PRIVACY QUI TAM.

• Author: Ormerod, Peter

INTRODUCTION 268 I. PRIVACY LAW IN THEORY & IN PRACTICE 276 A. Recent Developments 276 B. Criticisms 278 1. Structure & Ideology 278 2. Enforceability 279 II. CONVENTIONAL ENFORCEMENT'S SHORTCOMINGS 281 A. Public Enforcement 281 1. Underenforcement 282 2. Ineffective Remedies 289 B. Private Enforcement 292 1. Adhesion Contracts 294 2. Standing 298 3. Class Certification 303 III. QUI TAM ENFORCEMENT 307 A. Examples 307 1. Older Qui Tam 308 2. Newer Qui Tam 312 B. Privacy Qui Tam 315 1. Social Theories of Privacy 316 2. Proposal 318 a. Purposes 8c Findings 318 b. Scope 319 c. Process & Model 319 d. Penalties 8c Remedies 321 e. Federal vs. State 322 f. Severability 323 C. Virtues 324 1. Public Enforcement 324 2. Private Enforcement 8c Other Qui Tam Enforcement 325 3. Operationalizing Privacy Theory 327 D. Criticisms 328 1. Implausible 8c Unprecedented 328 2. Alternatives 330 3. Article II 332 CONCLUSION 334 INTRODUCTION

The conventional wisdom is that privacy law is undergoing a revolution. In 2018, the European Union implemented the General Data Protection Regulation (GDPR) and California enacted the California Consumer Privacy Act (CCPA), (1) and these legal regimes impose a host of novel duties on companies that profit from users' information. (2) Others soon followed: Virginia, Colorado, and Utah enacted omnibus privacy laws, (3) and California later supplemented its earlier law through a ballot measure. (4) Nevada, Vermont, and Maine enacted more targeted proposals. (5) Nearly a dozen comprehensive privacy bills have been proposed in Congress, while most statehouses are debating similar measures. (6)

But this revolution is only a facade. Informational businesses have proved remarkably unaffected by these new privacy laws. Digital advertising revenue soared to a record $189 billion in 2021, a 35% annual increase and up 591% since 2011. (7) Surveillance-based businesses have frequendy reported record-shattering earnings and profits. (8) An average person encounters as many as ten thousand advertisements every day, many of which are the byproduct of pervasive surveillance both online and off. (9) Companies nevertheless seek ever more exotic ways to surveil us, and they demand ever more places to insert algorithmically determined and user-specific commercial messages--despite high-profile mishaps. (10) Prominent enforcement actions are bottle-necked inside a small number of industry-captured regulators, and even successful actions have extracted disappointing penalties and underwhelming concessions. (11) Privacy scholars have condemned even the newest and strongest regulations as insipid, porous, and ineffecive. (12) To the extent that new privacy rules have affected informational businesses' bottom lines, privacy law has had next to nothing to do with it. Instead, corporate-imposed mandates have had a limited effect on profit-driven surveillance, (13) and companies are successfully finding ways to circumvent even these modest restrictions. (14)

Privacy scholars are increasingly investigating why privacy law is proving so toothless. (15) The tenuous relationship between privacy law in theory and privacy law in practice is a multifaceted problem, and one crucial component of this phenomenon concerns enforcement. (16)

Most privacy laws are publicly enforceable: a governmental entity is charged with pursuing lawbreakers. For example, the European Union's and California's new privacy laws are both publicly enforceable, and the Federal Trade Commission (FTC) is the preeminent federal regulator of information privacy in the United States. (17) On the other hand, some privacy laws empower individuals to enforce them. For example, the Fair Credit Reporting Act, the Wiretap Act, and Illinois's Biometric Information Privacy Act all include a private right of action--a provision that authorizes affected or aggrieved individuals to sue entities that violate the law. (18)

Both conventional enforcement schemes have serious shortcomings. Public enforcement--which relies on a small number of government enforcers--is a rather rare phenomenon. (19) The FTC averages only about ten privacy cases each year. (20) In 2021, the FTC initiated six new cases that included a data privacy or cybersecurity allegation. (21) One involved illegal robocalls, one targeted a spyware developer, and one alleged violations of the Children's Online Privacy Protection Rule. (22) The rest alleged that a company violated its own privacy policy. (23) So the FTC's 2021 privacy cases amounted to little more than singling out a handful of bad actors and holding a few companies to their own promises.

