Last week, the Eleventh Circuit reversed in part and remanded an order certifying a class in a case arising from a data breach of Chili’s restaurants, Green-Cooper v. Brinker International, Inc., No. 21-13146, 2023 WL 4446420 (11th Cir. July 11, 2023). The opinion clarifies the Eleventh Circuit’s view of when data breaches give rise to Article III standing.
In a Case of First Impression Under North Carolina’s Automatic Renewal Statute, Judge Dismisses Some Claims but Allows Others to Proceed
A U.S. district court recently granted in part and denied in part the New York Times’s motion to dismiss claims that its subscription renewal terms violated North Carolina’s little-used Automatic Renewal Statute. The plaintiff, on behalf of a putative class, claimed that the Times subscription process failed to adequately disclose the automatic renewal and cancellation options as required by the statute. The court dismissed several of the plaintiff’s claims, but the case was allowed to proceed on allegations that the methodology for canceling was not clearly and conspicuously disclosed, and that the terms of subscription price increases were not provided in the format required by the statute.
A Closer Look: Courts Reject California Wiretap Claims Based on Website Chat Features
Late last year, our colleagues highlighted a wave of class action litigation asserting novel claims under state wiretap laws against website operators that use session replay software and chatbots on consumer websites. Federal district courts in California have now ruled on the first round of chatbot cases, most brought by a handful of “tester” plaintiffs under the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code §§ 630 et seq., and have nearly uniformly rejected the claims. These initial favorable rulings should be helpful for defendants facing similar claims.
D.D.C.’s Application of TransUnion Echoes the Importance of Actual Injury to Class Certification
In Attias v. CareFirst, Inc., 15-cv-00882-CRC (D.D.C. Mar. 28, 2023), the court’s application of TransUnion v. Ramirez, 141 S. Ct. 2190 (2021), reinforced that inclusion of uninjured class members in the class definition can defeat certification. In CareFirst, Plaintiffs alleged that the data breach that CareFirst, Inc. (“CareFirst”), a health insurance company, suffered in 2014 exposed the plaintiffs to increased risk of fraud and identity theft. Plaintiffs claimed they had to spend time and money on services such as credit and identity theft monitoring programs. They sought to represent classes that included all CareFirst customers in certain states whose personal information was impacted by the breach, regardless of whether those customers incurred additional expenses as a result of the breach.
Dior’s Virtual Try-On Tool Fits in BIPA Healthcare Exemption, Illinois Court Says
Dior recently defeated an Illinois Biometric Information Privacy Act (“BIPA”) putative class action on the pleadings by arguing that BIPA’s exemption for patient data captured in a health care setting covered the plaintiff’s use of Dior’s virtual try-on tool while shopping for non-prescription sunglasses. See Warmack-Stillwell v. Christian Dior, Inc., No. 1:22-CV-04633 (N.D. Ill. Feb. 10, 2023).
Continue Reading Dior’s Virtual Try-On Tool Fits in BIPA Healthcare Exemption, Illinois Court Says
Illinois Supreme Court Holds Five-Year Statute of Limitations Applies to All Claims under BIPA
The Illinois Supreme Court recently held that all claims brought under the Biometric Information Privacy Act (“BIPA”) are subject to a five-year statute of limitations, partly overturning a lower court decision that had applied a one-year limitations period to some claims brought under the law. See Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (Feb. 2, 2023).
The plaintiff, Jorome Tims, filed a putative class action against his former employer, alleging that the trucking and logistics company violated BIPA by requiring its employees to use a time clock with a fingerprint scanner without (i) implementing a publicly available data retention and destruction policy; (ii) notifying employees and obtaining their consent when collecting their biometrics; and (iii) obtaining employee consent before disclosing their biometric information to third parties. The defendant moved to dismiss the complaint, arguing that the plaintiff’s claims were barred by the one-year statute of limitations under the Illinois Code of Civil Procedure that governs actions for the “publication of matter[s] violating the right of privacy.”
New York Court Denies Class Certification in Copyright Infringement Action
A group of musicians has lost its bid in Waite v. UMG Recordings, No. 1:19-cv-01091-LAK (S.D.N.Y. 2019), to assert copyright infringement claims on a classwide basis against the record labels holding copyrights in the musicians’ sound recordings.
Seeking to reclaim the copyrights, the plaintiffs had issued notices of termination pursuant to Section 203 of
Class Action Suit Brought Under CIPA Section 637.7 for Alleged Location-Based Tracking of Vehicles Is Dismissed
A U.S. District Court Judge in California dismissed a putative class action asserting claims under section 637.7 of the California Invasion of Privacy Act (CIPA) in a case that could have useful implications for automotive and other device manufacturers whose products have the ability to track location. Plaintiff claimed that a third-party company, Otonomo Inc., partnered with automobile manufacturers to use the telematics control units (TCUs) installed in their vehicles to track a driver’s location via GPS without the driver’s knowledge. The Court rejected the claim, holding that because the TCU devices were built-in, rather than devices added to a vehicle, they were not “attached” to the car and thus did not fall within the statute’s definition of “electronic tracking device.”
Ninth Circuit Holds COPPA Does Not Preempt Consistent State Law Claims Premised on COPPA Violations
The Ninth Circuit recently held that the Children’s Online Privacy Protection Act, which gives the Federal Trade Commission authority to regulate the online collection of personal information from children under the age of 13, does not preempt consistent state law, potentially increasing the risk of class action litigation based on alleged COPPA violations. See Jones
Alabama Federal Court Finds Choice-of-Law Provision Bars BIPA Privacy Lawsuit Against Online Examination Company
An Alabama district court recently granted dismissal of a class action asserting Illinois Biometric Information Privacy Act (“BIPA”) claims brought by Illinois residents against ProctorU, Inc. in Thakkar v. ProctorU Inc., No. 2:21-cv-01565 (N.D. Ala.). The district court concluded that a choice-of-law provision contained in the terms of service and which required the application of Alabama law precluded the application of BIPA to the conduct alleged.