Top Privacy and Cybersecurity Trends of 2021Year in Review: 2021’s Top Privacy and Cybersecurity Trends

Year in Review: 2021’s Top Privacy and Cybersecurity Trends

Despite the ongoing COVID-19 pandemic, 2021 proved to be another incredibly busy year for consumer privacy and cybersecurity. In this blog post, we revisit some of the most important domestic and international privacy and cybersecurity trends of the past year. 


New State Consumer Privacy Laws 

On the heels of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), Virginia and Colorado became the next two states to enact comprehensive consumer privacy laws. Signed into law by Governor Ralph Northam back in March, the Virginia Consumer Data Protection Act (VCDPA) becomes effective on January 1, 2023 and applies to all companies who operate a business or produce products or services that are targeted to residents of Virginia and meet certain thresholds. Months later in July, Governor Jared Polis signed the Colorado Privacy Act (CPA) into law. Set to go into effect on July 1, 2023, the CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and meet certain thresholds. Both the VCDPA and the CPA carve out several exemptions for entities that are already covered under the privacy and security requirements of other federal laws. Unlike the CCPA and the VCDPA, however, the CPA does not provide an exemption for non-profit organizations. Furthermore, neither the VCDPA nor the CPA offer a private right of action. 

Other notable state privacy developments include New York’s new rules on employee electronic monitoring as well as Nevada’s SB260 amendment, which expanded the right to opt-out of sales and created new requirements for “data brokers”. 

As we head into 2022, we anticipate that the patchwork of state consumer privacy laws will continue to grow. Octillo recommends that businesses take proactive steps to first evaluate what laws and regulations apply to their business and then develop a comprehensive roadmap and plan to mature their data privacy and security posture both internally and externally.   


Continued Focus on Cybersecurity 

Threat actors in 2021 continued to launch increasingly sophisticated ransomware and cyberattacks against businesses of all sizes and in all industries. In the wake of highly disruptive attacks such as SolarWinds and the Colonial Pipeline ransomware attack, both the federal government and also state governments sought to increase their focus on cybersecurity standards. For example, the New York State Department of Financial Services (NYDFS) issued guidance to cyber insurers in the form of the Cyber Insurance Risk Framework. The Cybersecurity and Infrastructure Security Agency (CISA) also regularly issued advisories informing businesses of vulnerabilities. In an effort to secure critical infrastructure, President Biden signed an Executive Order on “Improving the Nation’s Cybersecurity” in May. The new Civil Cyber-Fraud Initiative announced by the Department of Justice back in October further indicates the increasing importance of developing and maintaining resilient cybersecurity protocols.  

The federal government’s response to this year’s exponential increase in ransomware attacks has led several high-profile threat actors – such as DarkSide, REvil, and Black Matter – to take their dark web platforms offline.  At the same time, however, new variants of ransomware are constantly emerging and there is significant evidence that experienced cyber criminals are rebranding to evade law enforcement rather than shutting down their operations.   

In this complex threat landscape, companies across industries are wisely seeking to secure or renew cyber liability coverage in an increasingly competitive market.  Insurers are asking meaningful questions about applicants’ security programs and expecting strong safeguards in place.  For organizations of all sizes, the past year has shown that cybersecurity incidents are now a question of when rather than if.  

Octillo’s Incident Response Team urges businesses to develop plans and procedures to mitigate cyber and legal risk. Octillo recommends businesses continue to dedicate internal resources to refining compliance programs and testing incident response plans through tabletop training exercises. 


Health Privacy and Compliance Challenges 

Our lives have become increasingly digitized, and 2021 was no different – especially with the COVID-19 pandemic. The proliferation of apps and technologies handling personal health data led the FTC to confirm back in September that the requirements contained in the agency’s Health Breach Notification Rule extend to health apps and connected device companies. And as the world continued to operate under the shadow of the COVID-19 pandemic, businesses faced – and will continue to face – uncertainty regarding new federal vaccination and testing policies. Octillo’s Data Security and Privacy Compliance and Health Law Teams recommend businesses take stock of their employee data collection practices in their efforts to prevent the spread of COVID-19. 


