[JumpCrisscross]

This is a decision made regarding Washington state law’s “statutory injury requirement” [1].

It says “a plaintiff must allege an injury to ‘his or her business, his or her person, or his or her reputation,’” with “a bare violation” of the privacy law being “insufficient to satisfy the statutory injury requirement.”

It is particular to Washington state, not all Americans. And it may not apply to a prosecutor versus private plaintiff.

[1] https://www.documentcloud.org/documents/24133084-22-35448

[RHSeeger]

That sounds remarkably like saying "it's ok to drive drunk, as long as you don't hurt anyone"; which, clearly, is ridiculous. If you're breaking the law, there should be consequences even if you didn't _happen_ to hurt someone this time.

[lazide]

Most civil law requires actual damages. It’s the same situation.

If you haven’t actually been hurt yet, suing doesn’t result in anything.

[JumpCrisscross]

To underline why, consider the consequences of letting anyone sue anyone for potential violations. Every minor perceived violation would result in a cascade of lawsuits. You could bankrupt a competitor by baselessly speculating on their wrongdoing.

Generalised lawbreaking is a public concern. It’s prosecutors’ and regulators’ jobs to protect consumers ex ante.

[lazide]

Yup, though for some things that there is a strong public policy reason to discourage, statutory damages can make a good disincentive.

Easy to argue the good/bad of it, but the California statutory damages lawsuit wave related to ADA accommodations definitely got a lot of business owners to pay attention. [https://www.thakurlawfirm.com/single-post/2020/06/15/ada-law...]

[myself248]

Which creates an incentive, if you see a shiny bit of sidewalk that might be ice, to step on it rather than stepping around it.

It's perverse and bizarre. If you avoid harm, you deprive yourself of the tools that you might've used to save others from the same harm.

[lazide]

But also don’t actually suffer that harm. Which is good?

The tricky part here is when someone is steadily stockpiling things which seem likely to cause truly irreparable harm in the future. But that act is not itself causing harm yet. For example, stockpiling tons of sensitive data.

Another example, a mine with a nearly overtopping tailings dam full of toxic chemicals is a disaster that is almost inevitably guaranteed to happen.

But civil law gives little to no method of stopping that disaster until it has already killed countless people, since - as noted - it hasn’t actually happened yet. And there is no actual guarantee that it will! Potential options do exist, but are so time consuming and high risk, good luck.

But it does give methods for those people’s relatives to get compensation after the fact at least. Which is better than some alternatives.

Which is why other types of regulatory frameworks exist, at least in some cases.

Unfortunately, as in the tailings dam case, and the icy sidewalk case, the actual smartest move is to just avoid them all together - somehow. Move? Take a different route?

Not always possible though, and being constantly on the lookout for these things is exhausting and infeasible for most.

Not sure how that is possible privacy law wise though, even for the most alert? Never engage with anyone or give anyone anything true?

[myself248]

Worse, you've got a Hobson's choice when it comes to using many of these systems. If you decline to get your data hoovered up, you simply can't participate at all. In this way, the car's contact-download is pretty benign, you can still make phone calls even if you decline the contacts.

But it's worse pretty much everywhere else. A few years ago, my data was in a breach of a health-care company I'd never heard of and never dealt directly with, they were some sort of back-end broker several layers away from us patients. Recently I went to sign up for new insurance, and I asked for a list of all companies that might handle my data, and copies of their most recent cybersecurity audit. Of course I didn't get a useful reply, and as a 'customer', I have no useful levers to pull. I have no useful information to use when selecting an insurer. And I have no recourse unless someone starts siphoning money out of my account AND I notice and can prove that it happened because of a breach.

"Never engage with anyone" equates directly to "Go be a hermit in the mountains". If that's where our privacy laws have gotten us, I think we're doing something wrong.

[RHSeeger]

Therein lies the issue. This type of thing shouldn't be civil in nature. Things that are dangerous to others and have a likelihood of causing significant damage... should be criminal in nature. Someone driving drunk is putting others at risk, but the injury isn't actualized until it is. A company forcing it's drivers to work too many hours, driving while unable to get enough sleep, is putting others at risk; but the injury isn't actualized until it is.

Along the same lines, a company gathering extensive details on the communications of and connections of others (especially without their permission) is putting others at risk. And, much like the previous example, the damage isn't actualized until it is. But it needs to be stopped _before_ the damage happens. Which means it needs to be criminal.

[simbolit]

This is why such things should be criminal offenses!

[lazide]

Yup! Or provide statutory damages instead of vague or no statutory penalties.

[zlg_codes]

As a Washingtonian I am embarrassed that my state loves to pretend its progressive but then I see shit like this, and two party consent laws that businesses can still treat like one-party.

Had the whole state pay for a stadium and a tunnel, in Seattle. So, pointless use of taxes and other wastes of my contributions.

Sadly, not an actually progressive place aside from Mutual Combat laws.

[drewcoo]

So post facto punishment and not consumer protection.

WA has a referendum system, though, so if people in WA care about this, you can get something on a ballot and vote it into law.