A U.S. District Court Judge in California dismissed a putative class action asserting claims under section 637.7 of the California Invasion of Privacy Act (CIPA) in a case that could have useful implications for automotive and other device manufacturers whose products have the ability to track location.  Plaintiff claimed that a third-party company, Otonomo Inc., partnered with automobile manufacturers to use the telematics control units (TCUs) installed in their vehicles to track a driver’s location via GPS without the driver’s knowledge.  The Court rejected the claim, holding that because the TCU devices were built-in, rather than devices added to a vehicle, they were not “attached” to the car and thus did not fall within the statute’s definition of “electronic tracking device.”

Continue Reading Class Action Suit Brought Under CIPA Section 637.7 for Alleged Location-Based Tracking of Vehicles Is Dismissed

The Ninth Circuit recently held that the Children’s Online Privacy Protection Act, which gives the Federal Trade Commission  authority to regulate the online collection of personal information from children under the age of 13, does not preempt consistent state law, potentially increasing the risk of class action litigation based on alleged COPPA violations.  See Jones

The Northern District of California recently dismissed with prejudice a putative class action lawsuit against Google, which alleged that the company used a secret program called “Android Lockbox” to spy on Android smartphone users.  See Order Granting Motion to Dismiss, Hammerling v. Google LLC, No. 21-cv-09004-CRB (N.D. Cal. December 1, 2022).  The Court previously dismissed the case in July and gave plaintiffs leave to amend, but signaled that the complaint’s deficiencies would be “difficult to cure.”  Finding that plaintiffs had failed to cure the previous deficiencies, the court dismissed with prejudice on all ten claims.

Continue Reading Google Wins Final Dismissal In “Android Lockbox” Putative Class Action

An Alabama district court recently granted dismissal of a class action asserting Illinois Biometric Information Privacy Act (“BIPA”) claims brought by Illinois residents against ProctorU, Inc. in Thakkar v. ProctorU Inc., No. 2:21-cv-01565 (N.D. Ala.).  The district court concluded that a choice-of-law provision contained in the terms of service and which required the application of Alabama law precluded the application of BIPA to the conduct alleged.

Continue Reading Alabama Federal Court Finds Choice-of-Law Provision Bars BIPA Privacy Lawsuit Against Online Examination Company

In a recent decision, a federal judge granted summary judgment for the Securities and Exchange Commission (SEC) finding that the LBC cryptocurrency token qualifies as a security.  While the ruling is confined to this specific token, it represents a victory for the SEC’s assertions that many cryptocurrencies, including so called “utility tokens,” represent securities that need to be registered with the agency.  The Court also held that the makers of the LBC token, LBRY, Inc., had fair notice that the token was subject to the securities laws.  Considering the ongoing class actions and enforcement proceedings litigating this issue across several cases, companies operating in the cryptocurrency space, including cryptocurrency exchanges, should follow this development to assess any possible impact on their businesses.

Continue Reading S.E.C. Wins Summary Judgment Determination That Cryptocurrency Token Qualifies as a Security

On October 17, the District of Massachusetts added to the growing line of federal courts that have held a mere data breach, without additional harm, is insufficient to grant customers Article III standing.  See Webb v. Injured Workers Pharmacy, LLC, 2022 WL 10483751, at *1 (D. Mass. Oct. 17, 2022).  In February 2022, a home delivery pharmacy notified over 75,000 affected customers that hackers broke through its defenses and accessed patients’ personal data.  Two of these customers filed a putative class action against the pharmacy, alleging various tort and contract theories.  The court dismissed their claims for lack of standing, holding that plaintiffs had failed to allege any actionable harm stemming from the data breach despite their allegations that the breach caused them significant emotional harm.

Continue Reading Data Breach, Without Allegations of Misuse, Isn’t Enough for Article III Standing

A court in the District of Kansas recently remanded a data breach class action against a hospital to state court for lack of standing, holding that the named plaintiffs had failed to demonstrate any injury in fact that was fairly traceable to the exposure of their personal and health information.  See Memorandum and Order, Blood v. Labette County Medical Center, No. 5:22-cv-04036-HLT-KGG (D. Kansas Oct. 20, 2022), ECF 27.

Continue Reading Hospital Data Breach Class Action Fails Due to “Speculative” Injury

Following a week-long trial, a jury in Illinois awarded a plaintiff class of truck drivers a $228 million verdict against BNSF Railways for violations of the Illinois Biometric Information Privacy Act (“BIPA”).  The large verdict, arising from the first case to go to trial under the 2008 law, highlights the potential impact of class actions brought under this statute.

Continue Reading Illinois BIPA jury verdict highlights rising prominence of class actions based on state privacy statutes

On Monday, the Supreme Court granted certiorari in Gonzalez v. Google LLC, 2 F.4th 871 (9th Cir. 2021) on the following question presented:  “Does section 230(c)(1) immunize interactive computer services when they make targeted recommendations of information provided by another information content provider, or only limit the liability of interactive computer services when they engage in traditional editorial functions (such as deciding whether to display or withdraw) with regard to such information?”  This is the first opportunity the Court has taken to interpret 47 U.S.C. § 230 (“Section 230”) since the law was enacted in 1996.

Continue Reading Supreme Court Grants Certiorari in Gonzalez v. Google, Marking First Time Court Will Review Section 230

The Third Circuit recently reinstated the putative class action Clemens v. ExecuPharm Inc., concluding there was sufficient risk of imminent harm after a data breach to confer standing on the named plaintiff when the information had been posted on the Dark Web.

Continue Reading Data Breach and the Dark Web: Third Circuit Allows Class Action Standing With Sufficient Risk of Harm