Biometrics Class Actions, BIPA Claims Accrual, and Statute of Limitations 

In 2021, litigation under Illinois’ Biometric Information Privacy Act (BIPA) remained at the forefront of the data privacy landscape. As we noted back in JanuaryMarch, and April, BIPA’s private right of action has contributed in part to an increase in the number of class actions. In September, the First District of the Illinois Appellate Court found that the statute of limitations period could range from one year to as much as five years depending on the nature of the alleged violation. But as the year closed out, Illinois courts continued to wrestle with the issues of BIPA claims accrual and statute of limitations. As this blog post goes to press, the U.S. Court of Appeals for the Seventh Circuit had just issued its decision in Cothron v. White Castle, certifying the issue of BIPA claims accrual to the Illinois Supreme Court.  


Website Accessibility Litigation and What Counts as a Place of Public Accommodation 

The Octillo Accessibility Team continues to see a drastic increase in litigation filed under Title III of the Americans with Disabilities Act (ADA) as well as the rapidly evolving caselaw surrounding website accessibility claims. 2021 is set to be a record-breaking year, with approximately of 4,000 new lawsuits filed this year alone, with most of these cases filed against small to medium sized businesses. The issue of whether websites qualify as places of public accommodates under the ADA continued to take shape in 2021. For example, in May the Eleventh Circuit Court of Appeals held in Gil v. Winn-Dixie Stores that a website is not a “place of public accommodation” under Title III of the ADA, creating a clear conflict with 9th Circuit authority that has held a website is a place of public accommodation if there is a nexus to a brick and mortar location. In September, the United States District Court for the Eastern District of New York issued a decision in Winegard v Newsday LLC, which also concluded that a website is not a “place of public accommodation” under Title III of the ADA. Despite this unsettled landscape, we anticipate more litigation to come around the specific statutory definition of what constitutes a “public accommodation.” 

Nevertheless, there is no end in sight for companies facing lawsuits under the ADA. Accordingly, Octillo recommends that businesses with any online presence or mobile application take proactive steps and prioritize accessibility internally. Minimizing legal risk through a digital accessibility compliance buildout that includes both a full scale audit of digital assets and internal and external policy development is recommended for all businesses looking ahead in to 2022.  


Telephone Consumer Protection Act (TCPA) 

TCPA class actions are numerous. Octillo’s TCPA team has charted the complex legal landscape surrounding text message marketing and telemarketing throughout the course of 2021. In April, we covered the decision by the Supreme Court of the United States in Facebook v. Duguid et al., which narrowed the scope of the TCPA down to systems that utilize random number generators. In November, we covered Florida’s new telemarketer requirements. As we head into 2022, TCPA compliance will continue to be an important area of focus for businesses. Businesses that leverage text messaging marketing as part of their consumer outreach should evaluate compliance initiatives and stay up to date on this fast moving area of the law. 


More Global Privacy and Cybersecurity Developments 

Privacy and cybersecurity continued to be areas of significant focus on an international scale. For example, China’s new Data Security Law (DSL) and new Personal Information Protection Law (PIPL) became effective on September 1 and November 1, respectively. Along with the Cybersecurity Law (CSL) of 2017, these two new laws have added a set of new cross-border requirements for international companies seeking to do business in China. Furthermore, following the Schrems II decision, which invalidated the EU-US Privacy Shield, the EU Commission released new standard contractual clauses (SCCs) intended to provide more flexibility and options for cross-border data exchange. The new SCCs are applicable for all new contracts entered into as of September 27, and businesses have until December 27, 2022 to transition all contracts using the older SCCs to ones with the new SCCs. Additionally, Québec’s Bill 64, which received royal assent a few months ago, has a series of new requirements coming into effect within the next couple of years for businesses both within and outside the province. 

On the global data privacy class action front, the UK Supreme Court’s recent decision in Lloyd v. Google suggests that opt-out class action cases for data privacy claims will be very difficult to bring. 


