Smart companies have been worried about data security for years—no one wants to be in the headlines as the next big company to have a breach, the next corporation to face a class action lawsuit or the next business facing federal or state regulatory scrutiny. It’s only heightened in recent years as companies faced new regulations imposed by the GDPR and the CCPA. Well, things are not getting any better in 2020—now an increasing number of municipalities are getting in on the act.
San Francisco was the first city to have this awakening in 2017. In response to the Equifax data breach on September 7, 2017, San Francisco filed claims against Equifax under California’s Unfair Competition Law (UCL). A few months later, Los Angeles brought a similar lawsuit against Uber claiming that the company paid hackers to delete stolen data and failed to notify consumers of the breach in violation of the UCL. But most state statutes do not give cities standing to bring lawsuits.
Enter Chicago’s consumer fraud, unfair competition or deceptive practices ordinance. Under the ordinance, a violation of the Illinois Consumer Fraud and Deceptive Business Practice Act is now a violation of Chicago’s municipal code. And Marriott International has now become the first company caught in the crosshairs. Late last year, Marriott sought dismissal of the city’s claim in federal court, but U.S. District Court Judge Grimm found [read here] that the city had standing. Judge Grimm noted that Marriott operated hotels throughout Chicago, bringing in significant revenue and boosting tourism, all of which could be loss as a result of Marriott’s data breaches.
But the scope of these municipal privacy regulations are not limited to hotels that boost a city’s tourism industry and tax revenue. Cities are now concentrating on a variety of privacy issues: San Francisco and Los Angeles are focusing on geolocation tracking, Austin is looking at autonomous vehicle data collection and Seattle is examining tech-sector privacy failures. San Francisco, feeling inspired by Chicago’s ordinance, implemented the city’s new “Privacy First Policy,” which regulates the storage and use of personal information by government and private companies.
As municipalities continue to implement local privacy law and policy, one has to wonder if this is overkill. There are already federal agencies, state officials and private individuals to hold companies accountable. Allowing municipalities to bring lawsuits under local ordinances could lead to redundant claims and excessive litigation costs, unnecessarily burdening the judicial system. But these concerns do not seem to be slowing down city leaders who believe that, when a company makes itself part of a city, the municipality should have the right hold the company accountable.