If you haven’t actually been hurt yet, suing doesn’t result in anything.
Generalised lawbreaking is a public concern. It’s prosecutors’ and regulators’ jobs to protect consumers ex ante.
Easy to argue the good/bad of it, but the California statutory damages lawsuit wave related to ADA accommodations definitely got a lot of business owners to pay attention. [https://www.thakurlawfirm.com/single-post/2020/06/15/ada-law...]
It's perverse and bizarre. If you avoid harm, you deprive yourself of the tools that you might've used to save others from the same harm.
The tricky part here is when someone is steadily stockpiling things which seem likely to cause truly irreparable harm in the future. But that act is not itself causing harm yet. For example, stockpiling tons of sensitive data.
Another example, a mine with a nearly overtopping tailings dam full of toxic chemicals is a disaster that is almost inevitably guaranteed to happen.
But civil law gives little to no method of stopping that disaster until it has already killed countless people, since - as noted - it hasn’t actually happened yet. And there is no actual guarantee that it will! Potential options do exist, but are so time consuming and high risk, good luck.
But it does give methods for those people’s relatives to get compensation after the fact at least. Which is better than some alternatives.
Which is why other types of regulatory frameworks exist, at least in some cases.
Unfortunately, as in the tailings dam case, and the icy sidewalk case, the actual smartest move is to just avoid them all together - somehow. Move? Take a different route?
Not always possible though, and being constantly on the lookout for these things is exhausting and infeasible for most.
Not sure how that is possible privacy law wise though, even for the most alert? Never engage with anyone or give anyone anything true?
But it's worse pretty much everywhere else. A few years ago, my data was in a breach of a health-care company I'd never heard of and never dealt directly with, they were some sort of back-end broker several layers away from us patients. Recently I went to sign up for new insurance, and I asked for a list of all companies that might handle my data, and copies of their most recent cybersecurity audit. Of course I didn't get a useful reply, and as a 'customer', I have no useful levers to pull. I have no useful information to use when selecting an insurer. And I have no recourse unless someone starts siphoning money out of my account AND I notice and can prove that it happened because of a breach.
"Never engage with anyone" equates directly to "Go be a hermit in the mountains". If that's where our privacy laws have gotten us, I think we're doing something wrong.
Along the same lines, a company gathering extensive details on the communications of and connections of others (especially without their permission) is putting others at risk. And, much like the previous example, the damage isn't actualized until it is. But it needs to be stopped _before_ the damage happens. Which means it needs to be criminal.
