Overview
Most retailers rely on customer information databases for a variety of consumer interactions, such as tailoring product recommendations, assisting with returns, and sharing upcoming events and promotions. Another popular practice is participation in data cooperatives, which, for a fee, allow brands to share information about their shoppers in exchange for data analytics services aimed towards better serving their existing customers and appealing to other potential new consumers.
Despite their benefits to customers, these practices are increasingly under attack, as evidenced by two waves of recent lawsuits filed across the country, which frame this practice as a breach of data privacy and right of publicity laws. Although retailers generally disclose their data-sharing practices in their privacy policies (and in fact, are required to do so under several states’ laws), plaintiffs are, once again, leaping at the opportunity to seek steep payouts and file massive data privacy lawsuits by claiming these disclosures are insufficiently detailed or conspicuous.
These lawsuits usually arise under somewhat obscure state statutes that often share two things in common: (1) they authorize statutory penalties independent of any actual damages; and (2) they were enacted well before the advent of the internet and the rise of today’s data collection and sharing practices. Because the original impetus of these laws was to prevent political blackmail and misusing celebrity likenesses, extending their reach to data privacy claims is another example of how plaintiffs' firms have capitalized on ambiguity within the legal landscape to force astronomical settlements. Below, we summarize several recent developments.
The Michigan Cases: Past Windfalls and Current Attempts to Evade Damages Limitations
Michigan’s Preservation of Personal Privacy Act: Overview and Origins
The first wave of suits targeting the disclosure of customer information began in 2012 in Michigan. Michigan’s Preservation of Personal Privacy Act (PPPA, also known as the Video Rental Privacy Act) was enacted in 1998 to prohibit companies "engaged in the business of selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings” from disclosing to third parties "a record or information concerning the purchase... of those materials by a customer that indicates the identity of the customer." The PPPA, like several other similar state statutes passed around the same time, was a response to the public leak of Supreme Court nominee Judge Robert Bork’s video rental history, and the ensuing national scandal. Up until July 2016, the law provided steep penalties of $5,000 per violation.
The First Wave of Plaintiffs' PPPA Windfalls and Legislative Reaction
Over the course of the last decade, plaintiffs have used the pre-2016 PPPA to extract many millions of dollars from publishing companies that allegedly disclosed customer information to third parties, including data cooperatives, and marketing analytics companies. Many of the largest media companies in the world have settled PPPA claims for hefty sums, including: Conde Nast Publications Inc. ($13.75 million); Time Inc. ($7 million); Hearst Corp. ($50 million); TV Guide ($1.7 million); Consumers Union, which publishes Consumer Reports ($16.375 million); and Playboy Enterprises Inc. ($3.85 million).
In 2016, following the Supreme Court’s landmark decision in Spokeo, Inc. v. Robins that "bare procedural violations" were insufficient to create legal standing, the Michigan legislature amended the PPPA to expressly limit private causes of action to consumers who suffered actual damage as a result of the alleged disclosure, and limited their potential recovery to the value of their damages. Additionally, in an apparent acknowledgement of developments in technology and data analytics, the 2016 amendments expanded the exceptions to the PPPA's prohibitions and explicitly permitted three common data practices: (1) the disclosure of consumer data after it had been aggregated, or anonymized, such that it could no longer be identified as any particular consumer; (2) data sharing incidental to the defendant’s ordinary course of business; and (3) data disclosed for marketing purposes after giving written notice to consumers, including via an online privacy policy.
Post-2016 PPPA Suits and the Recent Resurgence
The plaintiffs' bar continued to bring claims for statutory damages under the original version of the PPPA until the final days of the statute's limitations period, which up until recently was widely recognized as being three years—the same as any traditional common law invasion of privacy claims. For example, Hufford v. Maxim Inc. [1] was filed on May 15, 2019 and involved a class period of just 77 days—May 15 until July 30, 2016, the day before the amended PPPA and its damages limits took effect. The suit, which involved a small class because of the narrow class period, settled on a class-wide basis for $228,000, to be paid into a non-reversionary settlement fund.
