Serious Privacy

Let's go Big: Privacy Class Action Lawsuits

September 21, 2023 Dr. k royal and Paul Breitbarth Season 4 Episode 34

On this episode of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal discuss privacy class action lawsuits, featuring articles and information from Richard Sheinis of Hall Booth Smith and Lisa Jaffee of Hiscox Insurance about the class action “kill chain,” and one from Miller Nash by Brian Esler and Eva Novik on the new wave of class action lawsuits, featuring the Video Privacy Protection Act - and of course, mentioning our friends Ian Ballon of Greenberg Traurig and Constantine Karboliotis.

If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Please note this is mostly an auto-transcription. For accuracy, listen to the audio.

[00:00:00] Paul: The data protection laws are enforced by regulators, data protection authorities, oversight bodies, and what have you, and through individual court cases. But it seems there may be a new sheriff in town, the class action. Both in the US and the European Union, and especially here in the Netherlands, class actions to fight data protection violations and get satisfaction as well as some damages for individuals are on the rise. Therefore this week K and I give our unfiltered and, to be honest, sometimes also educated views on class actions and what they could mean for data protection compliance. My name is Paul Breitbarth.

[00:00:49] K: And I'm K Royal, and welcome to Serious Privacy. Paul and I are going to jump right in this week, so I've got an unexpected question. What color... would you like to paint your office?

Or what theme? Let's go with that. What theme do you like for your office? What puts you in a productive, working, relaxed kind of atmosphere?

[00:01:12] Paul: Light colors in any case. And you shouldn't look at my current office, but it should be sort of tidy. Because an empty desk is an empty mind, right? Or so they say, but I'm actually not, not at the stage that I'm designing my new office yet. That's something that's still coming. But probably it will be blues and greens.

[00:01:34] K: Blues and greens, I like that. I'm taking a picture of our screenshot to see our current offices.

So look


[00:01:41] Paul: Well, yours is yours is hardly an office, right?

[00:01:44] K: Yay! Got it. Okay. Mine, interestingly enough, I usually like cream and gold and for some reason that just puts me in the right mood. And my last office, as you know, had peacocks in it as well as cream and gold, so that will probably stay standard. But back at Align Technology, I had like a six foot set of women's eyes on the wall.

You remember our original? Well, actually that was before you. I had this huge set of eyes on the wall that were just the eyes and I like it. So I'm actually looking for a new set of eyes that I can put on my office with cream and gold and it probably still have something peacock as the accent colors in it.

[00:02:27] Paul: Well, you know, if we would ask Constantine, you would get a pair of googly eyes, right? For your office.

[00:02:32] K: Right, exactly. He sent me a custom set of googly eyes to put on, but I think that that is a great segue into talking about class actions because that's where eyes are on the company, right? Hey, I pulled that one out good.

[00:02:47] Paul: Yeah, that was a nice bridge.

[00:02:50] K: But seriously though, Paul and I decided today we will talk about class action lawsuits. I'll be honest. I don't really know how class action lawsuits work in other legal jurisdictions. I have never been an attorney at a law firm, never had to work with that kind of thing, but I do know how they work here in the U.S.

[00:03:10] Paul: I'll have to sue you now.

[00:03:13] K: No! Especially not when we're talking class actions where you bring in everybody else that wants to sue me too. I am, what do they call it? Uncollectible, ungarnishable.

But no, seriously. So this has really become a big issue in privacy, having the class action lawsuits. Now, California has made it a lot easier here in the U.S. because there is a private right of action under California if a company has a data breach that involves the consumer, you. You no longer have to prove harm.

You have a statutory right of action. However, it does say in the law that you cannot use the CCPA for anything else. You can't rely on a class action for they didn't have this process in place or they didn't answer my data subject access request only related to privacy breaches. That hasn't stopped the class action lawsuits.

A great guest that we should have had for this would have been Ian Ballon. I love working with him and talking with him about class action lawsuits. We've had them on webinars before which I trust are absolutely fabulous. But, that is one of the things that we look at is, you know, what else are lawyers looking as a basis for a class action if the CCPA says they cannot use that?

There's also the provisions of the unfair and deceptive trade practices that every state has its level of that as well. And they try to rely on privacy laws as the standard of care, I guess, if you will, to show what a company should have in place as the basis of a lawsuit, even if they're not relying on the law as the foundation of the class action.

[00:04:53] Paul: So, on the European side, it is it is different because, of course, here we have we have legislation country by country and they vary. There is an overarching. Yeah, I mean, there is an overarching European rule, that all member states will need to implement or should have implemented already on class action claims.

