General Theories of Legal Liability (Contract, Tort, Civil Enforcement)
General Theories of Legal Liability in the U.S. privacy environment encompass three primary frameworks: Contract, Tort, and Civil Enforcement.
**Contract Liability** arises when parties enter into binding agreements that include privacy-related obligations. Organizations often make privacy promises through privacy policies, terms of service, or direct contractual agreements with consumers and business partners. When an organization breaches these contractual commitments, such as failing to protect personal data as promised or using information beyond the agreed-upon scope, it may face contract-based liability. The Federal Trade Commission (FTC) has notably pursued organizations that violate their own stated privacy policies, treating such violations as deceptive practices.
**Tort Liability** involves civil wrongs that cause harm to individuals, independent of any contractual relationship. Privacy-related torts commonly include intrusion upon seclusion (unreasonable invasion of someone's private affairs), public disclosure of private facts (publicizing private information that would be offensive to a reasonable person), false light (publishing information that places someone in a misleading context), and appropriation of name or likeness (using someone's identity for commercial gain without consent). These tort claims allow individuals to seek damages when their privacy rights are violated, even without a specific statute or contract governing the behavior.
**Civil Enforcement** refers to actions taken by government agencies or regulators to enforce privacy laws and regulations. Federal agencies like the FTC, under Section 5 of the FTC Act, can pursue organizations engaging in unfair or deceptive practices related to privacy. State attorneys general also play a significant role in enforcing both state and federal privacy laws. Civil enforcement actions can result in consent decrees, injunctions, fines, and mandated compliance programs. Unlike criminal enforcement, civil enforcement focuses on remediation, compliance, and monetary penalties rather than imprisonment.
Together, these three theories create a comprehensive legal framework that holds organizations accountable for privacy violations through multiple avenues of redress for affected individuals and regulatory bodies.
General Theories of Legal Liability: Contract, Tort & Civil Enforcement – A Complete CIPP/US Exam Guide
Why This Topic Is Important
Understanding the general theories of legal liability is foundational to the entire CIPP/US body of knowledge. Privacy law in the United States does not exist in a vacuum — it is enforced and interpreted through well-established legal frameworks. When a privacy violation occurs, the affected party (or a government agency) must rely on one or more of these theories to seek a remedy. For the CIPP/US exam, this topic sets the stage for understanding how privacy rights are actually protected, who can bring a claim, and what remedies are available. Without grasping contract law, tort law, and civil enforcement mechanisms, candidates will struggle to contextualize the specific privacy statutes and regulations covered later in the exam.
What Are the General Theories of Legal Liability?
There are three primary theories through which legal liability for privacy violations may arise in the United States:
1. Contract Law
Contract law governs legally binding agreements between parties. In the privacy context, contractual obligations arise when an organization makes promises about how it will handle personal information. Key concepts include:
• Breach of Contract: If an organization enters into a contract (or terms of service, or a privacy policy that is incorporated into a contractual relationship) and fails to uphold its privacy commitments, the other party may sue for breach of contract.
• Privacy Policies as Contracts: Courts have sometimes treated privacy policies as binding contractual promises. If a company states it will not share data with third parties but does so anyway, users may have a breach of contract claim.
• Elements of a Contract Claim: A valid contract existed, the defendant breached a term of that contract, and the plaintiff suffered damages as a result.
• Limitation — Privity: Generally, only the parties to the contract can enforce its terms. Third parties typically lack standing unless they are intended beneficiaries.
• Damages: Contract damages are usually compensatory in nature, designed to put the non-breaching party in the position they would have been in had the contract been performed.
2. Tort Law
Tort law covers civil wrongs that cause harm to individuals, independent of any contractual relationship. In the privacy context, several torts are particularly relevant:
• The Four Privacy Torts (from the Restatement (Second) of Torts, based on the work of William Prosser):
- Intrusion Upon Seclusion: Intentionally intruding, physically or electronically, upon the solitude or private affairs of another in a way that would be highly offensive to a reasonable person.
- Public Disclosure of Private Facts: Publicly disclosing private information about a person that would be highly offensive to a reasonable person and is not of legitimate public concern.
- False Light: Publishing information that places a person in a false light in the public eye, which is highly offensive to a reasonable person.
- Appropriation of Name or Likeness: Using someone's name, image, or likeness for commercial gain without their consent.
• Negligence: A failure to exercise reasonable care in protecting personal information. This requires showing a duty of care, a breach of that duty, causation, and actual damages.
• Damages in Tort: Tort damages can be compensatory (including for emotional distress), and in cases of egregious conduct, punitive damages may also be available.
• Key Distinction from Contract: Tort claims do not require a pre-existing contractual relationship. The duty arises from societal expectations of reasonable conduct or from specific legal standards.
3. Civil Enforcement (Regulatory and Statutory Actions)
Civil enforcement refers to actions brought by government agencies or under specific statutes to enforce privacy requirements. This is one of the most significant mechanisms for privacy protection in the U.S.:
• Federal Trade Commission (FTC) Enforcement: The FTC enforces privacy through its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce. If a company's privacy practices are deceptive (e.g., violating its own privacy policy) or unfair (e.g., causing substantial consumer injury), the FTC can bring an enforcement action.
• State Attorneys General: State AGs have authority under state consumer protection statutes (often called "mini-FTC Acts" or UDAP statutes) to bring civil enforcement actions against companies that violate privacy laws or engage in deceptive practices.
