PRIVATE RIGHTS OF ACTION IN PRIVACY LAW.

• Author: Scholz, Lauren Henry

Table of Contents Introduction 1641 I. Comparing Private, Public, and Hybrid Enforcement of Privacy Law 1646 A. Public Enforcement Regimes 1648 B. Private Enforcement Regimes 1651 C. Hybrid Enforcement Regimes 1655 II. Dignity and Private Enforcement 1663 III. Private Enforcement and Modern PrIVacy Problems 1668 A. Nonconsensual Pornography 1668 B. Data Insecurity 1673 C. Data Power 1678 D. Digital Market Manipulation 1685 E. Government Surveillance 1689 Conclusion 1692 INTRODUCTION

Federal privacy legislation in the United States is coming. (1) This will place the United States in step with the global Zeitgeist. In the past few years, many jurisdictions, including the European Union, Brazil, China, Canada, and Australia, have passed comprehensive privacy legislation. (2) In 2018, California passed comprehensive privacy legislation--which has been influential beyond the state's borders (3)--and ten more states are on track to pass privacy legislation this year. (4) Increased enforcement of consumer privacy rights in these jurisdictions has led industry to actively lobby Congress for federal legislation on privacy, seeking simplification of the patchwork of laws with which potentially regulated companies must comply. (5) Industry is now on the same page as American consumer advocates who have long advocated for a federal privacy law. (6) There is bipartisan political consensus around the need for federal privacy legislation, with politicians of both parties concerned about abuse of power by Big Tech. (7)

There is a great deal of consensus around the ground a federal privacy law should cover. (8) Companies are amenable to an understanding that notice and choice are insufficient to delineate privacy rights in an interconnected world and even that fiduciary duties may exist between firms and consumers with respect to personal information. (9) But two principal fault lines are holding up legislative action: preemption and private right of action. (10) In privacy law, there is extensive scholarly debate on the question of preemption. (11) By contrast, there is scant discussion of the need for expanding the ability of private actors to enforce privacy protections. (12)

For example, Florida appeared to be on the verge of passing an ambitious and effective state privacy law, but disagreement over a private right of action stymied the bill. The Florida House passed a privacy bill that would have provided citizens with a set of substantive privacy rights, authorized the attorney general to police violations, and granted Florida citizens a private right of action. (13) With the support of Governor Ron DeSantis, the bill passed the Florida House almost unanimously, 118-1. (14) Many House members were eager to provide Floridians with protections against a technology sector they saw as exploitative and overreaching. (10) Due to industry pressure, the House privacy bill died in the Senate. Instead, the Florida Senate passed a similar privacy bill sans private right of action. (16) The House refused to pass the Senate version of the bill, and the legislation died. (17) As one industry commentator observed: "the Florida bill died because the House and Senate could not align on a private right of action--in other words, an individual's ability to sue a company for privacy damages. The Senate's version of the bill removed the private right of action, and House members clearly felt this left the law toothless." (18) At the time of this writing, the debate is still ongoing. (19) Debates like the one in Florida are happening throughout the country, (20) so it is critical to understand what is at stake when privacy legislation includes--or omits--a private right of action.

In providing a framework for understanding the role of private enforcement in privacy regulation, this Article both fills an important gap in the legal literature and addresses a contemporary policy question. (21) Private rights of action have two important benefits for privacy regulation.

First, private enforcement marshals the resources of the private sector to fund and provide information in dealing with this ubiquitous issue. Private enforcement and public enforcement are complements not substitutes. Addressing modern privacy problems requires productive redundancy--that is, providing legal avenues for both government and private parties to observe and challenge privacy-invasive practices. (22) The hybrid approach has precedent in regulatory areas such as employment, civil rights, and consumer protection. The two avenues of enforcement reinforce each other. The modern American administrative state is not capable of addressing an issue of information privacy's magnitude without support from private enforcement.