Conclusion and Key Takeaways 

In the midst of the ongoing COVID-19 pandemic and a rise in sophisticated cyberattacks, 2021 saw many privacy and cybersecurity trends and developments. There were new laws and regulations on both a domestic and an international scale. Case law in relevant areas developed rapidly, with some issues still unresolved as we embark on 2022. Things do not seem to be slowing down at all in the realm of privacy and cybersecurity. Octillo’s team of attorneys and technologists work with businesses of all sizes and industries to develop comprehensive scalable data security and privacy infrastructures to navigate this fast moving area. 

*Attorney Advertising. Prior results do not guarantee similar outcomes. 

Subscribe to our newsletter. 

New York Employee Electronic Monitoring RuleNew York’s New Rules on Employee Electronic Monitoring

New York’s New Rules on Employee Electronic Monitoring

On November 8, 2021, New York Governor Kathy Hochul signed into law Senate Bill 2628 / Assembly Bill 430, making New York the third state, following  Connecticut and Delaware, to require employers to provide notice of electronic monitoring to employees.


Who is covered?

The new law defines employers as “any individual, corporation, partnership, firm, or association with a place of business in the state.” The definition does not “include the state or any political subdivision of the state.”


What is required?

“Any employer who monitors or otherwise intercepts telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage of or by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems, shall give prior written notice upon hiring to all employees who are subject to electronic monitoring.”

Such notice must be: (1) in writing, in an electronic record, or in some other electronic form; (2) acknowledged by the employee either in writing or electronically; and (3) conspicuously placed and readily available for employees.

Please note that the requirements of this new law do not apply to electronic mail, telephone, and internet usage processes that are “performed solely for the purpose of computer system maintenance and/or protection.”



The new law allows for enforcement by the attorney general. The maximum civil penalty for the first offense is $500. The maximum civil penalties for the second and third offenses are $1000 and $3000, respectively.


Effective Date

This new law takes effect on May 7, 2022.

Considering the evolving legal landscape and impending laws such as the recent employee electronic monitoring law enacted in New York, the Octillo Compliance team recommends that companies review existing policies and procedures.  Employee notices, Acceptable Use policies, and Employee handbook provisions are among the items that should be reviewed annually to be sure the representations align with any new legal obligations. Companies should also review employee login banners as well as evaluate and audit the process for tracking and documenting employee acknowledgment.

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.


OCCFDIC Final Rule for Banking Organizations Notification RequirementsOCC/FDIC Board Final Rule for Bank Organizations Notification Requirements

OCC/FDIC Board Final Rule for Bank Organizations Notification Requirements

On November 18, 2021, the three primary banking regulatory agencies — the Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC) – jointly approved a final rule with two distinct notification requirements:

  • The rule requires “banking organizations” to notify their primary federal regulator of any significant “computer-security incidents” as soon as possible and no later than 36 hours after the bank determines a “notification incident” has occurred.
  • The rule also requires “bank service providers” to notify any affected banking organization customer of “computer-security incidents” that has “caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.”

The rule goes into effect in April 2022, and requires compliance by May 1, 2022.


Who is subject to the rule?

As explained above, the rule imposed distinct requirements “banking organizations” and “bank service providers.”

Banking organizations” generally include any organization that is regulated by the OCC, the Board, or the FDIC. Specifically:

  • For the OCC: “national banks, federal savings associations, and federal branches and agencies of foreign banks.”
  • For the Board: “all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations.”
  • For the FDIC: “all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations”

The rule expressly excludes designated financial market utilities (“FMUs”) from its definition of “banking organization” and “bank service provider.” See 12 U.S.C. § 5462(4). To the extent an FMU is supervised by the Securities and Exchange Commission (“SEC”) or the Commodity Futures Trading Commission (“CFTC”), the FMUs are subject to any notification requirements imposed by those agencies. See e.g., SEC Reg. SCI, 17 CFR 242.1000 (SEC); 17 CFR 39.18(g) (CFTC).

When making the rule, the agencies also considered a rule being on “additional entities, such as financial technology firms and non-bank OCC-chartered financial services entities, to the extent the agencies have jurisdiction over those firms.” In the end, the agencies simply concluded that the definition of banking organization under the rule was “consistent with the agencies’ supervisory authorities.”  To the extent that a banking organization is required to make a notification under the rule, that notification must go to the agency with primary regulatory oversight over the organization.

