PH Privacy

Paul Hastings Hosts Panel on Litigation Trends and Risk Management

May 15, 2024

By Carter C. Simpson,& Hannah Edmonds

On May 9, 2024, Paul Hastings participated in a panel on litigation trends and risk management at this spring’s Privacy+Security Forum. Panelists included Carter Simpson (Partner, Paul Hastings) and Matt Gardner (Senior Privacy Counsel, Ro).

The panel covered their experiences defending against privacy class claims under the California Information Privacy Act (CIPA), Video Privacy Protection Act (VPPA), and other federal and state privacy laws. The panel further examined the interplay between litigation risk management and business priorities.

Here are some of the main takeaways from the panel:

CIPA, Wiretapping, and Eavesdropping. Panelists highlighted that, though the original claims plaintiffs brought under CIPA were typically related to wiretapping, there is now a new approach emerging where plaintiffs are bringing CIPA claims under a pen register theory. As an example, panelists noted the case of Greenley v. Kochava, in which the plaintiff claimed the defendant’s SDKs collected data that the defendant used to “fingerprint” users and sell their user profiles to third parties. The court rejected the defendant’s motion to dismiss, finding that a pen register might include software “that identifies consumers, gathers data, and correlates that data through unique fingerprinting.” This ruling is notable because it demonstrates a court applying older law to new technology. Panelists emphasized that defendants should push back on pen register theories by noting that courts have not yet found such theories applicable to users (as opposed to developers) of tracking technologies.

VPPA, Video Views, and Third-Party Data Sharing. Panelists examined the elements of and most common defenses against VPPA claims, in which plaintiffs allege that their video viewing history being shared with third-party service providers along with some form of personal information that allows viewing history to be linked to a specific user. Many defendants have actively and effectively defended against VPPA claims in recent years, resulting in a narrowing of the types of companies and conduct now targeted by plaintiffs firms. Over time, case law has emerged that the VPPA requires that a business be centered, tailored, or focused on the provision of video content, as opposed to (for example) featuring videos solely for brand awareness. The VPPA also has exceptions for disclosures made in the ordinary course of business and those made with users’ express consent.

Mass Arbitration and Privacy Law. The panelists discussed mass arbitration and its increasing prevalence. Mass arbitration entails simultaneously filing many small-value arbitration claims, for which initial arbitral fees will in most circumstances far exceed the cost of defense. It is common in employment law as well as in consumer and privacy law. The panelists outlined avoidance strategies related to frivolous or abusive mass arbitrations, including formalizing demand intake and investigation procedures, reviewing and revising arbitration provisions to include pre-demand informal dispute resolution processes, and reviewing the text and prominence of update notifications to users and consumers.

Risk Management and Business Priority Considerations. Panelists laid out various business considerations specific to privacy litigation. Financial considerations include, among others, penalties and damages or costs of legal defense, known market rates to settle claims, and strategic settlement techniques. Reputational considerations include negative publicity and the erosion of consumer trust. Finally, operational considerations include, but are not limited to, reviewing consent flows to ensure robust consumer choice, ensuring a deep understanding of ads practice, and reviewing terms of service, especially arbitration provisions if applicable.

The Privacy+Security Forum is hosted twice a year by Daniel Solove and Paul Schwartz, and brings together leading experts in the areas of privacy and security law. Paul Hastings was a sponsor for this spring’s Forum, which took place from May 8-10 in Washington, D.C.

Our Data Privacy and Cybersecurity practice regularly advises companies on key issues, including litigation trends and risk management, in privacy law. If you have any questions concerning these issues or any other data privacy or cybersecurity developments, please do not hesitate to contact any member of our team.

Practice Areas

Data Privacy and Cybersecurity

Privacy and Cybersecurity Solutions Group

For More Information

Image: Carter C. Simpson
Carter C. Simpson

Partner, Litigation Department

Image: Hannah Edmonds
Hannah Edmonds

Associate, Litigation Department

Get In Touch With Us

Contact Us