Privacy Losses as Wrongful Gains

54 Pages Posted: 27 Feb 2020 Last revised: 17 Mar 2020

See all articles by Bernard Chao

Bernard Chao

University of Denver Sturm College of Law

Date Written: February 25, 2020


Perhaps, nowhere has the pace of technology placed more pressure on the law than in the area of data privacy. Huge data breaches fill our headlines. Companies often violate their own privacy policies by selling customer data, or by using the information in ways that fall outside their policy. Yet, even when there is indisputable misconduct, the law generally does not hold these companies accountable. That is because traditional legal claims are poorly suited for handling privacy losses.

Contract claims fail when privacy policies are not considered contractual obligations. Misrepresentation claims cannot succeed when customers never read and rely on those policies. The economic loss rule often thwarts negligence claims. But undoubtedly the thorniest obstacle is that privacy harms are often not considered cognizable injuries under many common legal theories. Tort, contract and constitutional standing doctrine all demand some form of concrete injury, but privacy injuries are often too intangible, or risk based. Thus, no matter how blatantly a company violates its privacy obligations or how porous a company’s data security is, the victims’ lawsuit is often perfunctorily dismissed.

While many commentators have persuasively argued that we should modify these doctrines to be more accommodating of privacy harms, this article takes a different tack and revives an old and neglected common law approach to address these modern ills. Privacy victims should use the oft-misunderstood law of restitution and unjust enrichment to disgorge the wrongful gains companies earn when they break their privacy policies. This theory also will allow victims to recover any wrongful savings these companies retain when they fail to take reasonable data security precautions and instead use deficient cybersecurity. Because unjust enrichment focuses on the defendant’s wrongful gain and not the plaintiff’s injury, this theory can avoid many of the pitfalls associated with the more conventional causes of actions privacy plaintiffs typically raise.

Keywords: Privacy, Remedies, Restitution, Unjust Enrichment, Data Breaches, Standing

Suggested Citation

Chao, Bernard H., Privacy Losses as Wrongful Gains (February 25, 2020). U Denver Legal Studies Research Paper No. 20-05; Iowa Law Review, Forthcoming. Available at SSRN: or

Bernard H. Chao (Contact Author)

University of Denver Sturm College of Law ( email )

2255 E. Evans Avenue
Denver, CO 80208
United States

Here is the Coronavirus
related research on SSRN

Paper statistics

Abstract Views
PlumX Metrics