A “Bank Service Provider” includes persons and companies performing “covered services” subject to the Bank Service Company Act, 12 U.S.C. 1861-1867 (“BCCA”). The definition is vague, but the Agencies’ rulemaking explains that the purpose of the definition was to encompass any company that provides services to a banking organization that could be involved in a service disruption.


When is notification required?

The respective notification requirements applicable to Banking Organizations and Bank Service Providers are based on the occurrence of a “Computer Security Incident.” For consistency, the Agencies adopted the same definition of “Computer Security Incident” as provided by the National Institute of Standards and Technology (“NIST”). Thus, a “computer-security incident” is “an occurrence that results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.


Banking Organizations

Bank Organizations must provide notification to their regulating agency when a “computer-security incident” rises to the level of a “notification incident.” A notification incident is a “computer-security incident” that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:

  • Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • Business line(s) (any product or service that serves or supports business needs), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • Operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

The definition of “notification incident” is broad enough to encompass any computer-security incident that impacts the banking organization’s general operations. As a practical matter, a banking organization will want to provide notification for any computer security incident that is likely to materially disrupt its operations or services to ensure compliance.

The banking organization must provide notice to the appropriate agency “as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.”


Bank Service Providers

Bank Service Providers’ notification requirement is triggered by the occurrence of the computer-security incident that has or is reasonably likely to “materially disrupt or degrade” the services it provides the bank for four or more hours. The rule makes clear that scheduled maintenance, testing, or software updates that have been previously communicated to the banking organization are not subject to the rule’s notification requirement.

The bank service providers must provide notification to the designated point of contact at each banking organization at which any customer will be impacted by the bank services provider’s degradation or disruption of service. The bank service providers must provide notification “as soon as possible.”



The joint new rule from OCC, Board, and FDIC is consistent with a recent trend of varying state and federal regulatory bodies imposing independent notification obligations related to a data incident.

The imposition of new notification requirements may lead to the imposition of inconsistent notification requirements (e.g., the Agencies’ rule conflicts with the state incident notification laws). The rule could place the banking organizations between a rock and a hard place. For example, the banking organization could determine that notification is required under the new rule but may need additional time to determine if notification to state agencies and customers is necessary. The perceived delay may serve as a justification for the imposition of fines or to support a theory of liability in litigation related to the incident.

The proper timing for notification will always be a case-by-case decision. Banking organizations and bank service providers should work closely and proactively with experienced incident response counsel to ensure compliance with notification laws and to mitigate against creating any bases for the imposition of penalties or civil liability.

Octillo closely monitors developments in laws and regulations governing cybersecurity. Octillo’s team of highly skilled attorneys and technologists are uniquely situated to assist clients as they navigate these changes.

*Attorney advertising: prior results do not guarantee similar outcomes.

Sources: 12 C.F.R. Part 53; 12 C.F.R. Part 255; 12 C.F.R. Part 304

Copy of the final rule:

Florida Changes its Telemarketing LawsFlorida Imposes Stricter Restrictions for Telemarketers – Changes to the TCPA Landscape

Florida Imposes Stricter Restrictions for Telemarketers – Changes to the TCPA Landscape

Recently, the State of Florida amended its laws governing telemarketing that have a strong impact on telemarketing and text message marketing targeting Florida residents (and to Florida area codes). These include the amended Florida Do-Not-Call Act (Fla. Stat. Ann. § 501.059) and the Florida Telemarketing Act a/k/a Florida’s “Mini-TCPA” (Fla. Stat. Ann. 502.601, et seq.) (collectively “Florida Laws”).

Impacts of the Florida Laws

The Florida Laws provide a right of action similar to those under the Telephone Consumer Protection Act (“TCPA”). (See Octillo’s article for more information about the TCPA and considerations for text marketing).  Importantly, the Florida Laws create stricter restrictions on telephone solicitations (i.e., sales calls) and commercial telephone calls than those under the TCPA, TCPA regulations, and recent caselaw.

More Complex Restrictions to Navigate

The Florida Laws include requirements that deviate from or are more restrictive than those under the TCPA, TCPA regulations, and recent caselaw (in particular, the U.S. Supreme Court’s recent narrow interpretation of “automatic telephone dialing system” or ATDS). (See Octillo’s article on the SCOTUS decision here).

