Taking a Broader Look at Privacy Remedies

By TAP Staff Blogger

Posted on June 15, 2021


Divisions over two enforcement issues—private right of action and federal preemption—have long gridlocked the effort to enact federal consumer privacy legislation. A look at regulatory systems outside the privacy field, however, reveals a complex landscape of enforcement mechanisms and remedies, many of which have not yet received much attention in the privacy debate. Insights from financial services regulation, environmental law, labor law, and other fields may offer ideas for assembling an effective web of enforcement for a federal privacy law.
- from “Breaking the Privacy Gridlock: A Broader Look at Remedies” by Jim Dempsey, Chris Hoofnagle, Ira Rubinstein, and Katherine Strandburg


In late 2020, privacy experts Chris Hoofnagle (Berkeley Center for Law & Technology), James Dempsey (Berkeley Center for Law & Technology), Ira Rubinstein (Information Law Institute, NYU), and Katherine Strandburg (New York University School of Law) convened workshops with experts from financial services regulation, environmental law, labor law, intellectual property, and other fields in order to explore enforcement and remedy structures that may be useful in developing federal consumer privacy legislation. The resulting paper, “Breaking the Privacy Gridlock: A Broader Look at Remedies,” shares their findings.


The authors state, “We find that, to a remarkable degree, the realization of public policy goals often depends on enforcement mechanisms and remedies that have not yet received much attention in the privacy debate. These tools applied in other arenas may offer ideas for assembling an effective web of enforcement for a federal privacy law.”


Below are a few excerpts from “Breaking the Privacy Gridlock: A Broader Look at Remedies.”


Efforts to Enact Comprehensive Federal Privacy Legislation


For years, efforts to enact comprehensive federal privacy legislation have been stymied by all-or-nothing attitudes toward the paired issues of individual enforcement (private right of action) and federal preemption (whether federal law should set a ceiling on state law). As Cam Kerry and John Morris note in one of the leading efforts to advance resolution of the privacy conundrum, the two issues can be “article[s] of faith on both sides” of the debate. [See Cameron F. Kerry, John B. Morris, Jr., Caitlin Chin, and Nicol Turner Lee, Bridging the gaps: A path forward to federal privacy legislation, Brookings, June 3, 2020]


Looking Beyond the Field of Information Privacy


Fine-tuning private right of action and preemption may indeed be the path forward. But a look at regulatory structures outside the field of information privacy shows just how narrow the scope of the privacy debate is. In other regulated fields, from environmental law to financial services, public policy is enforced by mechanisms that go far beyond formal administrative complaints and private lawsuits for damages. These other enforcement options include licensing, permitting and other forms of approval, agency monitoring (as opposed to investigation), citizen suits seeking injunctive relief, information disclosures, creative means of estimating damages, and use of third-party intermediaries or gatekeepers to enforce policy.


The Supervision Model of Enforcement


Most large federal regulators have authority for some combination of both supervision and investigations but, for many large agencies, monitoring is the primary form of enforcement. The Federal Trade Commission [FTC] is an outlier in this regard because it was designed to rely primarily on investigations led by lawyers. Over time, the FTC has developed more supervision-like activities, although their use generally comes only after investigation and complaint, and there are concerns that the third-party assessments the FTC relies on are not very rigorous.


Most monitoring agencies have at their disposal a graduated continuum of enforcement options, and at many agencies, the options most frequently exercised are those outside the court system.


The supervision model may be well-matched with two relatively recent changes in the overall approach to government regulation: the emphasis on public-private collaboration or cooperation and the rise of compliance departments inside corporations.


Information Disclosure


Information disclosure can also be an effective part of a policy enforcement system. Sometimes, a policy of information disclosure can lead private actors to voluntarily solve a problem in some market-based way. Information disclosure can also support enforcement goals by providing warnings or through admissions of wrongdoing.


Like all of the enforcement measures discussed here, disclosure alone is not sufficient. Consider cybersecurity: California’s breach notification law became effective in 2003, and by at least 2010, breach notification was de facto a national standard. Breach notice has probably changed corporate behavior by reducing unnecessary collection and storage of sensitive data such as Social Security Numbers, but few if any would claim that a decade of breach notices has created sufficient incentives for information security.


Environmental Law


Environmental law has adopted innovative ways of dealing with small, collective and intangible harms. As a baseline, there are statutory requirements, such as emission limits, that the government enforces with administrative orders and penalties and with civil actions for injunctive relief and monetary penalties. The adoption of specific standards enforced by the government rather than individual plaintiffs overcomes the causality and harm problems that limited traditional tort remedies, because the government does not have to show harm, just that the prescribed limits were violated. Environmental law also includes market-based regulation through, for example, emission fees. The environmental field also relies heavily on self-regulation overseen by regulators.


Another interesting approach in environmental statutes is the concept of natural resource damages. This allows for the measurement of collective and intangible harms, sometimes using contingent valuation methodology.


