Statutory Penalties and Class Actions: Social Justice or Legalized Extortion?


Paul Karlsgodt

Privacy protection involves a particularly knotty set of questions for consumer protection laws.  Increasingly complex technology and the exponential proliferation of electronic data storage have created an ever-increasing risk of exposing consumer data to unauthorized access and identity theft.  The decreasing cost of and access to communications technology has created the ability to bombard consumers with spam and other unwanted communications.   Consumers themselves are highly supportive of legislation enacted to protect their private data from unauthorized transfer, use, and disclosure and from unnecessary intrusions into their right to be left alone.  On the other hand, determining appropriate civil remedies for violations of these laws is difficult because injuries resulting from a privacy breach are often unquantifiable.

Statutory damages offer a solution for many of these competing problems.  The prospect of a set monetary recovery of $100, $1,000, or even $5,000 for each violation of a privacy law may incentivize plaintiffs to pursue claims for violations when they otherwise would not bother to do so.  Statutory damages also provide a solution to the problem of actual damages being difficult to quantify.  Making a company or individual liable for a specific amount of statutory damages for each violation creates a financial deterrent to unscrupulous behavior and an inducement to adopt measures that protect customer and other consumer data. 

Statutory Damages and Class Actions

Despite these laudable goals, the ability to aggregate statutory damages across large populations of consumers makes privacy laws with statutory damages remedies highly susceptible to abuse.  Statutory damages cases are an attractive target for consumer class actions because the pre-specified amount and the arguably automatic nature of the remedy can eliminate key barriers to class certification in consumer class actions, such as proof of specific injury and damages.  Aggregating thousands or even millions of individual claims for statutory damages creates the potential for huge monetary exposure, and therefore huge settlements.  Huge settlements, in turn, create huge contingent fees.

Statutory damages class actions often threaten companies and individuals with annihilating civil exposure for technical violations of laws that do not create any appreciable injuries to consumers, or that are far in excess of any actual injury.  The exposure is often so large that the amount of the potential recovery alone can be used as leverage to convince a defendant to settle, regardless of the merits of the underlying claims.

Privacy Laws with Statutory Damages or Penalty Remedies

Laws providing for statutory damages or penalties in the privacy area generally fall into two categories: 1) laws prohibiting certain acts of invasion of privacy; and 2) laws prohibiting the intentional or negligent disclosure of private information.

An example of a statute prohibiting invasions of privacy is the federal Telephone Consumer Protection Act (TCPA),[1] which prohibits unsolicited automated communications, including faxes and robo-calls.  Courts have recently interpreted the TCPA to also prohibit unsolicited text messages.[2]  Statutory penalties for violations start at $500 per call and can be trebled to $1,500 for willful and wanton violations.[3]

There are numerous laws imposing statutory penalties for intentional or negligent disclosures of personal information.  These laws have recently been the subject of class actions arising from data breaches in various contexts.[4]   California’s Confidentiality of Medical Information Act (CMIA) entitles a person to $1,000 in “nominal” damages for a release of confidential medical information.[5]  The CMIA has recently been the subject of numerous data breach class actions against hospitals and other health care providers.  These suits have arisen out of thefts of computers or other unintentional acts that allegedly compromised patient data, notwithstanding the lack of any evidence of identity theft or other unauthorized use of the data following the theft.  The remedies sought by the plaintiffs in some of these cases exceed $1 billion in “nominal” damages.

The Debate over Class Actions for Annihilating Statutory Damages

Proponents of class actions for statutory damages or penalties may argue that they are a necessary deterrent to intentional, reckless, or negligent behavior, and that they are justified by the difficulty in assessing damages for real but unquantifiable harm. Even conceding that these objectives are legitimate, the existence of legitimate objectives doesn’t answer the question of whether allowing aggregated statutory damages is the best way to achieve them.  Deterrence can also be achieved through existing regulation and governmental oversight.[6]  In practical application, data privacy class actions often do little to provide affected individuals with any significant monetary recovery.  Settlements in privacy cases often involve no direct monetary benefits to class members because the per-person settlement amount would be too small to justify the cost of distributing the funds.[7]

Proponents also argue that privacy class actions are usually settled for far less than the maximum amount of possible statutory damages, so damages in these cases are not in fact annihilating.  This pragmatic argument is hardly a justification for creating the threat of potentially bankrupting liability for trivial breaches of privacy interests. What’s more, the possibility of an astronomical statutory exposure that bears no reasonable nexus either to any conceivable harm or wrongdoing by the defendant puts the court in an impossible situation in evaluating the fairness of any settlement.  In a case where the possible statutory damages are $1 billion, what is a fair settlement?  $1 million?  $10 million?  $100 million?  If legislation provides no guidance for this question, the court’s decision becomes arbitrary.  If no one really believes that the full amount of the statutory damages will ever be awarded, the law should reflect that reality.

Existing Judicial Solutions

Court decisions have tempered the devastating impact of statutory damages class actions in some circumstances, but each judicial solution has its loopholes.