The Florida Laws are a hot topic and growing concern for businesses, including the contact center industry. On behalf of this industry, the Enterprise Communications Advocacy Coalition (ECAC) recently filed a petition asking the Federal Communications Commission (FCC) to interpret and preempt certain provisions of the Florida laws that “create a more restrictive environment” than the TCPA and TCPA Regulations and “frustrate the federal objective of creating uniform national rules and therefore must be preempted.” See

The most prominent aspects of the Florida Laws that have the potential to impose more restrictive requirements include:

1. Requirements Extend to Florida Residents & Florida Area Codes

The Florida Laws create a rebuttable presumption that telephonic sales calls made to any area code in Florida are made to residents or persons within the state at the time of the call.


2. Call Time Restrictions Changed

The times restrictions under the Florida Laws narrow the permissible call time window period by one hour (from 9 p.m. to 8 p.m.). This one-hour reduction arguably places an increase costs burden, in particular – on telemarketers.


3. New Three Call Frequency Limit

The Florida Laws include a call frequency limit of three “commercial solicitation phone calls” in a 24-hour period on the same subject matter/issue from any number. Imposing this limit when the TCPA does not include a similar limitation could impact telemarketers conducting nationwide calling campaigns.


4. Caller ID Restrictions Changed

The Florida Laws ban the use of technology that “deliberately displays” different caller ID number to conceal the true identity of the caller. This arguably conflicts with the FCC’s TCPA regulations that permit the use of such technology subject to conditions.


5. Automated Equipment/System Undefined & Broader Than ATDS

Under the Florida Laws the term automated system/equipment is not defined and arguably broader than the recent narrow interpretation of ATDS under the TCPA. This could open the door wider for litigation in Florida.


Private Right of Action & Potential Lawsuits   

The amended Florida Do-Not-Call Act creates a private right of action for a called party to sue and recover actual damages, or $500 per violation (whichever is greater) plus attorney’s fees and costs.

Tighter restrictions coupled with the private right of action may lead to increased litigation related to telemarketing and text messaging activities targeting Florida residents or area codes.  A series of civil actions (over 30) were filed since the Florida Laws took effect on July 1st, most dismissed or currently pending.  The Octillo team is watching these cases carefully.


Next Steps for Businesses Marketing to Florida Residents or Florida Area Codes 

As we continue to watch the response to the Florida Laws, marketing teams can take the steps below now to address and incorporate applicable requirements and help mitigate legal risk.

  • Review telemarketing and text marketing practices in light of Florida restrictions
  • Update policies and procedures to comply with Florida requirements
  • Update automated dialing systems/equipment to meet Florida requirements
  • Conduct due diligence/review of vendor systems/equipment used and evaluate compliance with Florida requirements
  • Keep an eye out for a potential increase in litigation

Managing compliance of telemarketing and text message marketing remains a complex issue and the emergence of state-specific requirements such as those under the Florida Laws adds an additional layer of complexity. Businesses should remain proactive and vigilant in maintaining compliance best practices for telemarketing and text message activities.  The Octillo team has deep experience guiding marketing teams and organizations managing compliance and litigation matters under the full spectrum of laws and regulations governing telemarketing and text message marketing.

For more information regarding the Florida Do-Not-Call Act, Florida Telemarketing Act, the TCPA, or related marketing questions email Octillo Member Myriah Jaworski at

*Attorney Advertising: Prior results do not guarantee similar outcomes.

Subscribe to our newsletter.




What's next for UK Data Privacy?UK Decision Further Restricts Potential Class Privacy Actions and Sheds Light on Required Damages for Data Protection Claims

UK Decision Further Restricts Potential Class Privacy Actions and Sheds Light on Required Damages for Data Protection Claims

On November 10, 2021, a unanimous decision by the UK’s Supreme Court in Lloyd v. Google in favor of Google rejects an attempt to bring opt-out class action cases for data privacy claims in the UK.

