A Compelling Outcome: Using Arbitration Agreements to Limit Liability in Data Privacy Class Actions

Publication year: 2021

Myriah V. Jaworski*

Abstract: Data privacy class actions are proliferating. Defendant companies may find an effective defense strategy is moving to compel individual arbitration. Not all contracts have the appropriate language, however, and, even if they do, they may not succeed. This article discusses U.S. privacy litigation and case law on compelling arbitration of class claims in the privacy law context, with recommendations for businesses to improve their chances of securing court orders that enforce arbitration language in their agreements.

In 2002, California couple Vincent and Liza Concepcion entered into a contract with AT&T for cellular telephone service, a contract that would change the arbitration and class action landscape for consumers across America for decades to come. After learning that AT&T charged a sales tax on the phone it advertised as being "free" with the service plan, the Concepcions filed a lawsuit that was consolidated into a class action with other lawsuits against AT&T alleging that the practice was false advertising and fraudulent. When AT&T moved to compel the Concepcions to arbitrate their claims individually under their service contract's dispute and arbitration provisions, the District Court and Ninth Circuit agreed with the Concepcions that to do so would be harsh, unconscionable, and in violation of a California state law rule.

The Supreme Court, however, rejected the lower courts' decisions and held that the Federal Arbitration Act (FAA) preempted the California state law rule and other laws that run counter to the FAA's goals. According to the Supreme Court, the FAA expressed clear congressional policy to "enforce[] arbitration agreements according to their terms so as to facilitate streamlined proceedings," and that to require class action arbitration would "interfere[] with fundamental attributes of arbitration and thus create[] a scheme inconsistent with the FAA."1 Under Concepcion, the Supreme Court directed lower courts to "ensur[e] that private arbitration agreements are enforced according to their terms."2

The intervening decade has seen a rise in privacy class action litigation throughout the United States. As technology and the business use and processing of personal information continue to proliferate, and ransomware and malicious hacks of business networks increase, individuals have become increasingly aware of the business value of their data and the potential associated risks. Although litigation against large tech companies commonly makes headlines, a large percentage of data breach and consumer privacy litigation is against small and medium-sized businesses and cuts across industries, with consumer brands, hospitality, health care entities, fintech, and even cannabis businesses being targeted.

To date, one of the most effective defense strategies to avoid these claims has been moving to compel individual arbitration, where the right to do so was available to a defendant. But not all defendants have appropriate language in place in their contracts and policies, and even where it is available, some jurisdictions and subsequent Supreme Court case law may require that substantive and procedural safeguards exist so that arbitration is not unconscionable under applicable state law or case law. The following discusses privacy litigation in the United States and recent case law on compelling arbitration of class claims in the privacy law context, with recommendations for businesses to follow so as to maximize the likelihood that a court will enforce arbitration terms in their agreements.

Privacy Litigation: Data Breach and Data Misuse Class Actions

In general, data breach and consumer privacy litigation concern a business's use and safeguarding of personal information.

State and federal law definitions vary, but the term "personal information" is ordinarily defined to include everything from sensitive genetic and biometric information or health care and banking information to driver license and social security numbers and consumer email addresses, user names, and passwords. Personal information can include information gathered from consumers in the business-to-consumer context, but also includes information from employees, account holders or members.

Currently, every state has a state data breach law that requires businesses to notify individuals and regulatory bodies in the event of a regulated data breach where personal information has been accessed by a third party. Some of the state data breach laws also require businesses to have reasonable security measures in place to safeguard personal information. In addition to relevant state laws, federal laws exist that govern the use of certain types of personal information—personal health information or personal financial information—by certain entities such as health care companies, insurers, or banks.

After a business experiences a ransomware attack or network intrusion by an outsider able to access and exfiltrate personal information, state law may require the business to notify consumers whose information was accessed in the breach. Class action data breach litigation, which may follow receipt of such notification, commonly includes allegations that a business did not use reasonable security measures to safeguard the personal information on its network, and that the information was subsequently exposed in a data breach or ransomware attack, and that the individuals suffered some harm that can be addressed on a class-wide basis.

Common claims in a data breach lawsuit include negligence, misrepresentation, breach of contract or privacy policy, privacy torts such as invasion of privacy, and violation of state consumer fraud statutes that may apply. Class size varies depending on the business type and industry, but it is not uncommon for larger data breach lawsuits to allege a class that includes millions of potentially impacted persons. Data breach actions have seen varying levels of success, with actions involving sensitive data (i.e., social security numbers or medical information) generally more likely to proceed past initial motion practice than those actions where less sensitive data (i.e., payment card numbers) was at issue.

In contrast, data misuse litigation includes allegations that a business failed to disclose it was collecting personal information from the individual or to obtain consent to do so where required, or to disclose how it was sharing personal information with third parties. For example, a common theme in data misuse litigation is that the business shared personal information with a third party for a commercial purpose and without disclosing in its privacy policy that the information was being collected or shared at all. Data misuse litigation will often allege that a business's external-facing policies and terms of use were misleading and...
