106 Iowa L. Rev. 555 (2020)
Abstract
Perhaps nowhere has the pace of technology placed more pressure on the law than in the area of data privacy. Huge data breaches fill our headlines. Companies often violate their own privacy policies by selling customer data, or by using the information in ways that fall outside their policy. Yet, even when there is indisputable misconduct, the law generally does not hold these companies accountable. That is because traditional legal claims are poorly suited for handling privacy losses.
Contract claims fail when privacy policies are not considered contractual obligations. Misrepresentation claims cannot succeed when customers never read and rely on those policies. The economic loss rule thwarts many negligence claims. But undoubtedly the thorniest obstacle is that privacy harms are often not considered cognizable injuries under many common legal theories. Tort, contract, and constitutional standing doctrine all demand some form of concrete injury, but privacy injuries are often too intangible or risk-based to qualify. Thus, no matter how blatantly a company violates its privacy obligations or how porous a company’s data security is, the victims’ lawsuit is often perfunctorily dismissed.
While many commentators have persuasively argued that we should modify these doctrines to better accommodate privacy harms, this article takes a different tack and revives an old, neglected common law approach to address these modern ills. Privacy victims should use the oft-misunderstood law of restitution and unjust enrichment to disgorge the wrongful gains companies earn when they break their privacy policies. This theory also will allow victims to recover any wrongful savings companies retain when they fail to take reasonable data security precautions and instead use deficient cybersecurity. Because unjust enrichment focuses on the defendant’s wrongful gain and not the plaintiff’s injury, this theory can avoid many of the pitfalls associated with the more conventional causes of action privacy plaintiffs typically raise.