Presenting the inaugural column of Profiles in California Privacy Law, where we explore the many ways in which California privacy lawyers practice and what makes them tick.
Edelson’s Aaron Lawson – A Dynamic Plaintiffs’-Side Privacy Litigation Practice
Interviewed by Jennifer Oliver
Q: When did you decide to become a privacy lawyer? Or did you?
A: I definitely didn’t grow up necessarily thinking I would become a privacy attorney. After law school graduation I went to work as a staff attorney for the 7th Circuit in Chicago. When I left in 2015, the legal market was just recovering. I was open minded about what I would do next but I was also realistic, I had no illusions of grandeur. It was sheer luck that I ended up at Edelson. It was a firm I had noticed before due to their eye catching website, and I had kept tabs on them, but I thought I’d need to put in my dues somewhere else before I could grab a position there. But as it happened Edelson had just done some internal restructuring and out of that effort the Issues and Appeals group was born, and they were looking for people to join. I ended up getting an interview for that position through a headhunter in Chicago. At the time I was resigned to going to a “big firm,” but wasn’t really looking forward to it, so I jumped at the position. Before my interview I researched the firm’s work on PACER and thought it was really high quality. That really stood out to me because one of the big lessons I learned in my time with the court to that point is how bad most legal work is. Anyway, I got the job. So, I never set out to be a privacy lawyer, but I am glad it worked out this way. At the time it was an emerging field but now law students now come in to interviews and can speak intelligently about these issues and have a background in cybersecurity.
Q. What advice would you give those modern aspiring privacy lawyers?
A: I don’t think there is necessarily a specialized route to take. In fact, I think you run the risk of overspecializing. What is required is just the basic lawyer skills you would use in any area of law. It is a fast paced and evolving area of law, so there is no point in trying to get your head around it before you’re in it. Just build a base.
Q: Can you tell us a little about the type of work you do?
A: I am usually on the plaintiffs’ side. In the privacy space especially our practice focuses on class actions, and therefore usually on statutory privacy violations, although we’ll look for any angle when something big happens in the “privacy world.” Two of the bigger name cases in this regard right now are the Facebook biometric case in the Northern District of California, that’s in the settlement phase. And we have a TCPA case against ViSalus up in Oregon that actually went to trial, and we have a verdict. It used to be the case that this was substantially all of our portfolio, but as privacy cases have become more lucrative, we’ve had to branch out as other players have kind of entered the field. One of the changes we made was to begin to represent public plaintiffs, rather than exclusively private ones. One issue, particularly in private litigation, is how to value privacy. We tend to come into cases where parties are diametrically opposed regarding the value of privacy. You know, the defense position is invariably that some privacy invasion caused no quantifiable harm. Its why we focus so much on statutes, but that really limits the impact your litigation can have. I think this is one reason to be excited about the CCPA. Anyway, kind of reflecting the way my firm’s practice has diversified, right now I am working on a hodge podge of items. I do some work on our cases representing state and municipal governments in privacy cases. I am also working on some non-privacy consumer protection cases, an ERISA case, et cetera.
Q: What have been some of the most interesting cases you have worked on in your privacy career?
A: Spokeo was perhaps my most interesting case since it was a the Supreme Court and the justices produced this delphic opinion that gave something to everyone. When something goes up to the Supreme Court like that you obviously spend a lot of time thinking about it, so maybe this was my most interesting case by default. But here, too, everyone was struggling with what to do with that opinion, and it kept coming up over and over in privacy cases because, again, we all have vastly different notions of how to value privacy. So I got to live with Spokeo really for years. The Facebook biometric case was also interesting, that’s another one that involved a Spokeo question, but there were plenty of other moving parts there, too, and of course we were deep in trial prep when that settled, so just procedurally that one was fascinating for me.
Q: What do you view as the emerging issues in the field?
A: I think data breaches are where we’ll see the most development in the privacy space in the next few years. More and more companies are collecting more and more data, so its a pretty target-rich environment for bad actors, plus a lot of companies don’t seem to put as much emphasis as I, personally, think they should on securing customer data. I feel like a broken record, but again the big hurdle is how we value consumer data and harm from data breaches. Statutory damages regimes aren’t moving quickly, though at least there was progress in California in this regard. Still, one thing I’ve learned is that pro-consumer legislation can often be pretty quickly undone at the state level (the California initiative process notwithstanding). Plaintiffs can talk until they are blue in the face about how important data is, but defendants push back and courts haven’t really accepted the strong version of the plaintiff-side theories yet. Still, we know companies outside of litigation recognize the value of data. Back in 2019, for instance, it was revealed that Facebook was paying users $20 a month to collect data on user’s phone and web activity. Like, that’s a pretty clear statement about how valuable that data is. And, personally, I don’t think its crazy to say the companies who collect this data should be incentivized to keep it safe. And money is what gets companies to take action; this is the natural way that law evolves. Think about tort law as an example, you incentivize actors in the position to take precautions to do just that. Consumers are not in a position to protect their own data once it is surrendered, we must incentivize companies to take the precautions. I think that will happen eventually.
Q: So what is your special sauce, if you will tell us. How do you vet the cases?
A: Our firm has an in house team of technologists always investigating things. We also essentially crowdsource. There are people in cybersecurity fields generally who are deconstructing apps and looking at server traffic and things like that, and our team monitors that work. And another thing, too, is that you have to always be thinking about what a successful resolution looks like and whether you think that can be achieved. One thing we’ve always emphasized is, kind of in line with what I was just saying, is that people should get actual cash relief for privacy violations, and I wish more privacy attorneys kept their eye on the cash ball. The plaintiff’s bar seems to overemphasize credit monitoring. Everyone already has it! If you’re after injunctive relief, there are other types of injunctive relief are also available, for example changes in security procedures. But, like I said, if you really want people to notice, money talks.
Q: If data breaches are so prevalent that everyone already has credit monitoring are companies less incentivized to worry about them?
A: That’s a great point, and something I’m not sure I’d really considered before. But I think no, because it is still terrible PR for the company. Still, this is another way in which the CCPA might be beneficial. But on the other hand, CCPA compliance costs are very high, and one of the unintended consequences is that smaller companies without the resources to get into compliance ended up much worse off. And in the long run that means the bigger companies survive and hold more of your data. I’m not sure that’s the best outcome.
Q. What is different about your privacy cases compared to the other type of consumer protections cases you work on?
A. The cases are not really unique. As far as settlements go, the claims rates are about the same and the objections to the settlements are the same. Maybe the biggest difference is the reaction of the judges. Judges are still getting used to privacy cases which may involve technology or harms that are new or unfamiliar. Like, everyone understands false advertising, even if you’re talking about a product that was only $5. My sense is that privacy cases aren’t always met with the same acceptance. For instance, you don’t have to do any work (or at least much work) to get a judge to at least briefly take an ERISA claim seriously. That’s not always true with privacy cases, especially the smaller ones.
Q: How do you spend your time when you aren’t working on privacy cases?
A: I like to hang out with Piper, my golden retriever. I’m also a pretty avid fan of basketball and soccer.