Data Privacy

Subscribe to Data Privacy

A procedural violation of a state’s privacy statute is not alone enough to establish Article III standing—a plaintiff must suffer a concrete injury, such as an increased risk of identity theft.  The Fourth Circuit’s decision in O’Leary v. TrustedID, Inc., 2023 WL 2125996 (4th Cir. Feb. 21, 2023) confirms this—but also illustrates how Article III standing is a two-edged sword that may allow a plaintiff to defeat a defendant’s attempt to remove a case to federal court. 

The plaintiff in O’Leary filed a class action against TrustedID in South Carolina state court for allegedly violating South Carolina’s Financial Identity Fraud and Identity Theft Protection Act, S.C. Code Ann. § 37-20-180.  The statute prohibits requiring consumers to use six or more digits of their Social Security numbers to access a website without also requiring some other authentication measure.  The plaintiff alleged that TrustedID’s website required him to provide six digits of his Social Security number and did not have any other safety precautions, such as a password requirement.

Continue Reading Fourth Circuit Remands Class Action to State Court After Plaintiff Questions His Own Standing

The Illinois Supreme Court recently held that all claims brought under the Biometric Information Privacy Act (“BIPA”) are subject to a five-year statute of limitations, partly overturning a lower court decision that had applied a one-year limitations period to some claims brought under the law.  See Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (Feb. 2, 2023).

The plaintiff, Jorome Tims, filed a putative class action against his former employer, alleging that the trucking and logistics company violated BIPA by requiring its employees to use a time clock with a fingerprint scanner without (i) implementing a publicly available data retention and destruction policy; (ii) notifying employees and obtaining their consent when collecting their biometrics; and (iii) obtaining employee consent before disclosing their biometric information to third parties.  The defendant moved to dismiss the complaint, arguing that the plaintiff’s claims were barred by the one-year statute of limitations under the Illinois Code of Civil Procedure that governs actions for the “publication of matter[s] violating the right of privacy.”

Continue Reading Illinois Supreme Court Holds Five-Year Statute of Limitations Applies to All Claims under BIPA

A U.S. District Court Judge in California dismissed a putative class action asserting claims under section 637.7 of the California Invasion of Privacy Act (CIPA) in a case that could have useful implications for automotive and other device manufacturers whose products have the ability to track location.  Plaintiff claimed that a third-party company, Otonomo Inc., partnered with automobile manufacturers to use the telematics control units (TCUs) installed in their vehicles to track a driver’s location via GPS without the driver’s knowledge.  The Court rejected the claim, holding that because the TCU devices were built-in, rather than devices added to a vehicle, they were not “attached” to the car and thus did not fall within the statute’s definition of “electronic tracking device.”

Continue Reading Class Action Suit Brought Under CIPA Section 637.7 for Alleged Location-Based Tracking of Vehicles Is Dismissed

The Ninth Circuit recently held that the Children’s Online Privacy Protection Act, which gives the Federal Trade Commission  authority to regulate the online collection of personal information from children under the age of 13, does not preempt consistent state law, potentially increasing the risk of class action litigation based on alleged COPPA violations.  See Jones

An Alabama district court recently granted dismissal of a class action asserting Illinois Biometric Information Privacy Act (“BIPA”) claims brought by Illinois residents against ProctorU, Inc. in Thakkar v. ProctorU Inc., No. 2:21-cv-01565 (N.D. Ala.).  The district court concluded that a choice-of-law provision contained in the terms of service and which required the application of Alabama law precluded the application of BIPA to the conduct alleged.

Continue Reading Alabama Federal Court Finds Choice-of-Law Provision Bars BIPA Privacy Lawsuit Against Online Examination Company

On October 17, the District of Massachusetts added to the growing line of federal courts that have held a mere data breach, without additional harm, is insufficient to grant customers Article III standing.  See Webb v. Injured Workers Pharmacy, LLC, 2022 WL 10483751, at *1 (D. Mass. Oct. 17, 2022).  In February 2022, a home delivery pharmacy notified over 75,000 affected customers that hackers broke through its defenses and accessed patients’ personal data.  Two of these customers filed a putative class action against the pharmacy, alleging various tort and contract theories.  The court dismissed their claims for lack of standing, holding that plaintiffs had failed to allege any actionable harm stemming from the data breach despite their allegations that the breach caused them significant emotional harm.

Continue Reading Data Breach, Without Allegations of Misuse, Isn’t Enough for Article III Standing

Following a week-long trial, a jury in Illinois awarded a plaintiff class of truck drivers a $228 million verdict against BNSF Railways for violations of the Illinois Biometric Information Privacy Act (“BIPA”).  The large verdict, arising from the first case to go to trial under the 2008 law, highlights the potential impact of class actions brought under this statute.

Continue Reading Illinois BIPA jury verdict highlights rising prominence of class actions based on state privacy statutes

The Northern District of California denied class certification in a data breach suit against Zoosk, an online dating service, concluding that the lead plaintiff had waived any right to represent a class by agreeing to a class-action waiver.  See Order Denying Class Certification, Flores-Mendez v. Zoosk, Inc., No. 3:20-04929-WHA (N.D. Cal. July 27, 2022).

Continue Reading Class Certification Denied in Data Breach Class Action Based on Class-Action Waiver in Terms of Service

A California federal district court recently granted in part the dismissal of certain federal and state privacy claims, including a California Consumer Privacy Act (“CCPA”) claim, in Hayden v. The Retail Equation, Inc., No. 8:20-cv-01203 (C.D. Cal.).  Plaintiffs in Hayden alleged that twelve retailers unlawfully shared customer data with a computer software firm, The Retail Equation (“TRE”), which in turn created “customer risk scores” to identify potentially fraudulent customer returns.  This customer risk score was alleged to include information about the customers’ purchase histories, information gleaned from social media, as well as personal information, including name, government identification card or passport information, address, sex, race, and date of birth.  TRE and the retailers sought dismissal of: (1) the Fair Credit Reporting Act (“FCRA”) claim; (2) the CCPA claim; (3) the California invasion of privacy claim; (4) the Unfair Competition Law (“UCL”) claim; and (5) unjust enrichment claim.  The Court dismissed all but the invasion of privacy claim.

Continue Reading Court Grants in Part Dismissal of Certain Privacy Claims, Including CCPA Claim, Against The Retail Equation and Retailers

Last week, a federal court in Illinois dismissed a putative class action complaint alleging violations of the Illinois Biometrics Information Privacy Act (“BIPA”) for engaging in “impermissible group pleading.”  The ruling serves as a reminder that a complaint that fails to plead specific facts as to each defendant does not meet the Rule 8 pleading