Gatekeepers and Third Parties


Many regulatory systems rely on private sector enforcers, such as certification bodies, self-regulatory organizations, accountants, lawyers, and other “gatekeepers.” In recent years, the use of gatekeepers in the financial services sector has expanded and, moreover, has changed in that large financial institutions have themselves been enlisted as gatekeepers, regulating the conduct of their third-party service providers. Gatekeeper regimes have become quite explicit and extensive in other key sectors, including information technology, oil, and pharmaceuticals, where regulators in each of these industries have put leading firms on notice about their responsibilities for third-party oversight. As Prof. Rory Van Loo has written, “policymakers have begun relying on third-party enforcement by the real gatekeepers of the economy: the firms who control access to core product markets.”


For example, after the Cambridge Analytica scandal, the FTC privacy settlement with Facebook required Facebook to safeguard what happened to users’ data even after it reached a third party’s custody. So now, if an app developer is not behaving, Facebook is expected to bring it into line or shut the gate, meaning cutting off the app’s access to Facebook. This type of requirement dates back at least to the 2011 Resellers case, in which the FTC required data brokers to oversee the security practices of the mortgage companies to which they sold consumer data.


Compensation Versus Deterrence


In many fields, including, for example, contracts, intellectual property, and consumer protection, the law of remedies draws a distinction between compensation and deterrence. In some schemes, such as commercial contracts, remedies are focused on compensation for breaches, not their deterrence. Indeed, one view of contract law is that its remedies structure allows, even encourages, “efficient breaches,” so long as the injured party is compensated for the harm it suffered. However, consumer contracts are treated differently. In the consumer context, both the common law of fraud and false advertising and the statutes on unfair and deceptive trade practices have remedies structures that are designed to deter wrongdoing.


The overarching point that emerges from a consideration of damages in these fields is that the remedies must be linked to the goals. The first question must be whether the goal of the system is compensation or deterrence. A compensation-based regime will probably not be effective in deterring undesirable conduct.


Class Actions


The consumer class action has been hotly debated for decades, with studies on both sides. We cite recent evidence that class actions do generate both specific changes in business practices and general deterrence of wrongdoing. Recent studies have also found value in approaches that ensure monetary relief is actually paid to individual consumers. Some recent privacy and data security class actions have resulted in settlements imposing only injunctive relief (plus attorneys’ fees).


Aside from damages, discovery is an important element of class action lawsuits, as discovery often helps plaintiffs understand how data are actually collected and used. Several high-profile cases in recent years became more credible as a result of the discovery process unearthing practices that differed from companies’ public statements.


Policy Goals


Remedies should be tied to policy goals: Before developing a system of remedies, policymakers should define their goals and then any assessment of remedies should consider whether they advance a desired policy goal. Considering remedies through a deterrence theory framework makes it easy to see just how complex and interdependent the remedies necessary to promote even a single policy goal may be. Different policy goals may require different remedies.


Read the full article: “Breaking the Privacy Gridlock: A Broader Look at Remedies” by Jim Dempsey, Chris Hoofnagle, Ira Rubinstein, and Katherine Strandburg.


Read More: “A Broader Look at Privacy Remedies” by Jim Dempsey, Chris Hoofnagle, Ira Rubinstein, and Katherine Strandburg (Lawfare, April 7, 2021).


About the Authors


Chris Hoofnagle is Professor of Law and of Information in Residence at the School of Law and an Adjunct Full Professor at the School of Information, University of California, Berkeley. Additionally, he is a Faculty Director of the Berkeley Center for Law & Technology. Professor Hoofnagle helps students from different disciplinary perspectives understand the effects of law on technology. He teaches cybersecurity, privacy, consumer protection, forensics, and seminars on new technologies.


James Dempsey is the Executive Director of the Berkeley Center for Law & Technology. He has been a leading expert on privacy and Internet policy for three decades. In addition to his role as BCLT Executive Director, from August 2012 through January 2017, Mr. Dempsey was appointed by President Obama to serve as a part-time member of the Privacy and Civil Liberties Oversight Board (PCLOB). The PCLOB is an independent federal agency charged with advising senior policymakers and overseeing the nation’s counterterrorism programs.


Ira Rubinstein is a Senior Fellow at the Information Law Institute (ILI) of the New York University School of Law. His research interests include Internet privacy, electronic surveillance law, big data, voters' privacy, EU data protection law, and privacy engineering. Mr. Rubinstein lectures and publishes widely on issues of privacy and security, and he has testified before Congress on these topics on several occasions.


Katherine Strandburg is the Alfred B. Engelberg Professor of Law at New York University School of Law. Her research considers the implications of user and collaborative innovation for patent law and of “big data” for privacy law. An expert in patent law, innovation policy, and information privacy law, Professor Strandburg is particularly interested in understanding how the law in these areas might accommodate and reflect the importance of collaborative and emergent collective behavior.