Even when governmental regulators act, the remedies they pursue tend to entrench rather than disrupt the status quo. (24) The FTC typically imposes auditing and assessment requirements on the companies it investigates, but these mandates rely almost exclusively on the businesses' own conclusory representations. (25) In rare instances where regulators impose financial penalties, the sums extracted are minuscule compared to the companies' profit-generating capacity. (26) Privacy law--as enforced by governmental regulators--is little more than a necessary cost of doing business.

Both ills with public enforcement could seemingly be cured by a private right of action: authorizing plaintiffs to sue promotes vigorous enforcement, and imposing statutory damages should shift incentives. And yet over the past generation, private enforcement has also proven increasingly ineffective due to court decisions on die enforceability of adhesion contracts, Article III standing, and class certification. (27)

Many companies use terms of service to impose a host of onerous restrictions on individuals' rights of redress, and the Supreme Court has been eager to enforce arbitration clauses that render claims infeasible to pursue in an individualized proceeding. (28) Even if a plaintiff avoids an arbitration clause, terms of service may nonetheless defeat a privacy claim on the merits by including a provision that says the user consented to the contested practices. (29) For example, both the Wiretap Act and Illinois's Biometric Information Privacy Act permit consent defenses. (30)

If the plaintiff can somehow avoid this pair of adhesion contract hurdles, she still must overcome a motion to dismiss that seizes on the Court's recent Article III standing decisions. The Court has repeatedly held that some intangible injuries are insufficiendy "concrete" to invoke the jurisdiction of the federal courts, and privacy claims are particularly susceptible to intangible-injury arguments. (31) Only if the plaintiff makes a sufficiently strong analogy to a privacy tort from the mid-twentieth century will she keep her claim in federal court. (32)

But even if she does, the plaintiff will still need to run a gamut of difficult-to-satisfy criteria to have her class action certified. Many lower courts refuse to certify privacy class actions on an atextual consideration about whether the defendant's illegal practices are so complicated that it's too difficult to identify class members. (33) And the Supreme Court has also been enthusiastic about decertifying classes based on ever-heightening class certification requirements like commonality and predominance. (34)

In short, there are no fewer than a half-dozen significant obstacles that a privacy class action plaintiff must dodge and overcome before the action is economically feasible to pursue.

Contemporary debates about privacy law enforcement tend to outright ignore the uncomfortable reality that neither public nor private enforcement is effective at changing much of anything. (35) As Congress and statehouses debate new laws, industry allies insist on public enforcement because they know it will preserve the status quo. (36) On the other side of the aisle, most privacy advocates have focused on the private right of action--despite mounting evidence that only the unluckiest and least competent companies will be held accountable. (37)

This Article proposes a hybrid approach that solves the dichotomy between ineffective public enforcement and infeasible private enforcement: qui tarn actions. (38) A qui tarn is a legal action that authorizes a private plaintiff, called a relator, to redress an injury suffered by the government or by society, and successful relators are entitled to a portion of the recovery. (39) Qui tarn has an ancient pedigree. English qui tarn actions date to the thirteenth century, and the First Congress enacted a host of qui tarn statutes shortly after the Framing. (40)

While a rarity today, some scholars have recently sought to resuscitate and resurrect the qui tarn, (41) and it's easy to see why: qui tarn is responsive to the shortcomings with both public enforcement and private enforcement. Authorizing private plaintiffs to bring a qui tarn solves the underenforcement problem with governmental regulators, and relators are incentivized to seek significant damages rather than agree to toothless consent decrees. (42)

Relators' actions are also not subject to the same doctrinal obstacles as private suits. Relators can be exempt from onerous terms-of-service provisions--ensuring that suits remain in court and that blanket consent provisions don't defeat claims on the merits. (43) The Supreme Court has previously held that qui tam relators have Article III standing, so legislatures can empower relators to stand in the government's shoes to promote the public interest in the same way that an agency does. (44) Finally, because relators adopt the public enforcer's identity, there is no need for a qui tam to satisfy class certification criteria like ascertainability, commonality, and predominance. (45) The upshot is that a privacy qui tam is a powerful tool for addressing the significant shortcomings with conventional enforcement options.

Qui tam has historically been employed to vindicate collective injuries. Early American qui...