After two years of calm, a new wave of PPPA lawsuits began in June 2021, brought by the same firms that had previously litigated in this space. To continue collecting expansive statutory damages, instead of the minuscule (or non-existent) actual damages allowed under the 2016 amendment, the new suits now creatively posit that a six-year limitations period—rather than the three-year limitations period that even the same plaintiffs' firms previously recognized—applies to the PPPA. In early August 2021, nearly 20 suits were filed within days against publishers, both large and small, followed by a number of subsequent filings in recent months. Defendants in this second wave have begun filing motions to dismiss based on (amongst other arguments) the previously applied three-year statute of limitations. If plaintiffs are successful in convincing courts that the limitations period is twice as long as they had previously acknowledged, more suits will no doubt follow. Conversely, these cases will quickly lose value if courts rule instead that the three-year limitations period still applies.
The New Variant: "Right of Publicity" Theories
New Right of Publicity Lawsuits Emerge Nationwide
On the heels of the reemergence of the Michigan PPPA, the same plaintiffs’ firms initiated a new variation of data-privacy lawsuits—this time under a right of publicity theory. These suits, which first emerged in July of this year but did not gain momentum until October, argue that brands violate various state right of publicity laws merely by including plaintiffs’ names on customer lists that are sold or rented to third parties. Many of these new filings target the same large media companies that previously settled PPPA cases, but this time they have been filed across the country (including district courts in Illinois, New York, California, Wisconsin, and Iowa).
Similar to the PPPA cases, these new right of publicity cases test—and likewise stretch—the boundaries of often overlooked state laws, including those of South Dakota, Puerto Rico, Ohio, Illinois, and Alabama. At least 33 of these suits have been filed since mid-October 2021 against a range of companies, including publishers and other media entities, credit card companies, and retailers. Unlike the second wave of Michigan PPPA cases, which have been brought almost exclusively by a single set of firms, the new publicity suits have had more plaintiffs’ firms join the fray.
Broadly speaking, the right of publicity is based in traditional tort common law, and is understood to mean an individual's right to control the commercial use of his or her identity and likeness. Many state statutes codifying this right were enacted well before today's data economy. The Illinois and Ohio statutes took effect in 1999, while a handful are more recent, such as Puerto Rico’s (2011), South Dakota's (2014), and Alabama's (2019). Regardless of a statute’s specific vintage, the sine qua non of any right of publicity claim is, of course, publicity. For that reason, such claims have traditionally been brought by public figures and celebrities protecting the use of their likenesses for commercial endorsements. For example, in August, Jay-Z filed claims alleging that a photographer was selling the rapper and business mogul’s images without permission, in violation of his right of publicity.
Plaintiffs in the new cases, however, assert that their right to publicity has been violated based on companies’ alleged sale of their customer lists; these uses are arguably outside the scope of the statutes' intended purpose. Of additional concern for businesses that have been targeted with the new suits, these right of publicity laws often provide for sizeable statutory penalties (in the case of Puerto Rico, up to $20,000 per violation).
Early Motions to Dismiss Could Open (or Shut Down) the Floodgates
Because these new right of privacy cases are in their infancy, the outcome of the initial motions to dismiss will signal whether right of publicity cases become the next major wave of litigation to plague the retail and e-commerce industries.
A significant question in early papers has been whether right to publicity laws even apply where, as here, the plaintiff's name or likeness is not being used for promotional purposes, but rather is the product being sold. Hearst, which has been sued in nine right of publicity cases, made this argument in its motion to dismiss claims under the Illinois Right of Publicity law, which it filed on September 24, 2021. The briefing was concluded on November 29, 2021, but no hearing has been scheduled as of yet. [2] On December 3, 2021, Trusted Media Brands raised the same argument in a letter to the court requesting leave to file a motion to dismiss analogous right of publicity claims asserted under Ohio and California laws. [3]
Evincing the substantial similarities between the various state right of publicity statutes, all of which are rooted in the traditional right of publicity, both Hearst and Trusted Media asked the respective courts to distinguish customer-data sharing from typical claims under the right. Pointing to situations similar to the Jay-Z suit discussed above, both defendants argued that unlike the traditional right of publicity claims, where plaintiffs allege that their identities were misappropriated to sell a separate item or service, these new claims merely allege that lists of personal identifying information were sold; i.e., the identity was itself the product and the subject of the alleged sale. Put otherwise: they argued that selling a likeness, as a product, does not run afoul of the right of privacy.