And of course, under the GDPR, we have Article 80, which allows for the representation of data subjects also by not for profit bodies, organizations, or associations. That can, that can file a claim on behalf of a whole group of people. Currently, when you look at data protection class actions, the Netherlands is actually quite a hot jurisdiction because we have already implemented, I believe in 2020, the European directive for class action claims or mass collective claims.

It's called the, the WAMCA, W A M C A, that's, that's our national law and it's being actively used to mainly go after big tech. So there are three, at least three cases that go after TikTok asking for damages somewhere in between five and five thou... 502,000 euros. There were ones going after Oracle for all kinds of online advertising.

But earlier this week one of the national consumer organizations filed a mass action claim on behalf of 82,000 people against Google, again, for online advertising and over collecting personal data. And yesterday, another group filed a, a mass filed a collective claim against 10,000 people against Twitter for continuous privacy breaches.

So it's mainly Big Tech. 

[00:06:41] K: Yeah. They go after the ones with the deep pockets, let's be honest. They go after the ones with the deep pockets.

[00:06:47] Paul: That's true, although they cannot be for profit claims and they can also not be, what do you call it? The, the vexatious claims or the fun claims. So there needs to be really something to it in order to be able to file a, a collective action claim here in the Netherlands or in general in, in Europe.

And you need to also demonstrate that indeed some sort of damages were done.

[00:07:10] K: Got it. So, here we were actually looking, I was pulling up some websites that track the class action data breaches. And I came on one, this one was in Bowman v. T-Mobile, the T-Mobile class action. T-Mobile notified class members on January 20th and the class action was filed on January 22nd. Now, if I know class action lawyers, that was slow.

[00:07:35] Paul: Two days is slow.

[00:07:36] K: Yeah, I think they would have expected it to be January 21st, but supposedly, you know, they, they have work to do to put this together. And funny enough one of my friends from high school is a class action lawyer now. Surprised me, didn't surprise me he's a class action lawyer. Trust me people, class action lawyers are a whole different breed.

They, they live and breathe law on a different level and the things they have to deal with. So, but it was interesting to find out that he went to law school much later in life like I did. We reconnected, I don't know, about 10 years ago and found out we were both lawyers. So that was pretty interesting, but he's a class action lawyer.

So I tried to learn some information from him as well. But there are some that

[00:08:17] Paul: I'm just surprised that they filed a class action suit within, within a couple of days of the breach. I mean, if I just look at, at due process that you have to go through here in the Netherlands and find the funding and get an external supervisory board in place and all the checks and balances.

You would never be able to do that within the two days let alone in two weeks or two months. It, it, it takes quite a bit longer than that. Mm

[00:08:46] K: Well, I'm going through this wonderful article. I'm not going to pretend to be an expert on this myself. I'm going through this wonderful article in the New York Law Journal written by Richard Sheinis and Lisa Jaffe, should recognize at least the name Lisa Jaffe, written in June of this year, or published in June of this year, and they say there are three defenses in the data breach class action kill chain: Article 3 standing, class certification, and causation. So the first line of defense to dismiss a class action (which tells you have to have these things as well, think about it in reverse) is Article 3 standing.

So Article 3 of the U.S. Constitution has been interpreted to require that you have to have standing to bring a lawsuit, which means you have to have an injury in fact. Now, this is what we were saying about California. You don't have to have an injury in fact.

You have a statutory right to file a suit. In class certification, oh, and the injury in fact reminds me of the lawsuit in Texas that I believe the judge determined they did have standing because the, this was in a, I believe it was a TCPA where you got a lot of texts and they were complaining against the person for all the texts they were receiving even though they were opting out, and the judge said they did have injury in fact because it drained the battery life of their phone.

[00:10:09] Paul: Oh, wow.

[00:10:10] K: So people get creative. The other is class certification. Federal rules of civil procedure here in the U.S. requires the plaintiff and the members of the class to meet the requirement of commonality, typicality and predominance in order to be certified. They have to have suffered the same injury.

They have to have the questions of law or fact common to the class members predominate over any specific questions to those individual members and that the alleged damages are experienced for each of them. If they have different degrees of damages, this might result, and I'm reading verbatim, might result individualized causation determinations rather than qualifying for class certification.

So the third one is causation. The third part: were the alleged damages caused by the breach? Now, nowadays it's really, really hard if you experience identity theft or fraud to be able to tie it to a specific breach. There have been so many breaches. How could you possibly decide that this set of harms was caused by this specific breach?

[00:11:22] Paul: Yeah, causation is very difficult. That's true.

[00:11:25] K: That's almost impossible.

So it was, it was very good. So I enjoyed that. And then I was looking up, there is a data break, a database of class action where you can identify where some of the more recent data breach class actions have occurred. So I'll look that up before we get off. But there are, I mean, under California, I think the number was well over 100 up to 200 above that by now.