In some contexts, the lack of injury prevents statutory damages class actions from being pursued in the federal courts on the ground that the Article III injury-in-fact standing requirement has not been satisfied.[8]  However, state law standing requirements are often less stringent, and standing can often be established simply where a person is within the class of persons intended to be protected by a statutory damages scheme, whether or not the person suffered any measurable injury.[9]

By contrast, at least one state, New York, has a specific statute prohibiting class actions for statutory penalties.  In Shady Grove Orthopedic Associates v. Allstate,[10] however, the United States Supreme Court held that the New York law is a procedural law that does not apply in federal court actions involving New York disputes; therefore, it held that a class action for statutory penalties under New York law was not barred in the federal courts.[11]

One argument raised in early class actions involving potentially annihilating statutory damages liability was that the potential of putting a defendant out of business defeated the superiority element required for class certification.  Courts found that class actions were not the superior means of resolving claims because the potential liability in a class action would put the defendant out of business and because statutory penalties themselves facilitated individual lawsuits.[12]  More recently, as illustrated by the Ninth Circuit Court of Appeals’ decision in Bateman v. American Multi-Cinema, Inc.,[13] courts have rejected the idea that the potential for annihilating liability is a basis for finding a lack of superiority.

As in the context of large punitive damages awards, due process may provide a limitation on aggregation of statutory damages.   The practical problem with this limitation is that the defendant may have to incur a judgment for the excessive amount before most courts will consider the due process issue ripe for review.[14]

Paths to Reform

Reform must start with legislative recognition that creating a statutory damages remedy will likely transform the statute into a magnet for class actions.  In view of this reality, statutory damages provisions should be limited in such a way that they are not susceptible to abuse through the aggregation of claims in a class action.  Examples of potential limits on statutory damages provisions include 1) prohibiting aggregation of statutory damages in class actions altogether; 2) placing specific statutory caps on the amounts that can be awarded in class actions; 3) limiting the individual amounts that could be awarded depending on the number of claimants in a particular case; or 4) permitting only opt-in collective actions that require the affirmative participation of each plaintiff.

Even these sorts of limitations would not be a perfect solution, however.  Limiting class recoveries solves the problem of creating unintentionally high liability, but it also creates the problem of individual awards being so small that they cannot economically be distributed to class members.  It may be that statutory damages are simply irreconcilable with class action litigation.



       †     Mr. Karlsgodt is a partner at Baker & Hostetler LLP in Denver, where he serves as the Denver Office Litigation Coordinator and is the national chair of the firm’s Class Action Defense practice team.  He is the editor and primary contributor to the legal blog  Paul Karlsgodt served as Articles Editor for the University of Denver Law Review in 1996-97.

       [1].     47 U.S.C. § 227 (2010).

       [2].     Satterfield v. Simon & Schuster, Inc., 569 F.3d 946 (2009).

       [3].     Another example is the California Privacy Act, Section 630 et seq., California Penal Code, which prohibits monitoring or recording of confidential telephone conversations without the consent of both parties to the conversation, and imposes a statutory penalty of $5,000.

       [4].     Two examples include the federal Fair and Accurate Transactions Act (FACTA), 15 U.S.C. § 1681c(g)(1) (2012), which prohibits merchants from printing more than five digits of a consumer’s credit card number on a credit card receipt and imposes damages of “not less than $100 and not more than $1,000” per violation, and the Video Privacy Protection Act, 18 U.S.C. § 2710 (2013), which prohibits disclosure of consumer data about consumers’ video habits and imposes up to $2,500 per violation.

       [5].     Cal. Civil Code § 56.36(b) (West 2013).

       [6].     See, e.g., Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111-5, 123 Stat. 115 (2009), and regulations promulgated pursuant to the Act.

       [7].     See, e.g., Preliminary Approval of Class Settlement and Provisional Class Certification Order, Fraley v. Facebook, Inc., No. CV-11-01726-RS, 2012 WL 6013427, at *1 (N.D. Cal., Dec. 3, 2012).  The settlement as preliminarily approved in Fraley entitles class members to make a claim for a cash award of up to $10 out of a common fund, but if the number of claimants is so high that each claimant’s proportionate share would be less than $5, then the entire amount will be paid to charity.  See Joint Motion for Settlement, Fraley, No. CV-11-01726-RS (N.D. Cal., Dec. 3, 2012); Joint Motion for Preliminary Approval of Revised Settlement (dated October 12, 2012), Fraley, No. CV-11-01726-RS (N.D. Cal., Dec. 3, 2012), Attachment 1.

       [8].     See, e.g., Willey v. J.P. Morgan Chase, N.A., No. CV-1397-CM, 2009 WL 1938987, at *9 (S.D.N.Y. July 7, 2009); but see Resnick v. AvMed, Inc., 693 F.3d 1317, 1323-24 (11th Cir. 2012) (holding that plaintiff “alleged sufficient facts to confer standing.”).

       [9].     See, e.g., Jasmine Networks, Inc. v. Superior Court, 180 Cal. App. 4th 980 (2009).

     [10].     130 S.Ct. 1431 (2010).

     [11].     Id. at 1444.

     [12].     See, e.g., Spikings v. Cost Plus, 2007 U.S. Dist. LEXIS 44214 (C.D. Cal. May 25, 2007).

     [13].     623 F.3d 708 (9th Cir. 2010).

     [14].     See Parker v. Time Warner Enter. Co., 331 F.3d 13, 21-22 (2d Cir. 2003) (holding that due process issue was premature at the class certification stage because the threat of annihilating damages remained hypothetical).  One way that some courts have addressed due process concerns is through the common law doctrine of remittitur. See Sony BMG Music Enter. v. Tennenbaum, 721 F. Supp. 2d 85, 121(D. Mass. 2010) (granting Defendant’s Motion for New Trial or Remittitur “in so far as it seeks a reduction in the jury’s award on the grounds that it is so grossly excessive as to violate the Constitution”).