Part I: First, Check Your Rear-View Mirror

[M]odern enterprise and invention have, through invasions upon . . . privacy, subjected [people] to mental pain and distress, far greater than could be inflicted by mere bodily injury.”[1]

Legal commentators today commonly characterize data privacy and cybersecurity litigation as a “tidal wave”[2] approaching the proportion of a “tsunami.”[3] But consumer privacy litigation is nothing new and recent legislation has so far not meaningfully altered much other than the zeitgeist. Privacy litigation in the United States was borne from the Supreme Court’s recognition that certain privacy rights are fundamental. Indeed, as far back as 1890, Justices Warren and Brandeis predicted that modern advancement and technology would necessarily invade basic privacy interests in ways that would demand legal intervention.[4]

Protection of an individual’s expectation of privacy is a bedrock principle upon which the United States was founded. Americans have always valued and sought to shield their privacy in a variety of contexts. This encompasses the varied privacy rights protected by the Bill of Rights, including the First Amendment (protecting every citizen’s privacy of beliefs), the Third Amendment (protecting privacy of the home), the Fourth Amendment (protecting the privacy of the person from unreasonable searches and seizures) and the Fifth Amendment (with the bar on self-incrimination protecting the privacy of personal information).

The Supreme Court has upheld and reinforced these protections with the recognition of privacy as a fundamental constitutional right, most notably during the Warren Court. In Griswold v. Connecticut, the Court observed “zone of privacy created by several fundamental constitutional guarantees” including those referenced in the Bill of Rights. 381 U.S. 479, 485 (1965). The Court reiterated a similar sentiment in Stanley v. Georgia, declaring that “also fundamental is the right to be free, except in very limited circumstances, from unwanted governmental intrusions into one’s privacy.” 394 U.S. 557, 564 (1969) (citing Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting) (“The makers of our Constitution undertook to secure conditions favorable to the pursuit of happiness . . . They conferred . . . the right to be let alone—the most comprehensive of rights and the right most valued by civilized man.”)).

The Court further embraced and entrenched the right to privacy in the seminal case, Roe v. Wade, announcing that “a right of personal privacy, or a guarantee of certain areas or zones of privacy, does exist under the Constitution.” 410 U.S. 113, 152 (1973). Of course, the Supreme Court has continued to develop and refine notions of privacy well into the modern era, including as to informational privacy, and the Roberts Court. See, e.g., Carpenter v. United States, 138 S. Ct. 2206 (2018) (holding that collecting extensive, historical cell phone location information by the government is a search requiring a warrant).

Numerous federal and state statutes followed the Supreme Court’s early recognition of individual privacy rights to specify the prevention of such things as the mishandling and misuse of certain types of personal information and to decry the surreptitious intrusion into private communications. This is in addition to many states (including California) that specifically recognize the right to privacy in their constitutions. The California Consumer Protection Act (“CCPA”) is just the most recent example. Although some herald the CCPA as marking a new era, many privacy statutes long predate the CCPA and current notions of so-called “data” privacy rights. Exemplary of this earlier lawmaking includes the Fair Credit Reporting Act (“FCRA”), which became effective five decades ago, in 1970.

The FCRA was the first federal law enacted to regulate the privacy of personal information compiled by businesses, specifically credit reporting agencies. Other statutes followed and expanded this statutory protection to ensure the privacy of various additional categories of information ordinarily held in confidence by individuals. Among other things, laws were passed to protect private information in the context of healthcare (the Health Insurance Portability and Accountability Act (“HIPAA”)). In the present context of discussing data privacy rights, it is also especially noteworthy that more than two decades ago Congress passed the Children’s Online Privacy Protection Act (“COPPA”) to protect data accessible online relating to users aged children 13 and under.

States have also enacted special protections of privacy rights, with some predating even early federal action, such as the California Confidentiality of Medical Information Act (“CIMA”) and the California Invasion of Privacy Act (“CIPA”) passed in 1967. Like the CCPA garnering so much attention today because of its purported novelty, these laws enacted more than 50 years ago were passed to protect against the “invasion of privacy resulting from the continual and increasing use of [modern] devices and techniques” that were perceived to “create[] a serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society.” Cal. Pen. Code § 630.

The CCPA may be a new statute targeting data privacy, but its future enforcement and the anticipated strategies for handling it in litigation can be relatively easily divined by those who are knowledgeable about and fluent in the decades-old privacy laws that have already been litigated and shaped by the courts.

History teaches us that the enactment of privacy laws precedes the birth of novel consumer privacy litigation. In this context, the identification of the CCPA as preordaining a tidal wave of data privacy litigation is unsurprising and no different from how other privacy laws greeted the courts. For example, after the passage of the FCRA in 1970, individual plaintiffs promptly invoked the statute to seek relief in court.[5] Since its early beginning, FCRA litigation has since grown from single-plaintiff actions to a class-action machine with nearly 5,000 FCRA cases filed in federal court in 2019 alone—an 8.9 percent increase in filings over 2018.[6] Although many ambiguities and legal questions lurk in corners of the CCPA, a good student of history enjoys superior tools to predict, prepare and pivot in the face of litigation premised upon this new statute.

In Parts 2 and 3, we will discuss the evolution of some of these defense theories in consumer privacy litigation—both successful and unsuccessful—and what types of defense theories can be expected in the years to follow this evolving “data” privacy litigation battle. We will also discuss novel prosecution theories that could surface in the coming years, especially from competitors.