So, and it takes years to settle a class action. And typically they settle, and I believe in the T-Mobile one, maybe it was a prior one that settled. Each person got something like a dollar and 82 cents.

[00:12:06] Paul: Count yourself lucky. Yeah.

[00:12:07] K: Right, so a lot of the privacy class actions have settled because it really is very expensive to go through a class action litigation. They hope to get them dismissed up front by arguing over these particular elements. I'm assuming, given the list you gave of... Was it Norway?

[00:12:25] Paul: No, here in the Netherlands.

[00:12:27] K: Okay, so in the Netherlands. So with the list you gave up there in the Netherlands of the things they have to meet with the lawsuit, if they don't meet them, and I'm assuming they can try even if they don't specifically meet them and the lawyers can have a difference of opinion as to whether they met them or not and then a judge determines whether or not it can proceed, do you have to certify as a class action there as well?

[00:12:48] Paul: Mm hmm.

Well, to some extent, I mean, you need to go through a first phase and there the, the class action can still be dismissed. I don't believe it's exactly the same as the certification that's required in the U.S.

[00:13:04] K: Okay.

[00:13:04] Paul: a judge really needs to say, okay, all of these people are actually approved to be part of the lawsuit.

[00:13:11] K: Okay.

[00:13:12] Paul: And that is also what you see because we had under the GDPR already a case, obviously it was Meta. Who else would be in court for GDPR violations than Meta, I would almost say. But this was a case last year against... a German consumer organization again before the Court of Justice of the European Union.

Meta claimed that the consumer organization was not actually mandated by its members to file this claim in court. So this was more the representative action than the class action. But also there, the court said, no, a consumer group can indeed file a claim on behalf of all of its members in court, even if there is no specific mandate for this specific lawsuit.

So, I think that's already where you see some difference with the class certification, where every individual, basically, would need to sign documentation that they would be part of this lawsuit and that the court reviews that and puts a stamp of approval on that. So, I think it works slightly different.

But then again, my whole impression and my whole understanding of US based class actions comes from the film Erin Brockovich. So, I'm not sure how legally accurate that would exactly be.

[00:14:24] K: Believe it or not, that is only one of two movie stars I've ever been accused of looking like. It's Julia Roberts and I can find pictures that can show it to be true. There's millions of pictures that show it's not true, but I can at least find one or two, typically when I was 50 pounds ago, but we'll leave that one alone. But I will say that it is interesting because there's a, there's a trend, and we talked about it earlier on, there's a trend to find other ways to bring a privacy mishap into a class action lawsuit without relying on privacy law per se, because we don't have a federal privacy law.

How do we fit it under these other archaic laws? And so there's this wonderful article by Miller Nash. The, the two authors are Eva Novick and Brian Esler. They have this wonderful article. It came, I mean, it's just like a little blog regardless, but I always find it very instructive here. They referenced the recent trend of going on the Video Privacy Protection Act and suing under the pixel, the Meta Pixel, if you remember, on the website we talked about.

So, the Video Privacy Protection Act came out way back when. Think about Blockbuster and all of those where you, you went and rented videos. And the law came up because there was a video rental history of some of the Congress people and they didn't like that going public. So, which reminds me,

[00:15:48] Paul: That could have been.

[00:15:49] K: Men in Black in the back. But regardless, it has this up here, but it is 2,500 per violation and so they are now, this is now coming back up, against Meta Pixel. There was at least one company that settled a 2.6 million class action settlement under that. They're also suing under, and I've heard this before too, the federal wiretapping and eavesdropping statute, saying that collecting chats and everything like this, and funny enough, and I don't remember the specific circumstances, but there was a company I was working for that we actually got an inquiry in asking, one, did we have protections against the VPPA and two, the federal wiretapping and statutory?

And it was the first I had heard that companies were suing under chat messages under the federal wiretapping statutes. That was a few months ago. and it was interesting because my response back was, Well, that's interesting.

We'd have to see how that would work. Apparently there's some class action lawyers who have figured out how that worked. I'm not sure my logic agrees with theirs. It's always worth a try, right?

The takeaways from this is that they're saying for these two specific takes on it, the VPPA and the wiretapping, is that if you conspicuously display mandatory arbitration policies and class waivers, you can be more successful in compelling arbitration or dismissing class actions on such claims.

I'm taking that point of advice to home right now. You have to be specifically engaged in the business of providing audio visual materials to be covered by the VPPA. So the Meta Pixel for your various little videos on the website shouldn't. And state laws, again, as you say, differ on who consents and who's participating as a direct party for the purposes of wiretapping and eavesdropping.

Here in the United States, we have a division between a one party consent state and an all party consent. You don't go by a two party consent. It's all parties. Either one party in the conversation can consent for everyone, therefore recording it is legal, or all parties. All parties in the conversation have to consent in order for the recording to be legal and to stand up in law.

