5 Ways to Reduce Legal Risk with Privacy Policies

Joshua Mooney , Daniel Marvin , John R. Fitzsimmons

|

December 1, 2023

Hands holding a cell phone and hovering over keyboard of laptop with

Over the past few years, privacy litigation—particularly class actions—has exploded. Many data privacy class actions have been based on old laws that were even passed before creation of the internet. For example, the Video Privacy Protection Act (VPPA) was passed in 1988 after Judge Robert Bork’s video rental history was published following his Supreme Court nomination. The VPPA prohibits the sharing of a customer’s video viewing history without their express consent, including videos viewed online. The VPPA is now being used in claims over the use of a plug-in commonly known as the Meta Pixel. This line of code is embedded into a website to track the user’s web browsing activity and transfer that data to Meta to place targeted ads. Courts have interpreted that the transfer of a user’s video viewing history by the Meta Pixel is a potential violation of the VPPA.

A second area of risk stems from claims related to the California Invasion of Privacy Act (CIPA). Originally passed to prevent wiretapping, recent Ninth Circuit precedent opened the door for CIPA claims based on the recording and transcribing of online conversations with website chat functions. With a private right of action and statutory damages of up to $5,000, CIPA claims present a growing and potentially severe risk for companies that provide online chat functions.

While companies continue to invest in data protection and cyber resiliency, they often overlook the significant impact of well-crafted website terms of use and privacy policies. The following five considerations can help mitigate data privacy litigation risk:

1. Affirmative Consent Provisions

With the proliferation of data privacy laws and litigation in the United States, consent has become a key tool in reducing civil litigation risk. User consent to the sharing of their information should be affirmative, knowing and voluntary. A privacy policy buried at the bottom of a webpage stating that a user agrees to certain terms and conditions simply by viewing a webpage is unlikely to reduce litigation risk. These “browse-wrap” policies often fail to withstand scrutiny in court. Instead, courts prefer a “click-wrap” policy, which requires affirmative action from a user such as checking an “I Accept These Terms” box before accessing the website. It is also important to make sure the requirement to check the box happens before cookies functions begin on your site. Acceptance of terms of use does not work after the fact.

In addition, the consent should conform to your company’s online presence. For VPPA claims, for example, off-the-rack policies containing boilerplate language will fail to provide adequate protection. The VPPA requires express consent from consumers specifically related to the sharing of their video viewing habits. While this language is superfluous if your company’s website has no videos, the principle should be applied to any consent clause. First, understand the website’s capabilities related to data collection, processing or transferring. Then, understand the statutory and regulatory scheme at play. Finally, insert the necessary consent language to reduce future risk.

2. Class Action Waivers

Unless there is a statutory damages provision like with Illinois Biometric Information Privacy Act claims, high-dollar settlements are often a function of the large number of claimants in data breach cases. Class action waivers are a key tool in reducing this risk. Commonly included in arbitration agreements, such waivers prevent users or customers from filing a class action, requiring customers to file individual claims instead, often for nominal damages. By undermining the economics of litigating these cases, this reduces the risk of large settlements. Similar to consent, the enforceability of class action waivers in contracts is a critical consideration. Generally, courts are more likely to enforce a class action waiver included in a click-wrap contract than a browse-wrap contract.

3. Forum Selection Clauses

Forum selection clauses can help lower litigation costs and allow businesses to litigate with their preferred counsel under familiar law. Generally, these clauses come in two forms: mandatory or permissive. As the terms suggest, a mandatory clause requires plaintiffs to file all litigation in a designated forum, while permissive forum selection clauses identify a preferred forum but allow for litigation elsewhere. Smart, detailed drafting is key as poorly worded forum selection clauses can be unenforceable, leading to ballooning litigation costs and unfavorable rulings.

4. Arbitration Clauses

Pre-dispute, mandatory arbitration agreements are a well-established, effective tool used to manage liability and control litigation costs in many industries. These clauses are especially important as data breach litigation becomes more widespread. Courts in California, Illinois and New York have all upheld mandatory arbitration clauses in data breach litigations, creating useful precedent for companies looking to include these conditions in user agreements. Arbitration clauses are not just for consumer contracts. In a business-to-business relationship, an arbitration clause can help reduce litigation costs, expedite resolutions and maintain confidentiality. Arbitrators are often subject-matter experts, so they are able to quickly understand the key issues in the dispute and guide the parties to a final agreement. This is especially important for companies that store or process critical business information for third parties where a data breach could lead to the loss of trade secrets, costly business interruption or serious reputational harm.

5. Limitations on Unnecessary Cookies and Data Collection

An organization should only use third-party trackers, cookies or other website plug-ins when it can specifically identify the benefits these tools provide to the organization. Unnecessary use of these tools and the data they collect, retain and transfer carries risk, which is amplified by the constantly shifting landscape in data privacy litigation. New claims and theories of liability are cropping up as old laws are applied to new technologies. For example, plaintiffs in Massachusetts and California have already secured multimillion-dollar settlements in wiretap cases. Plaintiffs alleged the use of Meta Pixel, Session Reply, Heatmaps and other tools that collect data or observe a user’s activities on a website were unlawfully transmitting the contents of a wire communication to a third party. It is unlikely that these cases will only occur in Massachusetts and California. All 50 states have wiretapping statutes, which often include statutory damages leading to multimillion-dollar risk.

The first step in reducing this risk is simple but requires collaboration from the entire organization: limit the use of third-party trackers. While the complete elimination of these trackers is likely unrealistic, reducing the scope of their use can reduce the risk involved. For example, limiting the use of third-party trackers when a user inputs or views sensitive data like medical history or diagnostic results can be an effective risk mitigator. Additionally, organizations should use the in-tool privacy settings to limit the type of user data collected or transferred to a third party. Finally, including tracking-related disclosures in a privacy policy can reduce risk by soliciting users’ consent to third-party tracking.

Likewise, data minimization principles can be effective risk mitigation tools. To reduce future risk, examine when, why and for how long your organization retains data. Holding on to data “just in case” increases the risk of a successful lawsuit in the event of a data breach, especially if you retain sensitive information like Social Security numbers or medical data. While some financial services or healthcare organizations are required to retain certain customer information, every organization should consistently audit its data retention practices and delete unnecessary data from its system.

Joshua A. Mooney is a partner and head of the US Cyber and Data Privacy at Kennedys.

Daniel Marvin is a partner in the cybersecurity and data privacy practice at law firm Kennedys.


John R. Fitzsimmons is an associate in the cybersecurity and data privacy practice at law firm Kennedys.