Skip to main content

Congress is split over your right to sue Facebook

Congress is split over your right to sue Facebook


To sue, or not to sue?

Share this story

NASA Hearing
Photo By Bill Clark/CQ Roll Call

Should private citizens be able to sue companies like Facebook or Twitter for misusing their data? That’s the question Republicans and Democrats have been ensnared in for months, as they work to craft a new data privacy law. But talks have stalled in recent weeks, and rather than putting out a bipartisan bill, both parties have now opted to introduce their own  measures to stake out their positions.

Last week, Democrats, led by Sen. Maria Cantwell (D-WA), put out the Consumer Online Privacy Rights Act of 2019 (COPRA), which would provide American consumers with a slate of new rights over the data they produce on platforms like Facebook and Google. These rights would require companies to provide greater transparency over user data and give users the power to delete, correct, or transfer it to a competing service. These basic principles have become the baseline for any federal bill aimed at regulating how a platform treats the data of its users. These rules closely imitate the protections offered under the European Union’s General Data Protection Regulation, a law that Mark Zuckerberg has said should be enforced abroad or be used as guidance for any new rules in the states. 

“They should be like your Miranda rights”

“In the growing online world, consumers deserve two things: privacy rights and a strong law to enforce them,” Cantwell said in a statement. “They should be like your Miranda rights— clear as a bell as to what they are and what constitutes a violation.”

These same rights to correct and transfer data are largely mirrored in Sen. Roger Wicker’s (R-MS) draft proposal, the United States Consumer Data Privacy Act of 2019. Under Wicker’s bill, the FTC would be the chief enforcer of the law, backed up by state attorneys general. The Democrats agree that both the FTC and states should enforce any law, but it’s a consumer’s right to sue a tech company for data misuse that’s holding any legislation up. 

Private right of action, or the ability to sue platforms for violating what rules are put in place by a future federal privacy law, has become the focal point of the current debate. Democrats have widely backed the provision as a way to ensure that Facebook and Twitter are held liable for the data scandals they create. Republicans disagree, suggesting that it would create a storm of frivolous lawsuits that would greatly impact small businesses instead of the Big Tech industry. 

A private right of action serves as a third level of enforcement for any data privacy law. Both Republicans and Democrats broadly agree that the Federal Trade Commission should enforce any law at the federal level and state attorneys general should be empowered to take on cases as well. But these offices can only handle so many investigations at a time, and without empowering individuals with the ability to sue bad actors, advocates fear many cases, some affecting minority groups, could fall through the cracks. 

“Private right of action for marginalized communities is really critical,” Dylan Gilbert, policy counsel at Public Knowledge, said. “Marginalized communities historically haven’t been able to rely on the government to protect their interests. It’s really important that individuals can have their own day in court.” 

But Republicans foresee a world with a private right of action for data misuse in which litigious-happy lawyers lead countless class actions against both Big Tech and small businesses. There’s some evidence to back them up: in 1991, the Telephone Consumer Protection Act, or TCPA, gave consumers a private right of action against telemarketers, and unleashed a flood of class action lawsuits. According to the National Law Review, the number of class actions alleging TCPA violations increased by over 1,000 percent between 2010 and 2016. Republicans are afraid the same thing could happen if the provision is included in a privacy bill. 

But lawsuits over misused data would be far from frivolous, said professor Ari Ezra Waldman, director of the New York Law School’s Innovation Center for Law and Technology. As Waldman sees it, they would enforce the law and steer companies toward better practices. “First you have to be subject to the statute, and you have to violate the statute, and then someone actually has to know that you’re violating that statute,” Waldman said. “It’s far more likely that that’s going to affect larger players and the worst actors.”

Earlier this month, Sen. Wicker told Communications Daily that he didn’t expect Democrats to push a private right of action if it meant that the two parties couldn’t come to an agreement. “I don’t think Democrats will insist on that in a final bill,” Wicker said. “I don’t expect this Congress to move to the left of the California initiative.” With last week’s introduction of COPRA, any chance of a bipartisan Wicker-Cantwell bill without this provision seems unlikely. 

But on Monday, Wicker seemed open to a more limited private right of action than what the Democrats have proposed so far. Wicker told Bloomberg Government that any provision “would have to be quite narrow, injunctive relief, or something like that.” Injunctive relief would essentially be a court ordering a defendant to stop a certain type of behavior through the civil courts, but it wouldn’t deliver the same payouts to consumers and lawyers that would be extended under Cantwell’s bill. 

Republicans and Democrats disagree on other issues like nullifying state privacy laws and empowering the FTC, but tomorrow’s hearing could focus heavily on a private right of action. “We can pass any laws we want,” Waldman said. “But if there’s no way to enforce them, then what’s the point?”