scrutiny of coupon settlements and fee awards in connection with such settlements); cf. Todd, 2008 WL 3981593, at *3 (approving settlement notwithstanding objections by the Texas Attorney General to settlement on grounds that class counsel was to receive $120,000 in fees, whereas class members were to receive coupons of little or no value). Indeed, in some cases, the amount of attorney fees awarded exceeded the amount of relief provided to the entire class. For example, in Riebstein v. Rite Aid Corp., No. 09-2734, 2011 WL 192512, at *14, *17 (E.D. Pa. Jan. 18, 2011), the class received a total of $48,820 worth of gift cards and the plaintiffs’ attorney received $65,000 in fees. Although courts have reduced the amount of fees requested by counsel in privacy class-action settlements, such decisions are relatively rare. See, e.g., Yeagley v. Wells Fargo & Co., No. C 05-3403 CRB, 2010 WL 2077013, at *4–5 (N.D. Cal. May 20, 2010) (reducing counsel’s hours from 2,100, which the court deemed unreasonable, to 720 for purposes of the lodestar analysis; approving fee award of $332,202.76 as opposed to $1.5 million requested).
Class Representative Incentive Awards Approved by the Court
The federal privacy statutes discussed above do not specifically provide for incentive awards to the named plaintiffs; however, many courts have approved such awards. Incentive awards have typically ranged between $1,000 and $3,000 per representative plaintiff. See Bellows v. NCO Fin. Sys., No. 3:07-cv-01413, slip op. at 6 (S.D. Cal. Dec. 22, 2008) (approving $1,000 incentive award for the class representative); Curiale v. Lenox Grp., Inc., No. 07-1432, 2008 WL 4899474, at *10 (E.D. Pa. Nov. 14, 2008) (preliminarily approving an incentive award of $2,500; citing five other Pennsylvania district court cases that approved incentive awards ranging between $2,000 and $3,000). On the other hand, courts have approved incentive awards as large as $10,000. See Barel v. Bank of Am., 255 F.R.D. 393, at 402–3 (E.D. Pa. 2009) (court approved an incentive award of $10,000 to the representative plaintiff); Razilov v. Nationwide Mut. Ins. Co., No. 01-cv-1466, 2006 WL 3312024, *3–4 (D. Or. Nov. 13, 2006) (approving an incentive award of $10,000 to one class representative and an incentive award totaling $10,000 for two other class representatives). Class representative awards may substantially exceed the amounts awarded to other class members. See, e.g., Klingensmith v. Max & Erma’s Rests., Inc., No. 07-0318, 2007 WL 3118505, at *2 (W.D. Pa. Oct. 23, 2007) (class members received a food voucher for $4 each while the class representative received an incentive award of $2,500). Some courts have reduced or denied requested incentive awards. See, e.g., Riebstein v. Rite Aid Corp., No. 09-2734, 2011 WL 192512, at *13 (E.D. Pa. Jan. 18, 2011) (approving an incentive award of $1,000 instead of the $3,000 requested; articulating factors that should be considered in analyzing incentive awards); Lane v. Facebook, No. 5:08-cv-03845, slip op. at 10 (N.D. Cal. filed May 27, 2010) (reducing one representative’s award from $15,000 to $10,000 and two other representatives’ awards from $7,500 to $5,000).
The rise of the information age, the proliferation of federal privacy statutes, and the provision under certain of those statutes for private causes of action all ensure that privacy class actions are here to stay. Thus, the plaintiffs’ bar and defendants’ bar will continue to debate the adequacy of the relief to be awarded to the settlement class and the size of the attorney fee awards to class counsel, especially in the context of settling cases where the class members are to receive purely nonmonetary relief. The courts will continue scrutinizing the settlement terms, approving, rejecting, and modifying them as they deem appropriate and reasonable.