Second, private rights of action have expressive value that cannot be achieved through public regulation in the area of privacy. (23) The nature of the right implies that an individual opportunity to be heard should be available. Privacy is a personal, dignitary right, so there should be some avenue for an individual to personally contest privacy violations. The ability to bring a claim is itself a recognition of the dignity of the plaintiff.

Understanding the key contributions of private enforcement to privacy regulation leads to several implications. First, because the success of a private enforcement regime is based on its actual availability, neither enforcement support nor dignitary concerns will be served by private rights of action that are in practice unavailable. Any private enforcement avenue should address access to justice concerns. Examples of provisions that increase the accessibility of litigation include fee-shifting arrangements and elevated remedies. Second, understanding what private enforcement contributes to privacy regulation allows stakeholders to understand what limits on private enforcement are possible without undermining the goals of a private right of action. Limited private rights of action, such as a right to explanation or a right to deletion, can relieve administrative agencies of the burdens of addressing smaller matters and affirm individual dignity. Several statutes have limited their application to larger companies, making sure the burden of enforcement falls on the companies most able to fund the public good of litigation on the topic. This is compatible with the aim of having a resilient private partner for public regulators in enforcement. But it does run afoul of the second function of private enforcement, which is to affirm the dignity of citizens by allowing them access to civil recourse when it comes to their personal right of privacy.

This last point reveals that the twin purposes of private enforcement that this Article has identified can be in tension. An individual plaintiff vindicating her own rights may not always have the public interest in mind in how she chooses to resolve them. Private enforcement regimes tailored to provide support to public enforcement of matters of public concern may not always provide direct claims for relief for wronged citizens due to countervailing considerations. Lawmakers must consider both purposes of private enforcement in privacy regulation and balance accordingly between the two when considering the scope of private rights of action. For example, the dignitary interest may be more dominant for framing private enforcement of sexual privacy intrusions, whereas providing regulatory resilience may be more significant for private enforcement of anticompetitive data power claims.

The Article proceeds as follows. Part I shows that a hybrid enforcement regime--a regulatory regime that has both private and public enforcement avenues--is a more effective regime for privacy enforcement than purely public enforcement. Part II argues that the dignitary concerns implicated by privacy invasions independently counsel for the availability of civil recourse via private enforcement. Part III illustrates the critical role private rights of action can play in five important privacy problems of the day.

1. COMPARING PRIVATE, PUBLIC, AND HYBRID ENFORCEMENT OF PRIVACY LAW

   Hybrid enforcement is needed for privacy regulation in the United States. The Federal Trade Commission (FTC) is "the largest and arguably the most important component of the U.S. privacy regulatory system." (24) Furthermore, Danielle Citron's work shows that state attorneys general also play a key role in enforcing privacy law. (25)

   These public enforcers play a critical role in privacy regulation and should continue to do so. Yet private enforcement is necessary to support public enforcement. Private enforcement deters potential wrongdoers by allowing for a resilient avenue of enforcement, available even when agency funding or political will is lacking. It also broadens and democratizes the public forum for sharing and analyzing disputes in the information economy beyond the limits of administrative agencies. Matters brought to light by private enforcers, even if they are unsuccessful in their efforts, can aid public enforcers in their regulatory choices.

   Private rights of action have long been a prominent tool in American regulation. (26) Since the mid-twentieth century, there has been increasing reliance on private rights of action to achieve regulatory goals." (7) As Sean Farhang put it, in lieu of a European-style regulatory state, the American system has a litigation state. (28) Enthusiasm for private rights of action crosses ideological lines, with conservatives and liberals alike seeking to use private enforcement to shore up important rights. (29) Regulation in substantive areas that include both private rights of action and public enforcement have been dubbed "hybrid [enforcement] regimes." (30) These hybrid enforcement regimes exist in antitrust, securities, civil rights, employment, and consumer protection, among others. (31) There is expressive value to giving individuals the right to seek relief from...