In the UK, a robust class action regime for the field of data protection does not currently exist, and the Lloyd decision reflects a rejection of class action or representative actions in the data privacy realm Unlike the UK, a class action regime that allows for mass claims (including opt-out cases) has long existed in the US. Further, class action claims in the US have extended beyond traditional privacy tort claims to other claims related to data privacy (e.g., for violations of consumer protection laws and recently enacted data privacy laws such as the CCPA).

Background of Lloyd v. Google LLC  

Plaintiff Richard Lloyd filed an opt-out mass privacy action in English courts against Google relying on an old Civil Procedure Rule 19.6 which permits representative actions. Lloyd sought to bring the mass privacy action on behalf of 4.4 million allegedly affected iPhone users as a representative action for breach of Section 4(4) of the Data Protection Act 1998 (“DPA”).

Lloyd alleged that Google had breached its duties as a data controller under Section 4(4) of the DPA. Google allegedly used a workaround to capture user browser data from iPhone users when visiting a site with Google content after Apple enabled the automatic blocking of third-party cookies in its Safari browser. Lloyd alleged that the use of Google’s Safari workaround secretly tracked and captured data from millions of Apple iPhone users (between late 2011 and early 2012) without the users’ knowledge or consent.

Further, Lloyd argued that an individual is entitled to compensation under Section 13 of the DPA whenever a data controller fails to comply with any of the requirements of the DPA in relation to that individual’s personal data without proof of damages, provided that the breach is not trivial or de minimum. Lloyd sought a uniform amount of damages for all individuals without proving damage for all on basis of “loss of control” (or “user”) damages, a lowest common denominator of loss suffered by every individual by reason of the breach. Lloyd argued that because the loss of control of data has value, the users were entitled to compensation for that value of that loss.

In the High Court, Lloyd had to show a reasonable prospect of success to serve Google out of jurisdiction to move the case forward.  Google contested Lloyd’s claim on two grounds:

  • damages cannot be awarded under the DPA for “loss of control” of data without proof that it caused financial damage or distress; and
  • the claim, in any event, is not suitable to proceed as a representative action.

The High Court held in favor of Google on both issues and refused permission to serve Google.

Then, Lloyd appealed and the Court of Appeals which allowed it, reversed the High Court’s decision, and granted permission to serve Google.

Finally, Google appealed to the Supreme Court where the case captured more attention and triggered various intervening parties including UK’s Information Commissioner’s Office (ICO).

UK Supreme Court Decision

The issue brought before the Supreme Court on whether Lloyd should have been refused permission included three key questions:

  • Whether members suffered damages within the meaning of section 13 of the DPA 1998?
  • Did the class share the “same interest,” as required for a representative action to proceed?
  • Should the court exercise its discretion to disallow the representative action?

1. Damages for Loss of Control

The Supreme Court rejected Lloyd’s argument that “loss of control” damages without proof was within meaning of the DPA.    

Meaning of Damages

The Supreme Court held that to recover compensation under the DPA proof of material damage or distress are required: “to recover compensation [under the DPA] for any given individual, it would be necessary to show both that Google made some unlawful use of personal information relating to that individual and the individual suffered some damage as a result.”

The Supreme Court considered the wording of Section 13 of the DPA which states that a person who suffers damage from contravention by a data controller of any requirements of the act (or damages suffered from distress meeting specific conditions of Section 13) is entitled to compensation for that damage or distress.  It also noted that the intent behind the wording of Section 13 of the DPA was to implement Article 23 of the GDPR which provided compensation from a controller for damages suffered, i.e., material damage.

Thus, requiring only proof of breach would be inconsistent with the DPA.

Loss of Control Damages for Data Protection Violation

Lloyd argued that the same rule for “loss of control” or “user” damages without proof of damages permitted for claims for the tort of misuse of private information should apply to the claim for the violation of the DPA. Lloyd claimed this was appropriate because they are based on the same right to privacy.  In the tort cases, loss of control compensation was available for wrongful use of property, even without financial/physical damage.

The Supreme Court rejected Lloyd’s argument that the same rules for loss of control or user damages should apply. It emphasized distinctions between the common law tort claim of violation of privacy for misuse of private information a claim for a violation of a data protection law (e.g., the tort claim requires a reasonable expectation of privacy).  Further, the court noted that Lloyd did not bring a claim for misuse of the data collected by Google but rather a violation of the DPA.

