More on the private right of action
My reaction to Dr. Lauren Scholz commentary on the PRA
The concept of enforcement via a private right of action (PRA) has come up a bunch in the Monopoly Report podcast recently. Cory Doctorow and I talked about the PRA here. And more recently, I had Vermont State Representative Monique Priestly on the pod. Monique is a supporter of the PRA - and referred me to a discussion Rep Monique Preistly had with Dr. Lauren Scholz as part of a hearing with the Vermont House Commerce Committee.
Dr. Lauren Scholz is a Professor of Law at Florida State University (FSU) College of Law.
What is a PRA?
Private right of action allows individuals to sue a company directly for violations, rather than relying solely on government enforcers such as the state AGs. This empowers individuals to seek redress for harm by filing a civil lawsuit for damages, attorney’s fees, and other relief.
At risk of oversimplification, privacy advocates tend to support PRAs while the “ad industry” is opposed to their use. And both sides tend to hand wave away the other sides’ concerns.
In the digital media space, we’ve seen the PRA used to enforce a 1960’s wiretap law (CIPA) and a 1980’s video tape rental law (VPPA) against websites and ad tech companies. Based on what I’ve seen with CIPA and the VPPA, I have a fair amount of skepticism about PRA’s.
Dr. Scholz’ views on PRAs
I’d encourage you to listen to Dr. Scholz’ views here. If I’m understanding her correctly, Dr. Scholtz’ premise is the following:
We need more robust enforcement of privacy laws - when it comes to enforcement options, more is better.
The current system of relying on law enforcement agencies isn’t sufficient because: (a) they are under resourced and (b) the role of an AG is to serve the state interests and not necessarily the interests of individuals.
PRAs will push / shame state enforcers to act.
The fact that some class-action lawsuits are frivolous is not reason enough to remove PRA enforcement entirely.
My view on PRAs
In my view:
PRAs work better when addressing tangible harms and work less well when addressing more etherial harms. The placement of a cookie on a desktop without consent is not the same thing as a violation of Daniel’s Law.
It would be helpful to understand and maybe come to a consensus on what constitutes “enough” when it comes to enforcement of privacy laws. We now how 20 state privacy laws in place - and many of those laws ARE being enforced. I’m not sure if that’s enough, but its not nothing.
Proponents of the PRA to enforce privacy laws often understate and/or under appreciate the distraction that “frivolous” lawsuits can cause. All due respect to Dr. Scholz, the harm caused by the VPPA alone it’s a wee bit more than just “some additional motion practice.”
To her credit, Representative Priestly seems to be at least attempting to find ways to limit if not eliminate the downside to offering a PRA.
@Alan Chapell Thought you might appreciate the full piece that my questions originated from: https://scholarship.law.wm.edu/cgi/viewcontent.cgi?article=3945&context=wmlr And thank you for the shoutout and conversation!