Litigation News | 2020

As Demand for Consumer Data Increases, So Does the Need for Data Privacy Laws

Christina Michelle Jordan


  • If there is no federal privacy legislation, how can lawyers help clients protect their data?
  • Private, personal, and biometric information is collected and processed by corporate entities and the government. 
  • How this information is shared, with whom, and how long it is stored are important factors to consider.

The demand for consumers’ personal information is at an all-time high, as targeted marketing is now able to use big data to process large amounts of personal information accurately and at a fast pace. However, there currently is no nationwide federal privacy legislation to protect consumers’ data privacy rights or to inform companies as to what constitutes a violation. How can lawyers help clients navigate data privacy issues so that consumers know their rights and companies know how to use and protect data?

Invasion of Data Privacy

Data privacy intrusions are not often brought about by choice. Consumers are now used to seeing targeted ads on the computer screen as a result of previous searches. Marketing specialists are aware of consumers’ buying habits, frequently visited websites, movies watched, foods eaten, and much more. Political campaigns also routinely harvest similar information to assist in assessing likely voting preferences. Many companies have implemented biometric systems to log in employees at their places of work, or have security systems that can monitor how often and when you clocked in and clocked out, when you logged in to your work computer, and when you logged off.

Such private, personal, and biometric information is collected and processed by corporate entities and the government. How this information is shared, with whom, and how long it is stored are important factors to consider, as an individual is likely to suffer irreversible harm, and companies may be liable for violations if personal data is compromised.

Developing Regulatory and Legal Landscape of Data Privacy and Protection

While there is no central federal privacy law in the United States, in 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR), which provides data privacy protection for EU citizens. The GDPR recognizes that personal data protection is a fundamental right and that personal data should be processed lawfully, fairly, and in a transparent manner. The GDPR also limits the lawful basis for which personal data may be collected, processed, and transferred. Permissible uses of personal data under the GDPR may conflict with discovery in U.S. litigation, which often relies on access to electronically stored information.

Lawmakers are beginning to propose federal privacy legislation, but national legislation does not seem imminent. Alaska, Arizona, California, Connecticut, Florida, Hawaii, Illinois, Maine, Maryland, Massachusetts, Mississippi, Montana, Nevada, New Jersey, New Mexico, New York, North Dakota, Rhode Island, Texas, and Washington are among the states that have enacted or are in the process of introducing legislation in the data privacy space. The California Consumer Privacy Act (CCPA) is a broad data privacy law that went into effect on January 1, 2020, and largely reflects the GDPR. Under the CCPA, there is no private right of action for a data privacy violation; rather, claims go to the attorney general, who monitors compliance. Unlike the CCPA, the Illinois Biometric Information Privacy Act, which went into effect on October 3, 2008, allows aggrieved persons to sue for a biometric data violation. A major difference between the state data privacy laws is that some states provide for a private right of action while violations in other states would be enforceable only by the state attorney general.

Private causes of action in the GDPR and the U.S. state laws have raised questions including whether laws apply to individuals and entities outside the country or state and whether the presence of a statutory violation can lead to liability. In the absence of a national privacy law, California’s legislation may become the benchmark for how companies implement data privacy policies for all of the states in which they operate. This would be similar to how companies treated updates made in response to the GDPR. Businesses could benefit from having a head start on compliance with existing state laws should a national law go into effect. However, companies would likely prefer a national standard to take the guesswork out of complying with different requirements present in state laws.

Collecting Data: Notice and Consent

One aspect routinely covered in data privacy laws is the collection of data, including notice and consent of data being collected. In Rosenbach v. Six Flags Entertainment Corporation, Six Flags employed a fingerprinting system for season pass holders, including minors. Rosenbach purchased a season pass for her minor child, who had to scan his thumb into a biometric data capture system to complete the transaction.

Rosenbach alleged that the biometric data capture was not accompanied by any request for consent or by any notice regarding the purpose of the data collection and the length of time the information would be stored. The court found that Rosenbach did not have to allege harm beyond information collection without consent. Given the potential for increased liability exposure under statutes that may not require proof of harm beyond lack of consent or notice, companies should actively evaluate their data privacy policies to ensure compliance with the landscape of privacy laws.

Guidance on Use of Consumer Data: Transparency

U.S. companies conducting business in Europe or collecting data from European consumers should be mindful of the globalization of the GDPR. Google was fined for lack of transparency regarding its use of consumers’ personal information and for failure to obtain sufficient consent to use that information in personalized advertisements. For example, the regulatory body found that essential information regarding how personal data was being used for personalized ads was not available in a concise location. In addition, Google’s language was purposefully broad and obscure to make it difficult to understand how consumers’ data was being used. The fine should put U.S. companies on notice to be in compliance with the GDPR.

Strategies for Compliance

Although some of the state-enacted data privacy laws have provisions that are similar to the GDPR, being compliant with the GDPR does not mean you are compliant with state laws. Rather, each state law has unique aspects that may conflict with the GDPR with respect to protecting data. As long as data privacy remains unlegislated, companies and individuals will potentially face complicated data privacy policies and expensive litigation.

Companies may want to consider where they are conducting business in the U.S. and in Europe and whether they are collecting data from consumers located there. This will assist in understanding whether they can expect to be compliant with GDPR in addition to the landscape of state data privacy laws. Further, understanding how state data privacy laws align and where they conflict can help companies adopt best practices for handling data privacy for U.S. clients. Establishing a data privacy policy and program that includes training employees on proper collection, processing, and retention of such data may help companies avoid violations.