Thus, loss of control damages without proof did not apply.

2. Representative Action

Most critically, the Supreme Court found that a representative action, in this case, would fail.

The Supreme Court held that recovery under the DPA requires proof of unlawful use and material damage or distress suffered as a result. The Supreme Court said that Lloyd had to show that each of the individuals of the class had both suffered a breach and suffered damages as a result of that breach. Thus, the use of a representative action as a method for recovery without proving either will fail.

In the decision, the Supreme Court rejected the argument for a representative action for breach of the DPA. Further, the Supreme Court determined that a representative action for damages without an individualized assessment for damages would fail.

Representative Action for Breach – Same Interest Test

The Supreme Court evaluated the representative action to establish breach of the DPA and entitlement to compensation based on that breach. The CPR 19.6 permits claims to seek recovery on behalf of a group of individuals where all individuals have “the same interest” in the claim. The court noted that the CPR 19.6(1) requires proof that all individuals  have the “same interest” in claim as the representative and this test was not met.

However, the court noted that Lloyd could have framed the claim differently and adopted a bifurcated process for the representative action under the Act and individual claims for damages separately. As Lloyd did not seek a bifurcated action, the Supreme Court stated that the only other option for Lloyd was a representative action for damages.

Representative Action for Damages – Uniform v. Individual

The Supreme Court evaluated a representative action for damages and Lloyd’s claims for damages for each class member on “uniform per capita basis.” The court stated that this option fails because the effect of Safari Workaround was not uniform across the class and likely varied by types of users (i.e., super/heavy users v. limited users) and different types and amounts of affected data. Thus, individualized assessment of damages would be required for all class members.

Lloyd argued for no assessment requirement relying on the proposition that the class was entitled to compensation for any (non-trivial) contravention of DPA without the need to prove individual damages. Lloyd argued that all members suffered a loss (damages or distress under the Art) based either on general damages on uniform per capita basis, or the amount that could reasonably be charged for releasing Google from duties.  The Supreme Court rejected both arguments.

Key Takeaways

The Supreme Court unanimously allowed Google’s appeal and restored the dismissal of the case by the High Court.

This decision provides some key takeaways:

  • Claims for Violations of the DPA:
    • Proof of material damages or distress are required for claims for violation of the DPA brought by individuals and groups
    • Representative actions are not suitable for claims for violation of the DPA without evidence of misuse or material damages/distress
  • Other Mass Privacy Claims:
    • Opt-out representative action for damages requires an individualized assessment of damages

Further, the Supreme Court’s decision to reject Lloyd’s attempt to bring an opt-out case against Google shows that opt-out representative actions are likely not possible (or at least very difficult) for data protection actions.

How will this impact future data privacy claims in the UK?

This much anticipated and landmark decision will drastically reduce the number of mass privacy claims brought in the UK due to the heightened evidentiary burden, and deter cases where only minimal evidence of harm as a result of breach exists.

For plaintiffs/claimants, this decision makes it even more difficult for individuals and class counsel to bring a mass privacy claims in the UK without obtaining proof of damages for all potential class members. This could be costly and likely deter many cases but does not completely prevent these types of cases where individuals have suffered actual damages.

For businesses, this decision provides some relief from potential frivolous claims or claims lacking evidentiary support for businesses processing personal information in or about individuals in the UK.

Other pending potential representative actions (awaiting this decision) will likely be prevented from moving forward in UK courts.   However, note, the Lloyd decision focused on the DPA as applied during the claim period (2011 to 2012) and not recent developments in the data privacy framework in the UK (i.e., updates to the DPA and the UK GDPR).

Even in light of the Lloyd decision, the international data privacy landscape remains complex.  Octillo works with its clients on developing international privacy compliance strategies and programs to implement proactive measures to protect personal data and thus reduce the risk of litigation.  Our team of experienced attorneys, who are also devoted technologists, are specially equipped with the skills and experience necessary to provide guidance to navigate the complexities of international privacy frameworks and handle any resulting enforcement actions or litigation matters.

Subscribe to our newsletter.

*Attorney Advertising; prior results do not guarantee similar outcomes. 


1 2 3 12