Executive Summary

The “data privacy and security” laws refer to a patchwork of federal and state legislation that govern how companies collect, use, share, protect, and discard information. Although the media has publicized a few high profile data privacy and security cases, there is little public information concerning the overall volume and trends of data-related class action litigation.

This report analyzes class action complaints filed against private entities between January and June 2013 (the “period”) to help companies better understand the scope, and frequency, of data-related litigation. The following are key findings concerning complaints filed over this period:

  • A total of 88 class action complaints were filed over the period. The rate of complaint filings remained relatively stable throughout the period.
  • The vast majority of complaints (87%) involved data privacy (i.e., collection, use, and sharing) as opposed to data security (i.e., safeguarding) (13%). This tracks the most recent enforcement pattern of the Federal Trade Commission where data privacy accounts for 88%, and data security 12%, of enforcement actions.1
  • Although the complaints alleged a wide variety of legal theories, roughly 45% related to telemarketing and were brought under the Telephone Consumer Protection Act (“TCPA”). 2
  • While data security and data privacy cases were filed in a wide variety of state and federal courts, the most popular federal forums for plaintiffs were the United States District Court for the Central District of California (11%) and the Northern District of Illinois (11%), and the most popular state court forum was California (15%).
  • In terms of industry sectors, the retail industries (home goods, retail general, and fashion/clothing) accounted for one in four complaints. Almost every industry, however, has been targeted by plaintiffs.
  • 70% of the complaints alleged putative national classes.
  • The leading types of data at issue were consumers’ contact information (25%), text messages (17%), faxes (15%), and credit card related information (14%).
  • Approximately 80 plaintiffs’ firms were involved in data-related litigation. Although several firms were involved in two or more cases during the period, no firm distinguished itself as a “leader” from a volume perspective.

Part 1: Primary Legal Theories

The vast majority of complaints (87%) focused on data privacy related issues – such as the propriety of a company’s collection, intentional sharing, or use of information. Data security – the protection of information from unintentional access or acquisition – was the primary focus in only 13% of complaints.

Click here to view graph.

In terms of specific legal theories, the single largest category of complaints related to alleged telemarketing violations under the TCPA (45%). The second largest category involved statutes that regulate the ability to collect information at the point of sale (17%), such as the California Song Beverly Credit Card Act.

Click here to view graph.

Part 2: Volume of Litigation

A total of 88 complaints were filed during the period, with March having the greatest number of complaints (21), and June having the smallest number (11).

With regard to the breakdown of privacy and security complaints, although there were more privacy complaints in each month, the number of complaints involving data security increased slightly during the second quarter, and the number of complaints involving data privacy declined during the same period. The following chart shows the quantity of litigation throughout the period.

Click here to view graph.

Part 3: Favored Courts

During Q1 and Q2, complaints were filed in 28 different courts. Among federal courts, the Central District of California (11%) and the Northern District of Illinois (11%) received the most complaints. Among states, California (15%) and Illinois (10%) received the most complaints. The following chart provides a breakdown of the courts in which class actions complaints were filed during the period.

Click here to view graph.

Part 4: Litigation By Industry

There is far less concentration by industry category than is seen among other types of consumer class action litigation. For example, whereas the top three industries that are the subject of class action complaints alleging unfair or deceptive trade practices (“UDAP”) account for over 66% of UDAP total complaint volume, the top three industries that are the subject of data-related complaints (home goods (10%), telecommunications (10%), and fashion/clothing or financial services (both 8%)) accounted for only 28% of the complaint volume. See Zetoony & Goldman, Trends in Advertising Class Actions: Second Quarter 2013.

Nonetheless the retail industries – including retail sellers of home goods, fashion apparel, and other items – collectively accounted for 25% of all complaints filed and formed the single largest industry targeted by plaintiffs. The following chart provides a breakdown of complaints by the defendant’s industry.

Click here to view graph.

Part 5: Scope of Alleged Class (National v. State)

As indicated in the following chart, a large majority of complaints (70%) allege a putative class that is national in scope. This diagram treats cases as national in scope so long as a complaint alleges a national class even if the complaint also alleges one or more single-state subclasses.

Click here to view graph.

Part 6: Variety of Legal Theories Alleged

The complaints filed during the period alleged more than 15 legal theories. The leading legal theories involved telemarketing and the TCPA (45%).3

The following chart provides a breakdown of all of the legal theories alleged. The percentages collectively exceed 100% as many complaints include more than one legal theory. For example, a complaint that alleges that a company violated a data breach notification statute and was negligent in protecting information is included in both of those categories.

Click here to view graph.

Part 7: Data Fields At Issue

The complaints filed during the period involved approximately 15 different types of data. The most common data fields were contact information (25%), text (17%), fax (15%), and credit card information (14%). The following chart provides a breakdown of the complaints by the primary data field at issue.

Click here to view graph.

Part 8: Plaintiffs’ Firms

Approximately 80 plaintiffs’ firms were involved in filing the class action complaints during the period. While there were no clear “leaders” by volume of complaints filed for data privacy or data security cases, the following firms filed the greatest number of data privacy complaints during the period:

Bock & Hatch, LLC

Caddell & Chapman

Edelman, Combs, Latturner & Goodwin, LLC

Hyde & Swigart

Kazerouni Law Group, APC

Law Offices of Daniel G. Shay

Law Offices of Douglas J. Campion

Law Offices of Steven E. Kaftal

Leonard Law Office LLP

Lindsay Law Corp.

Meiselman, Packman, Nealon, Scialabba & Baker P.C.

Orshansky & Yeremian LLP

Pastor Law Office, LLP

Whatley Kallas, LLP

Williamson & Williams

Wucetich & Korovilas

Part 9: Methodology

Complaints included within the data analyzed by this report were identified within the WestLaw Pleadings library as containing the phrase “class action,” derivations of the phrases “personal information” or “personal data,” and either the phrase “breach,” “privacy,” “security” or “notice.” For thoroughness, separate searches were run to identify any additional class action complaints filed during the period that referenced the Telephone Consumer Protection Act (“TCPA”), the Children’s Online Privacy Protection Act (“COPPA”), the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”), the Health Insurance Portability and Accountability Act (“HIPPA”), the Video Privacy Protection Act (“VPPA”), the Fair Credit Reporting Act (“FCRA”), and the Electronic Communications Privacy Act (“ECPA”); searches were also run to identify point-of-sale (“POS”) statutes, including the Song Beverly Credit Card Act and Massachusetts General Laws Chapter 93A. These cases were then reviewed for relevance to data privacy or data security issues, and complaints alleging suit against government entities were excluded. As stated above, this report covers those complaints filed in the first and second quarters of 2013.