Now, of course, you can use those recordings for things other than evidence in a case. So you might still want the recording, it's just it's not legal to produce as evidence. And might actually violate, you know, their privacy, which of course you have no lawsuit you can file for that unless you can prove harm, so.

[00:18:31] Paul: So if there are so many alternatives for class action suits and for suing data protection violations, even without a federal data protection law.

[00:18:42] K: Yeah, is a good one.

[00:18:43] Paul: Yeah, but if there are so many alternatives, then... why is there such a fuss about a private right of action if it already exists without a law being present? And

[00:18:52] K: Well, I guess because it's really hard to get a privacy class action to go through, you have to find some sort of way to wiggle and wade yourself through the laws. And to be honest, these things are, what's the right word? Detrimental, catastrophic to the companies when they attach. Which is why a lot of them settle, but they settle for high amounts of money.

And of course the individual class action people in the class action don't get very much at all, but the law firms get their lucrative amount from it. So of course they're all up for it, and I'm not saying they're doing a bad thing. They're literally taking something the company did wrong and filing a lawsuit on them, but they can be catastrophic. 

[00:19:32] Paul: Class actions are a business model in themselves as well, right? Because it is very expensive to mount a class action because it's a lot of legal work required up front. You don't know what the outcome will be. It is usually on a no cure no pay basis, with the individuals part of the class just registering but not paying anything, so because they typically would pay out of any gains that are made or any damages that are being paid at the end of the trajectory.

So there are quite a few companies out there whose whole business model is just to fund class actions

[00:20:10] K: Yeah.

[00:20:11] Paul: hope to be compensated by the benefits of it

[00:20:14] K: Well, I just pulled up a list of some, so here we go, of what's listed. These are on topclassactions.com. And you can search for words, and so I just looked for privacy, and I'll tell you the ones that come up. Military.com Facebook privacy, 7.35 million class action settlement, up to 30, deadline is October 24th. Standard market, the BP, the BIPA, the biometric one, 1.25 class, 1.25 million class action settlement, 750, deadline October 18th. The Froedtert Health Inc. Meta Pixel, 2 million class action settlement, to be determined, deadline October 5th. Instagram, BIPA, for the biometrics, 68.5 million, settlement to be determined, deadline October 27th. UKG Kronos, 6 million class action settlement, settlement is 8,500.

That's a lucrative one, see if you're part of that one, deadline October 3rd. Equifax Data Breach Class Action Settlement, 20,000, deadline 122 of 24. So, that's not a list of all those that are filed. That's a list of those that have settled.

[00:21:33] Paul: Which is still quite a lot. So yeah, there is, there is a lot of money in class actions and the impression, at least this side of the Atlantic, in some of the conversation is that we will see more of these and not just because of the money, but also because it might be a faster way actually to get some sort of compensation and agreement from companies, satisfaction, indeed, from companies actually breaching data protection laws and maybe faster than ever.

Mm hmm. Going through the whole rounds of a DPA complaint and then the investigation and then the consistency mechanism and then the dispute resolution from the consistency mechanism and then appeals in court,

[00:22:15] K: Well, yeah, because you've got someone on the other side, at least the class action lawyers that are driving the process forward faster rather than someone who doesn't have a motivation to actually seek a lot of funding and court time.

So yeah, anyway, we'll close it out. We'll put the links to the resources that we have available for class actions. Statistics show you might very well be involved with your company facing a class action settlement, especially if you have a breach, keep your eyes open for that.

[00:22:46] Paul: Yeah, it is certainly something that companies need to be aware of that the danger or the risk from non compliance is not only with the Data Protection Authority anymore, and certainly here in Europe with those class action laws becoming coming into force across all of the member states. This is something that you seriously need to consider if something goes wrong that you may also be facing a class action for data protection breaches under the GDPR.

[00:23:15] K: Absolutely. And we would love to hear from any of our listeners that are in other countries that could speak up and let us know, you know, your challenges and opportunities with class actions in your country as well and how those work. We simply can't, I mean, that's one area Paul and I can't speak to.

We're not litigators.

[00:23:33] Paul: Well, I mean, we can speak to it, but not with any authority.

[00:23:36] K: Not with any authority or experience whatsoever, but we can speak to it, exactly. But I was talking about especially in other countries as we have. So I'd love to have the perspective of other people. But with that, Paul, close us out.

[00:23:47] Paul: Yeah, I wanted to say just join the conversation for this on LinkedIn. You'll find us under Serious Privacy. And as always, thank you for listening to yet another episode of the podcast. You'll find K on social media as @HeartofPrivacy, myself as @EuroPaulB, and the podcast as @PodcastPrivacy.

Until next week, goodbye.

[00:24:06] K: Bye, y'all.