There is good support for this argument. In Brooks v. Thomson Reuters Corporation, [4] the plaintiffs claimed that Thomson Reuters violated individuals' right of publicity by selling "detailed cradle-to-grave dossiers" on them as part of its background check services; this information is pulled both from publicly available information (such as social media profiles), and "information from third-party data brokers and law enforcement agencies that are not available to the general public, including live cell phone records, location data from billions of license plate detections, real-time booking information from thousands of facilities, and millions of historical arrest records and intake photos." On August 16, 2021, the court granted Thomson Reuters' motion to dismiss based on its finding that Thomson Reuters did not appropriate the plaintiffs’ name or likeness for a commercial advantage, which is a required element under the California statute. Specifically, the court reasoned:
"This is not a right of publicity case because Thomson Reuters is not using Plaintiffs' name or likeness 'for promotional purposes,' i.e., to advertise or promote a separate product or service…. [Here,] Plaintiffs allege the product is their name, likeness, and personal information. Plaintiffs do not cite a single right of publicity case with analogous facts. Although the publishing of Plaintiffs' most private and intimate information for profit might be a gross invasion of their privacy, it is not a misappropriation of their name or likeness to advertise or promote a separate product or service."
Some case law also suggests that the plaintiffs in these cases lack standing under Article III because they were not injured as a result of having their information shared. For example, in Callahan v. Ancestry.com Inc., [5] the plaintiffs alleged that Ancestry violated California's right of publicity law by using their decades-old yearbook photos to solicit paying subscribers. Ancestry moved to dismiss the claims on standing grounds and other bases. The court granted Ancestry's motion on March 1, 2021, finding that "using the public profiles to solicit paying subscribers—standing alone—does not establish injury." The court specifically noted that the plaintiffs did not have a commercial interest in their public profiles that precluded Ancestry’s use of the profiles for commercial gain. The court also distinguished California's law from statutes that impose strict liability, because the California law only imposes liability where "persons [are] injured as a result" of the alleged violation.
Because suits arising out of California's consumer-friendly laws often serve as a bellwether for class action trends nationwide, these recent rulings may signal reluctance of courts to expand the application of right of privacy laws to the decades-long practice of selling data.
Retailers Are Increasingly the Target for New Right to Publicity Suits
Although this second wave of data privacy suits initially targeted publishers and media companies, at least eight of the most recent right of publicity suits have targeted retail and e-commerce companies. Unlike Michigan's PPPA, which narrowly applies only to businesses "engaged in the business of selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings," state right of publicity laws are not so limited. Retailers with large customer bases, especially those who engage in list rentals, will likely be attractive targets to plaintiffs' counsel. As such, retailers would be wise to understand their businesses’ involvement in data sharing practices, and take steps to protect themselves now.
What This Means for Retailers and How to Lower the Risk of Becoming the Next Target
The safest way retailers can protect themselves is to obtain clear and comprehensive customer consent before sharing personal information with data cooperatives, data aggregators, or third parties looking to rent or buy customer data. This can be done in many ways, including requiring online consumers to affirmatively accept the company’s terms of service and privacy policies.
Additionally, terms of service limiting consumers' claims with mandatory arbitration and class action waiver clauses can halt potentially expensive claims like this in their tracks. Such clauses should be carefully crafted to curb a plaintiff’s ability to initiate mass arbitrations, and to avoid steep administrative fees in the event of significant claims.
Finally, given the rapidly evolving legal landscape and patchwork of laws that plaintiffs are invoking, it is advisable to consult counsel experienced in this area to develop risk reduction strategies tailored to your business.
Endnotes
[1] Hufford, Case No. 1:19-cv-04452 (S.D.N.Y.).
[2] Huston v. Hearst Communications, Case No. 1:21-CV-01196-MMM-JEH (C.D. Illinois).
[3] Bohnak v. Trusted Media Brands, Inc., Case No. 7:21-CV-07476-NSR (S.D.N.Y).
[4] Brooks, 2021 WL 3621837, at *5 (N.D. Cal. Aug. 16, 2021).
[5] Callahan, 20-CV-08437-LB, 2021 WL 783524, at *1 (N.D. Cal. Mar. 1, 2021).