When a company that collected your personal data negligently fails to secure it, you should have accountability and relief—including standing to sue. 

EFF and our friends at Electronic Privacy Information Center filed an amicus brief in late November pointing this out to the U.S. Court of Appeals for the Fourth Circuit in a case arising from the 130 million consumer records stolen from Marriott in 2018.  We detailed the science and evidence demonstrating that people impacted by such data breaches run the risk of identity theft, ransomware attacks and increased spam, along with corresponding increased anxiety, depression and other psychological injuries. 

The Fourth Circuit’s decision last week didn’t address our arguments; instead it just kicked the can down the road. The appeals court found that the trial court had not properly considered whether consumers had waived their rights to bring a class action by joining Marriott’s loyalty programs— those programs that advertise huge benefits to loyal customers but put the costs you pay (like decreased ability to sue) into the fine print that no one reads. 

We strongly disagree with the suggestion that any Marriott customer meaningfully agreed to waive a class action here. Few if any customers read a hotel loyalty program’s fine-print terms and conditions, much less knowingly waive their right to bring a class action if the company negligently lets their data fall into the hands of thieves. We hope that on remand, the trial court will reject Marriott’s poorly-taken waiver argument, and we can get back to trying to ensure that consumers have real accountability when companies fail to protect the data they increasingly extract from us.  

This decision highlights one of EFF’s criticisms of the proposed American Data Privacy and Protection Act last year. One of the reasons we did not support the bill was that it failed to override bogus waivers such as this.  Privacy laws need to be strong and not full of holes that leave us without protection because of a single click or some tiny fine print that no one reads. We need a strong data privacy law that prohibits waivers and mandatory arbitration requirements letting companies sidestep users’ basic legal rights.  

We’ll keep watching this important case and standing up for your rights both in the courts and in Congress.  

Related Issues

Privacy

Related Updates

Surveillance cameras peering around, each with a social media company icon.
Deeplinks Blog by Sophia Cope, Saira Hussain | September 12, 2023

Federal Judge Upholds State Department Rule Requiring Visa Applicants to Disclose Social Media Information

Since 2019, people applying for a visa to the United States have had to register their social media accounts with the U.S. government as part of the application process. Two U.S.-based documentary film organizations that regularly collaborate with non-U.S. filmmakers and other international partners sued the State Department shortly...

Deeplinks Blog by Joe Mullin | September 8, 2023

The UK Government Knows How Extreme The Online Safety Bill Is

The bill would empower the U.K. government, in certain situations, to demand that online platforms use government-approved software to search through all users’ photos, files, and messages, scanning for illegal content. Online services that don’t comply can be subject to extreme penalties, including criminal penalties.
Three pie-eyed.onions play jumprope together, centered in three concentric circles.
Press Release | August 8, 2023

EFF Launches the Tor University Challenge

SAN FRANCISCO—Electronic Frontier Foundation (EFF) on Tuesday launched the Tor University Challenge, a campaign urging higher education institutions to support free, anonymous speech by running a Tor network relay. Universities answering this call to defend private access to an uncensored web will receive prizes while helping...