Data Privacy and Cybersecurity

An Illinois federal court has dismissed a proposed class action alleging X Corp. violated the state’s Biometric Information Privacy Act (“BIPA”) through its use of PhotoDNA software to create “hashes” of images to scan for nudity and related content. The court held that Plaintiff failed to allege that the hashes identified photo subjects and therefore failed to allege that the hashes constituted biometric identifiers. Martell v. X Corp., 2024 WL 3011353, at *4 (N.D. Ill. June 13, 2024).

A federal court in the Northern District of California recently dismissed the majority of claims from a putative class action against Western Digital, in which plaintiffs claim that alleged security flaws in the manufacturer’s data storage devices allowed cyber hackers to access and delete plaintiffs’ data.  See Riordan v. W. Digital Corp., No. 21-CV-06074-EJD, 2024 WL 2868152 (N.D. Cal. June 5, 2024).  The court previously granted in part Western Digital’s motion to dismiss with leave to amend.

An Ohio federal district court recently dismissed for lack of subject matter jurisdiction a class action complaint asserting claims arising from a data breach experienced by defendant Associated Materials, LLC.  See Marlin v. Associated Materials, LLC, 2024 WL 2319115 (N.D. Ohio May 22, 2024).

We recently posted about a trend of plaintiffs trying to keep certain class actions, including wiretap cases, in California state court and highlighted potential avenues for removal to federal court. Another federal court has weighed in, declining to remand because the plaintiff did not establish that CAFA’s mandatory local controversy exception applied. Miramalek v. Los Angeles Times Communications LLC, 2024 WL 2479940 (N.D. Cal. May 23, 2024). This recent case offers another potential ground for opposing a motion to remand, though it also underscores the attendant risk of jurisdictional discovery.

A federal judge in the Western District of Washington recently dismissed a class action complaint accusing Overlake Hospital Medical Center of unlawfully disclosing the health data of patients who accessed its websites to third parties.  See Nienaber v. Overlake Hosp. Med. Ctr., 2024 WL 2133709 (W.D. Wash. May 13, 2024).  Plaintiff Jacq Nienaber, an Overlake patient, alleged that the hospital shared her private data with Meta and other third parties through the use of the Meta Pixel and Meta’s Conversions Application Programming Interface on its public website and private patient portal.

A court in the District of South Carolina recently denied class certification in a putative consumer data breach class action after concluding that the proposed class and sub-classes were not ascertainable. See In re Blackbaud, Inc., Customer Data Breach Litigation, 2024 WL 21555221 (D.S.C. May 14, 2024).

In February 2022, plaintiffs filed suit against Blackbaud, a business-to-business software company that sells cloud-computing services to social good organizations. Plaintiffs, who had provided personal information to Blackbaud’s customers, alleged that their information was compromised during a breach of Blackbaud’s data centers. In December 2022, plaintiffs moved to certify nationwide and sub-classes representing individuals whose “unencrypted information was stored on the database” of a Blackbaud customer. In support of class certification, plaintiffs sought to demonstrate that the proposed classes were ascertainable by relying on (1) expert opinion, (2) Blackbaud’s discovery responses, (3) customer notices Blackbaud sent following the breach, and (4) Blackbaud’s use of a database to comply with the California Consumer Privacy Act. The court rejected each of those arguments.

An Illinois federal district court recently dismissed for lack of personal jurisdiction a publicity privacy suit against Geneanet, which the complaint alleges is a French subsidiary of Ancestry.com that owns and operates an interactive genealogy website. See Shebesh v. Geneanet, S.A., No. 23-cv-4195 (N.D. Ill. May 3, 2024). Plaintiff Ethan Shebesh sued on behalf of himself and a putative class under the Illinois Right of Publicity Act, which prevents the use of an individual’s identity for a commercial purpose without the individual’s consent. 765 ILCS 1075/30(a). Shebesh asserted that Geneanet unlawfully used his and the putative class members’ names and other identifying information to advertise and sell premium memberships. Concluding that the plaintiff failed to show that Geneanet intentionally directed its conduct at Illinois, the court granted Geneanet’s motion to dismiss.

Courts have recently been grappling with an influx of class actions alleging that company websites are in violation of wiretapping and other privacy laws when using third-party technology to provide services on their websites.  Three different federal courts recently dismissed cases on similar grounds, demonstrating the challenges plaintiffs face with maintaining them and strategies defendants should keep in mind to defeat them. 

Two of the cases accuse healthcare providers of improperly sharing personal health information with third-party technology companies through the use of pixel technologies on the healthcare provider’s website.  In the first case, Doe v. Davita, Inc., plaintiffs accused Davita—a kidney dialysis provider—of violating the California Invasion of Privacy Act (“CIPA”) and other laws by purportedly collecting “patients’ personal and sensitive medical information on the Online Platforms and … improperly shar[ing] [this information] with the Tracking Technologies without patients’ consent.”  2024 WL 1772854, at *2 (S.D. Cal. April 24, 2024).  The court disagreed and dismissed the claims, holding that plaintiffs did “not explain what specific information they provided to Defendant” and calling their claims “conclusory.”  Id.  The complaint, said the court, was “devoid of any facts supporting” plaintiffs’ contentions that Davita disclosed “personal, confidential, and sensitive medical information; medical treatment; and payment information” with the third party.  Id.

Likely spurred by plaintiffs’ recent successes in cases under Illinois’s Biometric Information Privacy Act (“BIPA”), a new wave of class actions is emerging under Illinois’s Genetic Information Privacy Act (“GIPA”). While BIPA regulates the collection, use, and disclosure of biometric data, GIPA regulates that of genetic testing information. Each has a private right of action and provides for significant statutory damages, even potentially where plaintiffs allege a violation of the rule without actual damages.[1] From its 1998 enactment until last year, there were few GIPA cases, and they were largely focused on claims related to genetic testing companies.[2] More recently, plaintiffs have brought dozens of cases against employers alleging GIPA violations based on allegations of employers requesting family medical history through pre-employment physical exams. This article explores GIPA’s background, the current landscape and key issues, and considerations for employers.

A district court judge in the Northern District of California recently denied class certification in a putative privacy class action against Google and its Real Time Bidding (“RTB”) advertising system. Plaintiffs moved to certify both damages and injunctive relief classes based on allegations that Google shared personal information through its RTB system. The court denied with prejudice certification under Rule 23(b)(3), finding that individual questions about class members’ past consent to—and subjective understanding of—Google’s disclosures would predominate. The district court also denied the proposed injunctive relief class on the grounds that the proposed class definition was “fail-safe” and that plaintiffs had not met their burden to prove that their data was representative of the proposed class, but the court did so with leave to amend and requested further briefing. Plaintiffs subsequently petitioned for leave to appeal the denial to the Ninth Circuit.