Data Privacy

An Illinois federal court has dismissed a proposed class action alleging X Corp. violated the state’s Biometric Information Privacy Act (“BIPA”) through its use of PhotoDNA software to create “hashes” of images to scan for nudity and related content. The court held that Plaintiff failed to allege that the hashes identified photo subjects and therefore failed to allege that the hashes constituted biometric identifiers. Martell v. X Corp., 2024 WL 3011353, at *4 (N.D. Ill. June 13, 2024).Continue Reading Illinois Federal Court Dismisses BIPA Suit Against X, Holding “Biometric Identifiers” Must Identify Individuals

We recently posted about a trend of plaintiffs trying to keep certain class actions, including wiretap cases, in California state court and highlighted potential avenues for removal to federal court. Another federal court has weighed in, declining to remand because the plaintiff did not establish that CAFA’s mandatory local controversy exception applied. Miramalek v. Los Angeles Times Communications LLC, 2024 WL 2479940 (N.D. Cal. May 23, 2024). This recent case offers another potential ground for opposing a motion to remand, though it also underscores the attendant risk of jurisdictional discovery.Continue Reading N.D. Cal. Court Declines Remand of California-Focused Wiretap Class Action

On May 16, both houses of Illinois’ legislature passed S.B. 2979, a significant amendment to the Illinois Biometric Information Privacy Act (BIPA). The bill states that an entity that, in more than one instance, obtains the same biometric identifier or biometric information from the same person using the same method of collection, in violation of BIPA’s notice and consent requirement has committed a single violation. As a result, each aggrieved person is entitled to, at most, one recovery for a single collective violation.Continue Reading Illinois Legislature Passes BIPA Amendment Limiting Violation Accrual

Likely spurred by plaintiffs’ recent successes in cases under Illinois’s Biometric Information Privacy Act (“BIPA”), a new wave of class actions is emerging under Illinois’s Genetic Information Privacy Act (“GIPA”). While BIPA regulates the collection, use, and disclosure of biometric data, GIPA regulates that of genetic testing information. Each has a private right of action and provides for significant statutory damages, even potentially where plaintiffs allege a violation of the rule without actual damages.[1] From its 1998 enactment until last year, there were few GIPA cases, and they were largely focused on claims related to genetic testing companies.[2] More recently, plaintiffs have brought dozens of cases against employers alleging GIPA violations based on allegations of employers requesting family medical history through pre-employment physical exams. This article explores GIPA’s background, the current landscape and key issues, and considerations for employers.Continue Reading Employers Beware: New Wave of Illinois Genetic Information Privacy Act Litigation

A district court judge in the Northern District of California recently denied class certification in a putative privacy class action against Google and its Real Time Bidding (“RTB”) advertising system. Plaintiffs moved to certify both damages and injunctive relief classes based on allegations that Google shared personal information through its RTB system. The court denied with prejudice certification under Rule 23(b)(3), finding that individual questions about class member’s past consent to—and subjective understanding of—Google’s disclosures would predominate. The district court also denied the proposed injunctive relief class on the grounds that the proposed class definition was “fail-safe” and that plaintiffs had not met their burden to prove that their data was representative of the proposed class, but the court did so with leave to amend and requested further briefing. Plaintiffs subsequently petitioned for leave to appeal the denial to the Ninth Circuit.Continue Reading Affirmative Defense of Consent Leads to 23(b)(3) Class Certification Denial in Google Ad Bidding Privacy Litigation

A Northern District of California court excluded two groups from certified classes alleging privacy violations against Google, finding that individuals who did not set their own privacy settings did not satisfy the predominance requirement of Rule 23(b)(3).

In Rodriguez, et al., v. Google LLC, 2024 WL 1486139 (N.D. Cal. Apr. 5, 2024), plaintiffs had filed a putative class action against Google alleging that their online activities were transmitted to Google even after they turned off certain internet tracking settings, constituting alleged intrusion upon seclusion, invasion of privacy, and violation of the Comprehensive Computer Data Access and Fraud Act (CDAFA). The court had already certified two classes, but during the class notice process a dispute arose over whether two groups of people who had not set their own tracking settings were part of the class definitions: 1) users of accounts created by businesses or organizations for their employees or members; and 2) users of accounts created for children under thirteen by their parents.Continue Reading In Internet Privacy Case, Predominance Rejected for Persons Who Did Not Choose Their Own Privacy Settings

Another federal district court has dismissed a putative class action complaint asserting that an online retailer’s chat feature violated the users’ privacy under the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code §§ 630 et seqSee Garcia v. Build.com, Inc., Case No. 22-cv-1985-DMS-KSC (S.D. Cal. Mar. 29, 2024), ECF 37. Continue Reading Federal Court Dismisses Class Action Asserting California Wiretapping Claim Based on Website Chat Feature

The United States District Court for the Southern District of Iowa has dismissed on sovereign immunity grounds a putative class action against the University of Iowa Hospitals and Clinics (“UIHC”) for unjust enrichment and violations of the Electronic Communications Privacy Act and Computer Fraud and Abuse Act.  See Yeisley v. Univ. of Iowa Hosps. & Clinics, No. 3:23-cv-00025 (S.D. Iowa Feb. 16, 2024) (unpublished). 

The plaintiff, a patient of UIHC, had alleged that UIHC used a pixel on its website to share her personally identifiable information with third parties for marketing purposes and without her consent.  The Court did not reach the merits of the case and instead granted UIHC’s motion to dismiss on the basis that sovereign immunity barred each of the plaintiff’s claims.Continue Reading Federal Court Dismisses Lawsuit Over Use of Pixel Technology on University Hospital Websites

In class actions challenging data collection, whether the defendant’s privacy policy disclosed the collection is almost always a key question at the dismissal stage.  In a memorandum decision likely to be useful to defendants, the Ninth Circuit recently affirmed dismissal of claims challenging Google’s collection of data from third-party apps on its Android mobile operating system, holding that Google’s Privacy Policy clearly disclosed the collection.  See Hammerling v. Google LLC, No. 22-17024 (9th Cir. Mar. 5, 2024) (unpublished).Continue Reading Ninth Circuit Affirms Dismissal of Data Privacy Claims Based on Disclosure of Collection in Privacy Policy

A Pennsylvania federal district court overseeing a multi-district litigation recently dismissed various privacy and wiretapping claims against two online retailers, finding that allegations of interception and disclosure of mere “browsing activity” on those retailers’ websites is not “sufficiently personal or private” to confer Article III standing. 

In In re: BPS Direct, LLC, and Cabela’s, LLC, Wiretapping Litigation, 2:23-cv-04008-MAK (E.D. Pa. Dec. 5, 2023), the district court consolidated six proposed class actions involving eight plaintiffs, with each alleging that BPS Direct, LLC and Cabela’s, LLC, who operate retail stores known as Bass Pro Shops and Cabela’s, unlawfully intercepted and disclosed their private information through the use of session replay software on their websites.  The district court dismissed most of the plaintiffs’ claims, holding that they failed to adequately allege a concrete harm sufficient to support Article III standing.Continue Reading Pennsylvania Multi-District Wiretapping Litigation Finds Website Users Lack Article III Standing