• Statutory Private Rights of Action: Some privacy statutes grant individuals the right to sue directly. Examples include the Video Privacy Protection Act (VPPA), the Telephone Consumer Protection Act (TCPA), and certain state laws like the California Consumer Privacy Act (CCPA/CPRA).
• Consent Decrees and Settlement Agreements: Civil enforcement often results in consent decrees — court-approved agreements where the organization agrees to specific remedial measures, ongoing monitoring, and penalties for future violations.
• Statutory Damages: Some statutes provide for specific damages amounts per violation, which can be significant in aggregate when large numbers of individuals are affected.
• Injunctive Relief: Government agencies can seek court orders requiring organizations to stop certain practices, implement new safeguards, or take specific corrective actions.
How These Theories Work Together
In practice, a single privacy incident can give rise to liability under all three theories simultaneously. For example, a data breach at a company might result in:
• Contract claims from customers who relied on privacy commitments in the company's terms of service.
• Tort claims (negligence) from individuals whose personal data was exposed due to inadequate security measures.
• Civil enforcement actions from the FTC or state attorneys general for unfair or deceptive trade practices.
Understanding this overlap is critical for the exam because questions may test your ability to identify which theory applies in a given fact pattern, or which remedy is available under each theory.
Key Distinctions to Remember for the Exam
| Feature | Contract | Tort | Civil Enforcement |
| --- | --- | --- | --- |
| Who brings the claim? | Party to the contract | Injured individual | Government agency or individual (if private right of action exists) |
| Basis of duty | Contractual promise | Societal duty of care or recognized privacy interests | Statutory or regulatory requirement |
| Damages | Compensatory (expectation, reliance) | Compensatory, emotional distress, punitive | Statutory damages, civil penalties, injunctive relief |
| Requires privity? | Yes (generally) | No | No |
| Requires actual harm? | Yes (breach + damages) | Generally yes (varies by tort) | Not always (some statutes allow enforcement without proof of individual harm) |
Exam Tips: Answering Questions on General Theories of Legal Liability (Contract, Tort, Civil Enforcement)
Tip 1: Identify the Theory Being Tested
Read the question carefully and identify which legal theory is at issue. Look for keywords: "promise," "agreement," or "terms of service" suggest contract. Words like "reasonable person," "offensive," "negligence," or "duty of care" suggest tort. References to the FTC, state attorney general, statutory penalties, or specific statutes suggest civil enforcement.
Tip 2: Know the Four Privacy Torts Cold
The four privacy torts — intrusion upon seclusion, public disclosure of private facts, false light, and appropriation — are heavily tested. Be able to distinguish among them. Remember that intrusion focuses on the act of intruding, while public disclosure focuses on making private facts public. False light involves misleading portrayals, and appropriation involves unauthorized commercial use of someone's identity.
Tip 3: Understand Standing and Harm Requirements
A common exam theme is whether the plaintiff has standing to bring a claim. For contract claims, you need privity. For tort claims, you generally need actual harm. For civil enforcement, a government agency may not need to show individual harm — just that a law was violated. Some statutes with private rights of action also have specific standing requirements.
Tip 4: Connect Privacy Policies to Contract Liability
Remember that a privacy policy can create contractual obligations. If a question describes a company violating its own privacy policy, consider both contract liability (breach of promise) and civil enforcement (FTC deceptive practices).
Tip 5: FTC Section 5 Is Central
The FTC's authority under Section 5 of the FTC Act is one of the most important enforcement mechanisms in U.S. privacy law. Understand the distinction between deceptive practices (saying one thing and doing another) and unfair practices (causing substantial injury to consumers that is not reasonably avoidable and not outweighed by benefits). Many exam questions revolve around this distinction.
Tip 6: Remember Remedies Differ by Theory
If a question asks about available remedies, match the remedy to the theory. Contract claims yield compensatory damages. Tort claims can yield compensatory and punitive damages. Civil enforcement actions can result in civil penalties, consent decrees, injunctive relief, and statutory damages.
Tip 7: Watch for Fact Patterns That Trigger Multiple Theories
Some questions present scenarios where more than one theory of liability could apply. Do not assume there is only one correct theory. The best answer may be the one that most directly addresses the facts given, so read all answer choices before selecting.
Tip 8: Distinguish Between Private and Public Enforcement
Not all statutes provide a private right of action. If a question asks whether an individual can sue under a particular law, check whether that statute grants a private right of action. If only government agencies can enforce it, the individual may need to rely on tort or contract theories instead.
Tip 9: Use Process of Elimination
If you are unsure, eliminate obviously wrong answers. For instance, if the scenario involves no contractual relationship, eliminate contract-based answers. If there is no government agency involved, eliminate civil enforcement answers.
Tip 10: Understand the Historical Development
The CIPP/US exam values contextual understanding. Know that the privacy torts trace back to Samuel Warren and Louis Brandeis's famous 1890 Harvard Law Review article, "The Right to Privacy," and were later systematized by William Prosser. This historical context sometimes appears in questions or helps you understand why certain principles exist.
Summary
The general theories of legal liability — contract, tort, and civil enforcement — form the backbone of privacy law enforcement in the United States. For the CIPP/US exam, you must understand each theory's elements, who can bring a claim, what must be proven, and what remedies are available. Mastering these foundational concepts will enable you to more effectively analyze the specific privacy statutes and regulations that the rest of the exam covers. Always read questions carefully, identify the theory being tested, and match the facts to the correct legal framework.